Welcome to ISAserver.org


Publishing sharepoint with client certificate and Kerberos constrained delegation

Publishing sharepoint with client certificate and Kerbe... - 30.Oct.2006 9:31:48 AM   
peterbuus

 

Posts: 7
Joined: 30.Oct.2006
Status: offline
Hi,

We want to publish sharepoint 2 SP2 through ISA 2006 using client certificate authentication.

For test purposes I made a test installation with a win2003 R2 server acting both as domain controller (for domain TEST in win2003 functional level) and IIS/sharepoint server.

On an other win2003 R2 server i have installed ISA 2006 and configured a sharepoint web publishing rule requiring client certificate and kerberos constrained delegation using SPN "http/sharepoint".

On a third client winXP computer I have installed a client certificate. When hitting the ISA server I am prompted for a client certificate - but authentication fails with error code 401 Unauthorized ... (12209)

On the ISA server the monitoring log states an error 12239 .... requires authorization. However, the Client Username on the log line is TEST/Peter, which is the user I have name-mapped to the client certificate.

Thus ISA does indeed map my client certificate to the right account, but something goes wrong in the Kerberos delegation.

I am quite confused about how to configure the "http/sharepoint" SPN - I have tried most (all) combinations of
setspn -A http/sharepoint ISASERVER and setspn -A http/sharepoint DOMAINSERVER
and the "Delegation" tab on the ISASERVER/DOMAINSERVER in AD.
Can anybody tell me the correct configuration in my scenario?
Does anybody know how to troubleshoot Kerberos constrained delegation?

Regards / Peter
Post #: 1
RE: Publishing sharepoint with client certificate and K... - 30.Oct.2006 12:35:21 PM   
peterbuus

 

Posts: 7
Joined: 30.Oct.2006
Status: offline
I forgot to mention that I already did enable Sharepoint for Kerberos authentication

/Peter

(in reply to peterbuus)
Post #: 2
RE: Publishing sharepoint with client certificate and K... - 31.Oct.2006 9:01:05 AM   
tshinder

 

Posts: 46928
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Peter,

Check this article series out for some help with KCD and User Certificate authentication:

http://www.isaserver.org/tutorials/Configuring-ISA-Firewalls-ISA-2006-RC-Support-User-Certificate-Authentication-using-Constrained-Delegation-Part1.html#

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to peterbuus)
Post #: 3
RE: Publishing sharepoint with client certificate and K... - 31.Oct.2006 9:52:23 AM   
peterbuus

 

Posts: 7
Joined: 30.Oct.2006
Status: offline
Hi Tom

I did read your article on OWA publishing and tried my best to copy the setup and configuration to a Sharepoint setup.
However, I still can't make it work.

My ISA server authenticates the User Certificate and maps it to the corresponding user account.
I think the 12209/12239 error I encounter is related to the subsequent Kerberos delegation.

My ISA setup specifies Kerberos constrained delegation with the SPN http/sharepoint
My understanding is that I further need to
'setspn -A http/sharepoint ISASERVER'
and configure ISASERVER in AD to support kerberos for http/sharepoint as described in your article

Should the delegation work if I (for test purposes) just checked
'Trust this computer for delegation to any service (Kerberos only)'
in the AD delegation tab for ISASERVER?

Is it a problem that my setup is based on vmware and not actual machines?

Thanks
Peter


(in reply to tshinder)
Post #: 4
RE: Publishing sharepoint with client certificate and K... - 31.Oct.2006 2:20:13 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Peter,

quote:

Should the delegation work if I (for test purposes) just checked
'Trust this computer for delegation to any service (Kerberos only)'
in the AD delegation tab for ISASERVER?

No, that option won't work because it implies that the user was originally authenticated by the Kerberos protocol. Selecting 'Trust this computer for delegation to specified services only' *and* selecting 'Use any authentication protocol' is therefore a requirement.

Also, make sure you set the SPN in the web publishing rule to the *real* FQDN of the published web server and not a CNAME.

HTH,
Stefaan

(in reply to peterbuus)
Post #: 5
RE: Publishing sharepoint with client certificate and K... - 1.Nov.2006 10:20:54 AM   
tshinder

 

Posts: 46928
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Peter,

Listen to Stefaan on this -- he learned from hard experience!

Tom


(in reply to spouseele)
Post #: 6
RE: Publishing sharepoint with client certificate and K... - 1.Nov.2006 11:07:44 AM   
peterbuus

 

Posts: 7
Joined: 30.Oct.2006
Status: offline
OK - I still can't make it work

I made a new setup with 3 machines

isa.signaturgruppen.dk (ISA server)
dc.signaturgruppen.dk (domain controller)
sharepoint.signaturgruppen.dk (sharepoint)

When I configure a web publishing rule for sharepoint.signaturgruppen.dk ISA suggests the use of SPN http/sharepoint.signaturgruppen.dk

Is it a correct understanding that I should

setspn http/sharepoint.signaturgruppen.dk ISA
and configure ISA server entry in AD to allow kerberos authentication to http/sharepoint.signaturgruppen.dk
- or is it another way around?


/Peter

(in reply to tshinder)
Post #: 7
RE: Publishing sharepoint with client certificate and K... - 1.Nov.2006 1:45:56 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,

quote:

ORIGINAL: tshinder

Hi Peter,

Listen to Stefaan on this -- he learned from hard experience!

Tom

Only on this... ?

Thanks,
Stefaan

(in reply to tshinder)
Post #: 8
RE: Publishing sharepoint with client certificate and K... - 1.Nov.2006 2:00:33 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Peter,

quote:

Is it a correct understanding that I should

setspn http/sharepoint.signaturgruppen.dk ISA
and configure ISA server entry in AD to allow kerberos authentication to http/sharepoint.signaturgruppen.dk
- or is it another way around?

Assuming 'sharepoint.signaturgruppen.dk' is the *real* hostname and not an alias, then the proposed SPN on ISA should be OK.

However, you shouldn't have to execute the command 'setspn http/sharepoint.signaturgruppen.dk ISA'. So, I suggest removing your custom SPN first with the 'setspn -D' command.

Thereafter, just go to Active Directory Users and Computers, select the ISA computer account and then the Delegation tab. Now, make sure you select 'Trust this computer for delegation to specified services only' *and* 'Use any authentication protocol'. Next, click the Add button and select first the sharepoint computer and then the HTTP service type.

In my case that was enough to get the Kerberos Constrained Delegation working with a FBA and Radius user validation method.

HTH,
Stefaan

(in reply to spouseele)
Post #: 9
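The two requirements Stefaan states in posts #5 and #9 (constrained delegation to the published server's HTTP service with 'Use any authentication protocol', an SPN that names the real host rather than a CNAME, and no custom HTTP SPN on the ISA account) map onto a handful of Active Directory attributes that can be audited. The script below is an added example, not code from the thread, ISA Server or the forum posters. It assumes the RSAT ActiveDirectory module and the DnsClient cmdlet Resolve-DnsName, neither of which existed in 2006, and uses the account and host names from the thread (ISA, sharepoint.signaturgruppen.dk) as placeholders. The flag values are the documented userAccountControl bits; the function names and parameters are my own.

```powershell
# Added example, not code from the thread or from ISA Server. Audits the ISA
# computer account for the KCD settings the replies above call for, and
# optionally applies them. Assumes the RSAT ActiveDirectory module and the
# DnsClient module; account and host names are placeholders from the thread.
Import-Module ActiveDirectory

# userAccountControl flag bits (Microsoft-documented values)
$TRUSTED_FOR_DELEGATION         = 0x0080000  # ADUC: 'Trust this computer for delegation to any service (Kerberos only)'
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # ADUC: 'Use any authentication protocol' (protocol transition)

function Test-IsaKcdConfig {
    param(
        [string]$IsaComputer   = 'ISA',                           # name of the ISA computer account (assumed)
        [string]$PublishedFqdn = 'sharepoint.signaturgruppen.dk'  # SPN host used in the web publishing rule (assumed)
    )
    $expectedSpn = "HTTP/$PublishedFqdn"
    $isa = Get-ADComputer -Identity $IsaComputer -Properties userAccountControl, 'msDS-AllowedToDelegateTo', servicePrincipalName
    $uac = [int]$isa.userAccountControl
    $findings = @()

    # 1. 'Kerberos only' delegation presumes the user was authenticated with Kerberos.
    #    ISA authenticated the user with a client certificate, so this mode cannot forward the identity.
    if ($uac -band $TRUSTED_FOR_DELEGATION) {
        $findings += "'Kerberos only' (unconstrained) delegation is set on $IsaComputer; switch to 'specified services only'."
    }
    # 2. Protocol transition must be on, or ISA cannot obtain a service ticket for a certificate-authenticated user.
    if (-not ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) {
        $findings += "'Use any authentication protocol' is not set on $IsaComputer."
    }
    # 3. The allowed-to list must name the HTTP service on the published host (-notcontains is case-insensitive).
    if (@($isa.'msDS-AllowedToDelegateTo') -notcontains $expectedSpn) {
        $findings += "msDS-AllowedToDelegateTo on $IsaComputer does not contain $expectedSpn."
    }
    # 4. The SPN host must be the real hostname: the KDC looks up the account that owns the SPN,
    #    and an alias is not an SPN registered on the published server.
    $dns = Resolve-DnsName -Name $PublishedFqdn -ErrorAction SilentlyContinue
    if ($dns | Where-Object { $_.Type -eq 'CNAME' }) {
        $findings += "$PublishedFqdn is a CNAME; use the real hostname of the published server in the rule."
    }
    # 5. The HTTP SPN belongs to the published server, not to ISA. Registered on the ISA account, it makes
    #    the KDC encrypt the service ticket with ISA's key, which SharePoint cannot decrypt.
    if (@($isa.servicePrincipalName) -contains $expectedSpn) {
        $findings += "$expectedSpn is registered on $IsaComputer; remove it with: setspn -D $expectedSpn $IsaComputer"
    }
    return $findings
}

function Set-IsaKcdConfig {
    # Applies exactly the settings from the thread: delegation to the published server's
    # HTTP service only, with protocol transition enabled.
    param(
        [string]$IsaComputer   = 'ISA',
        [string]$PublishedFqdn = 'sharepoint.signaturgruppen.dk'
    )
    $expectedSpn = "HTTP/$PublishedFqdn"
    Get-ADComputer -Identity $IsaComputer |
        Set-ADAccountControl -TrustedForDelegation $false -TrustedToAuthForDelegation $true
    Set-ADComputer -Identity $IsaComputer -Add @{ 'msDS-AllowedToDelegateTo' = $expectedSpn }
}

$problems = Test-IsaKcdConfig
if ($problems.Count -eq 0) { 'KCD configuration matches the working setup described in the thread.' } else { $problems }
```

Run Test-IsaKcdConfig from a domain-joined admin session before touching anything; each finding names the ADUC option or setspn command that corrects it. Set-IsaKcdConfig only adds the HTTP entry to msDS-AllowedToDelegateTo and flips the two delegation flags; it does not register any SPN, which matches the observation in post #9 that no custom SPN on the ISA account is needed.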
RE: Publishing sharepoint with client certificate and K... - 2.Nov.2006 3:56:03 AM   
peterbuus

 

Posts: 7
Joined: 30.Oct.2006
Status: offline
Hi Stefaan

Thanks a lot - your suggestion solved my problem. Apparently I did some unnecessary SPN panic.....

/Peter

(in reply to spouseele)
Post #: 10
RE: Publishing sharepoint with client certificate and K... - 2.Nov.2006 5:23:46 AM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Peter,

good to hear you have it working and thanks for the follow up!

BTW --- I think that the SPN confusion is created because a 'setspn -L' doesn't show the 'HTTP/' SPNs. You'll have to go through the wizard to find them.

Best Regards,
Stefaan

(in reply to peterbuus)
Post #: 11
RE: Publishing sharepoint with client certificate and K... - 23.Mar.2008 10:11:10 AM   
no fear

 

Posts: 32
Joined: 19.Oct.2005
Status: offline
Dears:

I read (http://www.isaserver.org/tutorials/Configuring-ISA-Firewalls-ISA-2006-RC-Support-User-Certificate-Authentication-using-Constrained-Delegation-Part2.html) ...but what if the ISA is in a different domain than the published IIS Server WITH NO TRUST between them??

(in reply to peterbuus)
Post #: 12
RE: Publishing sharepoint with client certificate and K... - 3.Apr.2008 9:07:49 PM   
tshinder

 

Posts: 46928
Joined: 10.Jan.2001
From: Texas
Status: offline
It won't work. The ISA Firewall has to be in the same domain.

HTH,
Tom


(in reply to no fear)
Post #: 13