Constrained delegation doesn't work (Full Version)

All Forums >> [ISA 2006 Publishing] >> Web Publishing


thorstenrood -> Constrained delegation doesn't work (19.Jul.2007 4:36:36 PM)

Hi @all,

my ISA2006 gets me nuts: I want to publish the internal certificate authority web enrollment page for remote users outside the VPN corporate network to allow them renewing their smartcard certificates manually when they become due (autoenrollment won't reach them).

To ensure maximum protection, there's a seperate WebListener that requires SmartCard authentication and that's bound to a web publishing rule to the /certsrv/ and /certcontrol/ and /certcontrol/ directories for the designated web enrollment host. The web publishing rule is activated for constrained delegation and the listener is hardended to accept our own certificates only.

ISA server is a domain member and computer account is trusted for delegation. Certificate Services web enrollment page requires integration windows authentication (kerberos) and runs with the default network service identity. Forest level is W2K3 native.

When smartcard users login, they get prompted for their card/certificate/PIN and delegation then immediately fails with isa error 12202 ("denied URL"). Event log shows event ID 21315 "ISA Server failed to delegate the credentials using Kerberos constrained delegation to ... Check that the SPN ... matches SPN in Active Directory."

The http SPN is not explicitly registered for the web enrollment host computer object, but even doing this does not change the misbehavior. If I temporarily allow for user-individual prompting in delegation options, everything is fine but obviously I want to enforce user identity by kerberos delegation. Most of them even don't know their passwords any more... ;-)

What's going wrong with constrained delegation here?

Thanks much!

rlar039 -> RE: Constrained delegation doesn't work (8.Sep.2015 6:21:33 AM)

Add this problem last week and find absolutly no documentation regarding any issue even on Microsoft
web site. So as far as I can see there is two solution possible


2- This solution is not documented anywhere, we had a duplicated SPN entry onto our network that cause the
same error as KB947124

Removing the extry SPN entry and restarting the ISA services did the trick.

Page: [1]