|
thorstenrood -> Constrained delegation doesn't work (19.Jul.2007 4:36:36 PM)
|
Hi @all,
my ISA2006 gets me nuts: I want to publish the internal certificate authority web enrollment page for remote users outside the VPN corporate network to allow them renewing their smartcard certificates manually when they become due (autoenrollment won't reach them).
To ensure maximum protection, there's a seperate WebListener that requires SmartCard authentication and that's bound to a web publishing rule to the /certsrv/ and /certcontrol/ and /certcontrol/ directories for the designated web enrollment host. The web publishing rule is activated for constrained delegation and the listener is hardended to accept our own certificates only.
ISA server is a domain member and computer account is trusted for delegation. Certificate Services web enrollment page requires integration windows authentication (kerberos) and runs with the default network service identity. Forest level is W2K3 native.
When smartcard users login, they get prompted for their card/certificate/PIN and delegation then immediately fails with isa error 12202 ("denied URL"). Event log shows event ID 21315 "ISA Server failed to delegate the credentials using Kerberos constrained delegation to ... Check that the SPN ... matches SPN in Active Directory."
The http SPN is not explicitly registered for the web enrollment host computer object, but even doing this does not change the misbehavior. If I temporarily allow for user-individual prompting in delegation options, everything is fine but obviously I want to enforce user identity by kerberos delegation. Most of them even don't know their passwords any more... ;-)
What's going wrong with constrained delegation here?
Thanks much!
Thorsten
|
|
|
|