• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Kerberos Constrained Delegation (KCD) OWA Publishing

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Publishing] >> Exchange Publishing >> Kerberos Constrained Delegation (KCD) OWA Publishing Page: [1]
Login
Message << Older Topic   Newer Topic >>
Kerberos Constrained Delegation (KCD) OWA Publishing - 5.Dec.2006 9:36:45 PM   
AnthonyP

 

Posts: 23
Joined: 5.Dec.2006
Status: offline
I'm having a bit of trouble publishing OWA for KCD in ISA 2006.  I've set everything up to the best of my abilities and have followed some guidance online, but I'm still getting errors when trying to login to OWA. 
 
Here's the setup..
 
I have a FE, BE, DC, ISA2K6, and a client machine.  The client is sitting in the ISA2K6's external network range (192.168.1.x), while the rest of the machines are on the internal range (10.10.1.x).  I've setup the publishing rule and when trying to access the URL I get 2 very distinct error message, but there's no real order to how or why I'm getting them.
 
Error code: 401 Unauthorized.  The server requires authorization to fulfill the request.  Access to the web server is denied.  Contact the Server Administrator (12209).
 
Error code: 500 Internal Server Error.  The network logon failed. (1790).
 
I've looked at each server and I do not see any denied request for my user account on any server.  I am getting prompted for my client certificates and PIN.  However, after I input those I get the above errors. 
 
Any ideas on where I shoudl start looking?
Post #: 1
RE: Kerberos Constrained Delegation (KCD) OWA Publishing - 5.Dec.2006 11:23:08 PM   
AnthonyP

 

Posts: 23
Joined: 5.Dec.2006
Status: offline
Well.. I was running the default Exchange 2003 out of the box when doing the initial testing.  Since then I've upgraded both FE and BE to Exchange 2003 SP2 (though I had to install hotfix KB831464 before it would let me go forward with the upgrade. 

Now that's upgrade I am not getting prompted for my certificates... it just gives me an immediate error "The Network logon failed".  I've rebooted the FE and BE after all the changes with the same effect.

Thanks for any ideas.

(in reply to AnthonyP)
Post #: 2
RE: Kerberos Constrained Delegation (KCD) OWA Publishing - 6.Dec.2006 3:41:08 AM   
AnthonyP

 

Posts: 23
Joined: 5.Dec.2006
Status: offline
Well.. I'm back to square one after the update.  Recreated the ISA rule and now the error is the same as above.

(in reply to AnthonyP)
Post #: 3
RE: Kerberos Constrained Delegation (KCD) OWA Publishing - 6.Dec.2006 9:15:55 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
I assume youve seen this: http://www.isaserver.org/tutorials/Configuring-ISA-Firewalls-ISA-2006-RC-Support-User-Certificate-Authentication-using-Constrained-Delegation-Part1.html

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to AnthonyP)
Post #: 4
RE: Kerberos Constrained Delegation (KCD) OWA Publishing - 6.Dec.2006 4:15:40 PM   
AnthonyP

 

Posts: 23
Joined: 5.Dec.2006
Status: offline
Yes... I've read through that as well.  Same issue.

(in reply to Jason Jones)
Post #: 5
RE: Kerberos Constrained Delegation (KCD) OWA Publishing - 8.Dec.2006 3:00:54 PM   
AnthonyP

 

Posts: 23
Joined: 5.Dec.2006
Status: offline
Anyone else have any ideas?  I'm flustered.

(in reply to AnthonyP)
Post #: 6
RE: Kerberos Constrained Delegation (KCD) OWA Publishing - 8.Dec.2006 6:06:45 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Seems a pretty rare config at the moment, hence not a lot of experience out in the forums I guess

I know Tom hit quite a few issues when researching for the article, thats why I hoped it would help...

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to AnthonyP)
Post #: 7
RE: Kerberos Constrained Delegation (KCD) OWA Publishing - 9.Dec.2006 5:44:21 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Anthony,

did you check out Preparing the ISA Server 2006 for Kerberos Constrained Delegation?

HTH,
Stefaan

(in reply to Jason Jones)
Post #: 8
RE: Kerberos Constrained Delegation (KCD) OWA Publishing - 18.Dec.2006 10:40:10 AM   
AnthonyP

 

Posts: 23
Joined: 5.Dec.2006
Status: offline
Stefaan,

I changed the SPN to match the FE server name which happened to be the FQDN of the server.  e.g, changed from http/exchangefe to http/exchangefe.domain.com

Still no luck.

(in reply to spouseele)
Post #: 9
RE: Kerberos Constrained Delegation (KCD) OWA Publishing - 19.Dec.2006 12:35:55 AM   
KenSchaefer

 

Posts: 1
Joined: 19.Dec.2006
Status: offline
Hi Anthony,

Can you tell us whether access is being blocked at the ISA Server or FE Exchange server?

Anything in the Event Logs on the ISA Server or FE Exchange Server or your DC?

If you enable account logon failure auditing, do you see anything in the security event logs of any of these servers?

Thanks

Cheers
Ken

(in reply to AnthonyP)
Post #: 10
RE: Kerberos Constrained Delegation (KCD) OWA Publishing - 21.Dec.2006 9:48:04 PM   
AnthonyP

 

Posts: 23
Joined: 5.Dec.2006
Status: offline
quote:

ORIGINAL: KenSchaefer

Hi Anthony,

Can you tell us whether access is being blocked at the ISA Server or FE Exchange server?

Anything in the Event Logs on the ISA Server or FE Exchange Server or your DC?

If you enable account logon failure auditing, do you see anything in the security event logs of any of these servers?

Thanks

Cheers
Ken


Hi Ken,

Got it figured out.  The certificate name did not match the name of the site I was publishing.  Fixed the site name and all is well.. Thanks!

(in reply to KenSchaefer)
Post #: 11

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Publishing] >> Exchange Publishing >> Kerberos Constrained Delegation (KCD) OWA Publishing Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts