RESOLVED Constrained Delegation with HTTP Authentication
RESOLVED Constrained Delegation with HTTP Authentication - 17.Jun.2008 7:51:41 AM
frobnitzz
Posts: 22
Joined: 11.Jun.2008
Status: offline
Please help!!! I need to be able to use integrated authentication on my clients, so I get a streamlined logon to desktop > access site. This will ultimately be for accessing a SharePoint farm – but for now if I can just get it to work with a basic website I'll be pleased! Pulling my hair out. 2 weeks I've been trying all kinds of rule combinations, read more guides than you can shake a stick at (nothing specific to this though). Can't get around it prompting 3 times (putting Enterprise Admin details in) and giving:

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

ISA logging gives: 12232 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.

It thinks the user is Anonymous. If I use HTML forms on the listener, with constrained delegation – it works. Doesn't this say that the constrained delegation must be OK? It's like the clients aren't passing on the logon details..? Help!!!

CONFIGURATION

Environment:
- Single root domain – Johndom.com (2003 AD)
- ISA 2006 – patched with KB939455, KB942639, KB951510 (JDISA01)
- IIS 6 on Server 2003 SP1 (JDFAP01)
- XP SP2 workstation (JDCLIENT01)

Website:
- site.johncom.com / 80 / with header
- Its own web app with identity = johndom\spnsite
- Anonymous = off
- Integrated is the only checkbox on

ISA config / Rule details (I'll list the important bits only):
- From = Anywhere
- To: Published site = site.johndom.com / Comp Name = jdfp01.johndom.com / Forward original host header = no / Requests appear from ISA
- Public Name = site.johndom.com
- Authentication Delegation = Kerberos constrained delegation / SPN = http/site.johndom.com
- Users = All Authenticated Users

Listener details:
- Authentication – HTTP Authentication / Integrated
- Advanced – Require users to auth = no / Allow client auth over HTTP = yes

SPN registration details:
- setspn -A HTTP/site.johndom.com johndom\spnsite
- setspn -L spnsite:

C:\Documents and Settings\ea>setspn -L spnsite
Registered ServicePrincipalNames for CN=spnsite,OU=Service Accounts,OU=Administration,DC=JOHNDOM,DC=COM:
http/site.johndom.com
http/site

AD object properties:
- Service account SPNSITE – Delegation = Trust to specified only, Kerberos only / http site.johndom.com
- ISA server JDISA01 – Delegation = Trust to specified only, Use any auth protocol / http site.johndom.com + http jdfp01

Workstation details:
- XP SP2
- IE 6
- Integrated is on in the IE settings
- Site in Local Intranet

There is beer/wine on its way to the person who solves this! In fact – I'd be happy if you just told me HTTP auth doesn't work with constrained delegation!!! lol

Thanks & Best Regards,
John
< Message edited by frobnitzz -- 2.Sep.2008 8:03:10 AM >
RE: Constrained Delegation with HTTP Authentication - 17.Jun.2008 8:54:49 AM
Jason Jones
Posts: 2119
Joined: 30.Jul.2002
From: United Kingdom
Status: online
Need a bit of time to digest your setup. However, it should work, as I have Exchange 2007 working with Integrated HTTP Authentication and KCD. So, the "concept" is sound! :-) First guess would be the SPN setup, as this is normally the place it all goes wrong... Have you seen the following issue? Not sure if this is relevant? http://support.microsoft.com/kb/951509 Can you provide more details on your publishing rules? Also, do you get ISA alerts with reference to KCD issues? Cheers JJ
_____________________________
Jason Jones (MVP) Silversands Limited http://www.silversands.co.uk My Blog: http://blog.msfirewall.org.uk/ Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Constrained Delegation with HTTP Authentication - 17.Jun.2008 10:40:42 AM
frobnitzz
Posts: 22
Joined: 11.Jun.2008
Status: offline
Hi, Yes I've applied that patch and run the script already. I get a Kerberos error on the client - forgot to include it above. I think the fact it worked OK with forms and constrained threw me off the scent. I've searched and read loads on it, but can't see anything that applies to me. Can't be duplicate machine, only one domain with 7 machines. The SPN looks how I'm sure it should, I've removed the SPN, put it in again etc. I have another Dev environment and it behaves exactly the same!

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 17/06/2008
Time: 15:21:12
User: N/A
Computer: JDCLIENT01
Description: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/jdisa01.johndom.com. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (JOHNDOM.COM), and the client realm. Please contact your system administrator. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

On the publishing rule constrained delegation tab, for the SPN, I've tried using http/jdfap01.johndom.com, http/*, HTTP/site.johndom.com..... Not much more I can say about the rule itself. In addition, the SharePoint rule I have configured the same and behaves the same. If I point the site's DNS record directly at the MOSS front end, I get Kerberos logged in no problem, so the SPN setup must be OK in terms of which SPN I have registered?
RE: Constrained Delegation with HTTP Authentication - 19.Jun.2008 6:47:35 AM
frobnitzz
Posts: 22
Joined: 11.Jun.2008
Status: offline
The fact that ISA thinks that the requests are anonymous (during logging) > is that a big problem at this stage? Would you normally expect to see the actual log in name listed? Just seems to me like the credentials are not being passed on by the browser? Thanks, John
RE: Constrained Delegation with HTTP Authentication - 19.Jun.2008 7:10:02 AM
frobnitzz
Posts: 22
Joined: 11.Jun.2008
Status: offline
Yes, makes sense. It only ever lists Anon though, so it mustn't be getting anything else from the client.
RE: Constrained Delegation with HTTP Authentication - 19.Jun.2008 8:48:52 AM
frobnitzz
Posts: 22
Joined: 11.Jun.2008
Status: offline
Logged on to the domain. Using Enterprise Admin. Behaves the same no matter where I do it from, XP client, 2003 Member Server etc. I just tried changing the IIS app site ID to Local System and the constrained delegation to http/* - no luck.
RE: Constrained Delegation with HTTP Authentication - 19.Jun.2008 8:59:43 AM
Jason Jones
Posts: 2119
Joined: 30.Jul.2002
From: United Kingdom
Status: online
Even if KCD was failing, you should still be able to authenticate to the listener. From memory, the browser will only send credentials if the URL is in the intranet zone - can you try this? I would use netmon/wireshark to look at how the browser is sending credentials to ISA. You may also want to look at a tool called WFetch as this can be used to choose the authentication type for a web request...this may show up any other problems... Cheers JJ
RE: Constrained Delegation with HTTP Authentication - 19.Jun.2008 9:05:59 AM
Jason Jones
Posts: 2119
Joined: 30.Jul.2002
From: United Kingdom
Status: online
The only other thing I can think of is that I have never done this config over HTTP, always HTTPS. Maybe you could get a test SSL cert so that you rule out this element?
RE: Constrained Delegation with HTTP Authentication - 19.Jun.2008 9:12:19 AM
frobnitzz
Posts: 22
Joined: 11.Jun.2008
Status: offline
It's in the intranet zone, your memory serves you right :) Recently secured it with a wildcard after having exactly the same thought, only client to ISA though - not end to end. Interestingly, when I changed to run the IIS web app to local system - I couldn't connect to the site pointing direct to the box anymore. It should reg SPN for local system (using machine netbios) automatically shouldn't it? Changed back to my domain spn account and it connected again. I'll get some tracing results done. ty so far :)
RE: Constrained Delegation with HTTP Authentication - 19.Jun.2008 9:23:10 AM
Jason Jones
Posts: 2119
Joined: 30.Jul.2002
From: United Kingdom
Status: online
Just a thought, can you try setting the SPN in ISA to use jdfp01.johndom.com as this will match the entry in the computer name field of the To tab. However, I still think things are going wrong at the listener. Do you get any ISA alerts complaining about KCD when access fails? If not, this will point back to the listener being an issue...
RE: Constrained Delegation with HTTP Authentication - 20.Jun.2008 7:26:22 AM
frobnitzz
Posts: 22
Joined: 11.Jun.2008
Status: offline
Hi, I can confirm it's going wrong at the listener; doesn't matter what I put in the rule's SPN field - it won't get any further. Which leads me to think it's not getting that far. As an experiment I've configured it to use SSL client certificates. Works a treat. I then went on to configure MOSS to use 443 and to accept user certificates - perfect, logs the user in no problem. The only issue with doing it like this is that if the user has more than one user cert it prompts you as to which one you would like to use - also it means re-configuring as an end-to-end SSL solution. To reiterate, it also works with Forms Based Authentication. It's just HTTP Auth it doesn't like. John
RE: Constrained Delegation with HTTP Authentication - 30.Jun.2008 9:38:50 AM
frobnitzz
Posts: 22
Joined: 11.Jun.2008
Status: offline
Hi Jason, Been away for a week, a nice break to sunny Devon :)

Turning off integrated in the browser results in the 403 URL forbidden straight away. If I take the site out of local intranet, I get prompted once - but then 403.

WFetch - DNS pointing direct to the IIS server. At the moment it's giving me a 401.2 when I try to connect with Kerberos, but if I go via browser (IE6) I get the right ticket (http/site.johndom.com in kerbtray) and it logs straight in. Event logs show Kerberos logon activity, so I'm sure it's not falling back to NTLM. If I enable anon access on the IIS site, WFetch manages Kerberos fine. WFetch using Negotiate also works, generating Kerberos traffic in the event log.

WFetch - DNS pointing to ISA listener. Will update shortly.

There is a call logged with MS about this now.
< Message edited by frobnitzz -- 30.Jun.2008 9:41:05 AM >
RE: Constrained Delegation with HTTP Authentication - 2.Jul.2008 4:29:33 AM
frobnitzz
Posts: 22
Joined: 11.Jun.2008
Status: offline
ah cool - negotiate is fine and gave kerb traffic. Will keep this updated.
RE: Constrained Delegation with HTTP Authentication - 4.Jul.2008 8:46:31 AM
frobnitzz
Posts: 22
Joined: 11.Jun.2008
Status: offline
Brief(ish) update:

a. The listener doesn't like Kerberos auth against the ISA itself. You have to force the ISA server to take NTLM from the Integrated auth by running a script found here: http://support.microsoft.com/kb/927265/en-us

b. You have to use a different URL than that of your internal site. For example, for an internal name of site.johndom.com I created a CNAME for web.johndom.com pointing back to site.johndom.com. ISA is configured to take web.johndom.com in the public name - then the To is the internal name, with the SPN being used the internal http/site.johndom.com.

It's kinda working now, although RSS feeds are never loading and you can't edit anything, it just refreshes the page you are on. ISA is reporting Access Denied when you try, and it appears to be trying Anonymous. Also - if you click sign in as new user, MOSS says you first need to be logged in. hmm

There is an alternative I've found to all this constrained delegation and that's to do no delegation but allow the client to authenticate directly. Still uses Kerberos to log the user in - only problem is that because you are not logging in to ISA, it doesn't know who you are - so all traffic is reported as coming from an anonymous connection... less than ideal.

John
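The two things this thread turns on, as an added example that is not part of the thread and not ISA Server's own code: the SPN registration shown in the first post and the KRB_AP_ERR_MODIFIED event (whose text names duplicate registrations as the common cause), and the rule layout the update above arrives at (a public name separate from the internal name on the To tab, the delegation SPN for the internal name registered on the app pool identity, and NTLM forced on the listener). The setspn -L text, account DNs, hostnames and rule field names below are all constructed placeholders; the rule dictionary is a plain model of those conditions, not ISA's configuration object model.

```python
"""Sanity checks for a KCD publishing setup (added example, not thread code).

Models two failure causes from the thread over constructed input: an SPN
registered on more than one account (the usual cause of the
KRB_AP_ERR_MODIFIED event quoted earlier), parsed from `setspn -L` style
output, and a rule whose public name, internal name, delegation SPN and
listener authentication do not match the working layout in the update.
All account DNs, hostnames and rule fields are constructed placeholders.
"""
import re
from collections import defaultdict

# Constructed `setspn -L` output for three accounts, concatenated. The ISA
# host account has been given a copy of the web site's SPN so that the
# duplicate check has something to report.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=spnsite,OU=Service Accounts,DC=JOHNDOM,DC=COM:
    http/site.johndom.com
    http/site
Registered ServicePrincipalNames for CN=JDFAP01,OU=Servers,DC=JOHNDOM,DC=COM:
    HOST/jdfap01.johndom.com
    HOST/JDFAP01
Registered ServicePrincipalNames for CN=JDISA01,OU=Servers,DC=JOHNDOM,DC=COM:
    HOST/jdisa01.johndom.com
    HOST/JDISA01
    HTTP/site.johndom.com
"""

SPNSITE_DN = "CN=spnsite,OU=Service Accounts,DC=JOHNDOM,DC=COM"

# Rule as first posted: same name inside and out, Kerberos expected at the
# listener (constructed field names, not ISA's object model).
BROKEN_RULE = {
    "public_name": "site.johndom.com",
    "internal_name": "site.johndom.com",
    "delegation_spn": "http/site.johndom.com",
    "app_pool_account": SPNSITE_DN,
    "listener_auth": "kerberos",
}

# Rule as it ended up working: separate public name (a CNAME), internal name
# on the To tab, SPN for the internal name, NTLM forced on the listener.
WORKING_RULE = dict(BROKEN_RULE, public_name="web.johndom.com",
                    listener_auth="ntlm")

HEADER = re.compile(r"^Registered ServicePrincipalNames for (CN=[^:]+):$")


def parse_setspn(text):
    """Return {account_dn: [spn, ...]} from concatenated `setspn -L` output."""
    accounts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            accounts[current] = []
        elif line and current is not None:
            accounts[current].append(line)
    return accounts


def spn_owners(accounts, spn):
    """Account DNs carrying `spn`; servicePrincipalName is case-insensitive."""
    return [dn for dn, spns in accounts.items()
            if spn.lower() in (s.lower() for s in spns)]


def duplicate_spns(accounts):
    """SPNs registered on more than one account, mapped to their owners."""
    owners = defaultdict(list)
    for dn, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].append(dn)
    return {spn: dns for spn, dns in owners.items() if len(dns) > 1}


def check_rule(rule, accounts):
    """List the problems with a rule description against the SPN registry."""
    problems = []
    if rule["public_name"].lower() == rule["internal_name"].lower():
        problems.append("public name equals internal name; publish under a "
                        "separate name (a CNAME) that resolves to the site")
    service, _, host = rule["delegation_spn"].partition("/")
    if service.lower() != "http":
        problems.append("delegation SPN is not an http/ SPN")
    if host.lower() != rule["internal_name"].lower():
        problems.append("delegation SPN host differs from the internal name "
                        "on the rule's To tab")
    owners = spn_owners(accounts, rule["delegation_spn"])
    if rule["app_pool_account"] not in owners:
        problems.append("delegation SPN is not registered on the app pool "
                        "identity account")
    if len(owners) > 1:
        problems.append("delegation SPN is registered on more than one "
                        "account: " + ", ".join(owners))
    if rule["listener_auth"].lower() == "kerberos":
        problems.append("listener expects Kerberos to ISA itself; the working "
                        "setup forces NTLM on the listener (KB927265 script)")
    return problems


if __name__ == "__main__":
    registry = parse_setspn(SETSPN_OUTPUT)
    for spn, dns in duplicate_spns(registry).items():
        print(f"duplicate SPN {spn}: {', '.join(dns)}")
    for label, rule in (("as posted", BROKEN_RULE), ("working", WORKING_RULE)):
        print(label, check_rule(rule, registry) or ["ok"])
```

Against the constructed registry the "as posted" rule reports the shared public/internal name, the duplicated SPN and the Kerberos listener; once the stray HTTP/site.johndom.com entry is removed from the ISA host account, the "working" rule reports nothing. On a real domain the input would be the concatenated output of setspn -L for each account of interest, and the duplicate check is the same comparison setspn -X performs.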