Welcome to ISAserver.org


Kerberos Double hop authentication

Kerberos Double hop authentication - 10.Nov.2006 3:47:11 PM   
bpetros

 

We are trying to configure ISA 2006 Ent. to support publishing a SharePoint Portal webpart that uses Kerberos to provide the client credentials to the database server.

This configuration is similar to what is described by Thomas Shinder here:
http://www.isaserver.org/tutorials/Configuring-ISA-Firewalls-ISA-2006-RC-Support-User-Certificate-Authentication-using-Constrained-Delegation-Part2.html

This setup works for internal clients that directly access the SharePoint website but does not work for internal clients that reference the ISA public IP address for the site. We are able to get the initial SharePoint page up and can verify a Kerberos login in the SharePoint web server log but are not able to execute the page that uses the user credentials for the database lookup. We see an anonymous login in the database server's log and eventually get a 500 error back to the IE browser (because the webpart fails to handle the database error message).

Any ideas or suggestions on how to proceed diagnosing or debugging this?

I would be happy to describe our AD changes to support the Kerberos delegation. They are similar to the article linked above except not constrained on the SharePoint / database connection. Generally the service accounts running the various services are domain accounts, not machine or local accounts.

Please let me know what additional information you would like to have.


Here is a google for double hop if anyone wants more reading material
http://www.google.com/search?hl=en&q=kerberos+double+hop

Thanks in advance

Post #: 1
RE: Kerberos Double hop authentication - 11.Dec.2006 8:32:55 AM   
bpetros

 

I wanted to provide some information back to the community on the progress and results of my problem described above.

We were able to get the configuration above working by changing the AD configuration to use "Constrained delegation" as described in the Windows Server 2003 documentation. The Microsoft BI product documentation had suggested, and we had configured, our AD to use Win Server 2000 style Kerberos.

Next we work on SSO and form authentication.


(in reply to bpetros)
Post #: 2
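
An added example, not part of the posts above and not ISA or Microsoft tooling: Python that classifies the delegation setting of each account in the ISA → SharePoint → database chain from the AD attributes `userAccountControl` and `msDS-AllowedToDelegateTo`, separating Windows 2000 style (unconstrained) delegation from constrained delegation. All account names, SPNs and attribute values are constructed; substitute values exported from your own directory.

```python
# Added example: every account name, SPN and value below is constructed.
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained (Windows 2000 style)
UF_NOT_DELEGATED = 0x100000                    # "sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition

def delegation_mode(acct):
    """Classify an account from userAccountControl and msDS-AllowedToDelegateTo."""
    uac = acct["userAccountControl"]
    targets = acct.get("msDS-AllowedToDelegateTo", [])
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets and uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained+protocol-transition"
    return "constrained" if targets else "none"

def audit_chain(accounts, user, hops):
    """hops: (delegating account, SPN of the next tier) in request order."""
    findings = []
    if accounts[user]["userAccountControl"] & UF_NOT_DELEGATED:
        findings.append((user, None, "n/a", "user is marked not delegatable"))
    for name, spn in hops:
        acct = accounts[name]
        mode = delegation_mode(acct)
        # SPNs compare case-insensitively
        allowed = {t.lower() for t in acct.get("msDS-AllowedToDelegateTo", [])}
        if mode == "none":
            note = "not trusted for delegation"
        elif mode == "unconstrained":
            note = "not limited to this SPN"
        elif spn.lower() not in allowed:
            note = "SPN missing from msDS-AllowedToDelegateTo"
        else:
            note = "ok"
        findings.append((name, spn, mode, note))
    return findings

# Constructed directory export: 0x200 = normal user, 0x1000 = computer account.
ACCOUNTS = {
    "jdoe": {"userAccountControl": 0x200},
    "ISA01$": {"userAccountControl": 0x1000 | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
               "msDS-AllowedToDelegateTo": ["http/portal.example.test"]},
    "svc-sharepoint": {"userAccountControl": 0x200 | UF_TRUSTED_FOR_DELEGATION},
}
HOPS = [("ISA01$", "HTTP/portal.example.test"),
        ("svc-sharepoint", "MSSQLSvc/sql01.example.test:1433")]

if __name__ == "__main__":
    for row in audit_chain(ACCOUNTS, "jdoe", HOPS):
        print(row)
```
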
