Constrained delegation doesn't work

Constrained delegation doesn't work - 19.Jul.2007 4:36:36 PM   
thorstenrood
Hi @all,

my ISA 2006 is driving me nuts: I want to publish the internal certificate authority web enrollment page for remote users outside the VPN corporate network to allow them to renew their smartcard certificates manually when they become due (autoenrollment won't reach them).

To ensure maximum protection, there's a separate WebListener that requires SmartCard authentication and that's bound to a web publishing rule to the /certsrv/ and /certcontrol/ and /certcontrol/ directories for the designated web enrollment host. The web publishing rule is activated for constrained delegation and the listener is hardened to accept our own certificates only.

ISA Server is a domain member and its computer account is trusted for delegation. The Certificate Services web enrollment page requires Integrated Windows Authentication (Kerberos) and runs with the default Network Service identity. Forest level is W2K3 native.

When smartcard users log in, they get prompted for their card/certificate/PIN and delegation then immediately fails with ISA error 12202 ("denied URL"). The event log shows event ID 21315 "ISA Server failed to delegate the credentials using Kerberos constrained delegation to ... Check that the SPN ... matches SPN in Active Directory."

The http SPN is not explicitly registered for the web enrollment host computer object, but even doing this does not change the misbehavior. If I temporarily allow user-individual prompting in the delegation options, everything is fine, but obviously I want to enforce user identity by Kerberos delegation. Most of them don't even know their passwords any more... ;-)

What's going wrong with constrained delegation here?

Thanks much!
Thorsten
Post #: 1
RE: Constrained delegation doesn't work - 8.Sep.2015 6:21:33 AM   
rlar039
Had this problem last week and found absolutely no documentation regarding this issue, even on the Microsoft web site. So as far as I can see there are two possible solutions:

1- https://support.microsoft.com/en-us/kb/947124

2- This solution is not documented anywhere: we had a duplicate SPN entry on our network that caused the same error as KB947124.

Removing the extra SPN entry and restarting the ISA services did the trick.

(in reply to thorstenrood)
Post #: 2
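One way to check for the two conditions raised in this thread, the http SPN missing for the published enrollment host and a duplicate SPN elsewhere in the domain, before touching the ISA rule. This is an added PowerShell example, not code from either poster; it uses plain ADSI so it needs no RSAT module, and the host name is a placeholder.

```powershell
# Added example (not from the thread): list duplicate SPNs in the current domain and
# check whether the HTTP SPN for a published host is registered exactly once.
# Assumes a domain-joined machine and a domain user; $WebHost is a placeholder FQDN.
param(
    [string]$WebHost = 'webenroll.example.local'   # placeholder: enrollment host FQDN
)

$root   = [ADSI]'LDAP://RootDSE'
$domain = [ADSI]("LDAP://" + $root.defaultNamingContext)

$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter   = '(servicePrincipalName=*)'
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
[void]$searcher.PropertiesToLoad.Add('distinguishedName')

# Map each SPN (case-insensitive) to the list of account DNs that carry it
$spnOwners = @{}
foreach ($result in $searcher.FindAll()) {
    $dn = $result.Properties['distinguishedname'][0]
    foreach ($spn in $result.Properties['serviceprincipalname']) {
        $key = $spn.ToLowerInvariant()
        if (-not $spnOwners.ContainsKey($key)) { $spnOwners[$key] = @() }
        $spnOwners[$key] += $dn
    }
}

# An SPN held by more than one account makes the KDC's lookup ambiguous, and
# constrained delegation to that service fails (the event 21315 symptom above)
$duplicates = $spnOwners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
foreach ($d in $duplicates) {
    Write-Warning ("Duplicate SPN {0} on: {1}" -f $d.Key, ($d.Value -join '; '))
}

# Check the HTTP SPN ISA expects for the published host
$expected = "http/$WebHost".ToLowerInvariant()
if (-not $spnOwners.ContainsKey($expected)) {
    Write-Output "SPN $expected is not registered; KCD cannot request a ticket for it."
} elseif ($spnOwners[$expected].Count -gt 1) {
    Write-Output "SPN $expected is ambiguous (see warnings above)."
} else {
    Write-Output ("SPN {0} is registered once, on {1}" -f $expected, $spnOwners[$expected][0])
}
```

Run it with the real enrollment host name as -WebHost; if the http SPN is reported as unregistered or ambiguous, fix that in AD first and then restart the ISA services as the reply describes.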