Welcome to ISAserver.org

Kerberos Constrained Delegation (KCD) OWA Publishing

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA 2006 Publishing] >> Exchange Publishing >> Kerberos Constrained Delegation (KCD) OWA Publishing

Page: [1]

Message

<< Older Topic Newer Topic >>

Kerberos Constrained Delegation (KCD) OWA Publishing - 5.Dec.2006 9:36:45 PM

AnthonyP

Posts: 23
Joined: 5.Dec.2006
Status: offline

I'm having a bit of trouble publishing OWA for KCD in ISA 2006. I've set everything up to the best of my abilities and have followed some guidance online, but I'm still getting errors when trying to login to OWA.

Here's the setup..

I have a FE, BE, DC, ISA2K6, and a client machine. The client is sitting in the ISA2K6's external network range (192.168.1.x), while the rest of the machines are on the internal range (10.10.1.x). I've setup the publishing rule and when trying to access the URL I get 2 very distinct error message, but there's no real order to how or why I'm getting them.

Error code: 401 Unauthorized. The server requires authorization to fulfill the request. Access to the web server is denied. Contact the Server Administrator (12209).

Error code: 500 Internal Server Error. The network logon failed. (1790).

I've looked at each server and I do not see any denied request for my user account on any server. I am getting prompted for my client certificates and PIN. However, after I input those I get the above errors.

Any ideas on where I shoudl start looking?

Post #: 1

Featured Links*

RE: Kerberos Constrained Delegation (KCD) OWA Publishing - 5.Dec.2006 11:23:08 PM

AnthonyP

Posts: 23
Joined: 5.Dec.2006
Status: offline

Well.. I was running the default Exchange 2003 out of the box when doing the initial testing. Since then I've upgraded both FE and BE to Exchange 2003 SP2 (though I had to install hotfix KB831464 before it would let me go forward with the upgrade.

Now that's upgrade I am not getting prompted for my certificates... it just gives me an immediate error "The Network logon failed". I've rebooted the FE and BE after all the changes with the same effect.

Thanks for any ideas.

(in reply to AnthonyP)

Post #: 2

RE: Kerberos Constrained Delegation (KCD) OWA Publishing - 6.Dec.2006 3:41:08 AM

AnthonyP

Posts: 23
Joined: 5.Dec.2006
Status: offline

Well.. I'm back to square one after the update. Recreated the ISA rule and now the error is the same as above.

(in reply to AnthonyP)

Post #: 3

RE: Kerberos Constrained Delegation (KCD) OWA Publishing - 6.Dec.2006 9:15:55 AM

Jason Jones

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline

I assume youve seen this: http://www.isaserver.org/tutorials/Configuring-ISA-Firewalls-ISA-2006-RC-Support-User-Certificate-Authentication-using-Constrained-Delegation-Part1.html

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to AnthonyP)

Post #: 4

RE: Kerberos Constrained Delegation (KCD) OWA Publishing - 6.Dec.2006 4:15:40 PM

AnthonyP

Posts: 23
Joined: 5.Dec.2006
Status: offline

Yes... I've read through that as well. Same issue.

(in reply to Jason Jones)

Post #: 5

RE: Kerberos Constrained Delegation (KCD) OWA Publishing - 8.Dec.2006 3:00:54 PM

AnthonyP

Posts: 23
Joined: 5.Dec.2006
Status: offline

Anyone else have any ideas? I'm flustered.

(in reply to AnthonyP)

Post #: 6

RE: Kerberos Constrained Delegation (KCD) OWA Publishing - 8.Dec.2006 6:06:45 PM

Jason Jones

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline

Seems a pretty rare config at the moment, hence not a lot of experience out in the forums I guess

I know Tom hit quite a few issues when researching for the article, thats why I hoped it would help...

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to AnthonyP)

Post #: 7

RE: Kerberos Constrained Delegation (KCD) OWA Publishing - 9.Dec.2006 5:44:21 AM

spouseele

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Anthony,

did you check out Preparing the ISA Server 2006 for Kerberos Constrained Delegation?

HTH,
Stefaan

(in reply to Jason Jones)

Post #: 8

RE: Kerberos Constrained Delegation (KCD) OWA Publishing - 18.Dec.2006 10:40:10 AM

AnthonyP

Posts: 23
Joined: 5.Dec.2006
Status: offline

Stefaan,

I changed the SPN to match the FE server name which happened to be the FQDN of the server. e.g, changed from http/exchangefe to http/exchangefe.domain.com

Still no luck.

(in reply to spouseele)

Post #: 9

RE: Kerberos Constrained Delegation (KCD) OWA Publishing - 19.Dec.2006 12:35:55 AM

KenSchaefer

Posts: 1
Joined: 19.Dec.2006
Status: offline

Hi Anthony,

Can you tell us whether access is being blocked at the ISA Server or FE Exchange server?

Anything in the Event Logs on the ISA Server or FE Exchange Server or your DC?

If you enable account logon failure auditing, do you see anything in the security event logs of any of these servers?

Thanks

Cheers
Ken

(in reply to AnthonyP)

Post #: 10

RE: Kerberos Constrained Delegation (KCD) OWA Publishing - 21.Dec.2006 9:48:04 PM

AnthonyP

Posts: 23
Joined: 5.Dec.2006
Status: offline

quote:

ORIGINAL: KenSchaefer

Hi Anthony,

Can you tell us whether access is being blocked at the ISA Server or FE Exchange server?

Anything in the Event Logs on the ISA Server or FE Exchange Server or your DC?

If you enable account logon failure auditing, do you see anything in the security event logs of any of these servers?

Thanks

Cheers
Ken