• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

HTTP 401.1 using Kerberos delegation

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Publishing] >> SharePoint Publishing >> HTTP 401.1 using Kerberos delegation Page: [1]
Login
Message << Older Topic   Newer Topic >>
HTTP 401.1 using Kerberos delegation - 22.Oct.2007 9:13:32 AM   
enricoklein

 

Posts: 51
Joined: 8.Mar.2005
From: netherlands
Status: offline
Hi,

can someone please help me out with this.

I keep getting HTTP Error 401.1 after entering my credentials, both when connecting from outside through ISA as when connecting internally. When I remove the SPN HTTP/<fqdn> from the Application Pool account I can login fine from the internal network (fallback to NTLM?), but receive http error 403 when connecting through ISA.

What am I missing? :S

Best regards,
Enrico Klein
Post #: 1
RE: HTTP 401.1 using Kerberos delegation - 23.Oct.2007 4:45:23 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
By default, SharePoint is not configured to support Kerberos authentication, only Windows authentication (NTLM). It can be configured as shown here:

http://support.microsoft.com/kb/832769

However, the recommended best practice for SharePoint is to use NTLM delegation, as defined when you use the SharePoint publishing wizard.

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to enricoklein)
Post #: 2
RE: HTTP 401.1 using Kerberos delegation - 23.Oct.2007 4:56:58 AM   
enricoklein

 

Posts: 51
Joined: 8.Mar.2005
From: netherlands
Status: offline
Hi Jason,

thanks for your reply!

I have already added the SPN's HTTP/<fqdn> to the domain account used as Application Pool Identity for Sharepoint, and IIS is configured for "negotiate,NTLM", but still no go.
As soon as I remove the SPN and restart IIS I can login from the internal network, so I guess it fallsback to NTLM then.

We use a Radius based OTP solution, I don't think NTLM delegation works with Radius, or does it?

Any other tips? Thanks again!

Best regards,
Enrico

(in reply to Jason Jones)
Post #: 3
RE: HTTP 401.1 using Kerberos delegation - 23.Oct.2007 5:13:31 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Have you tried enabling the "collect additional credentials" on the web listener? It is located on the authentication tab.

This will allow you to define a windows username and password in addtion to RADIUS details on a single HTML form. ISA can then delegate the windows credentials in NTLM format to SharePoint, in addition to authenticating the RADIUS OTP.

Cheers

JJ

P.S. I would still suggest you go with Microsoft's recommendation and configure SharePoint for NTLM and then use ISA NTLM delegation.

< Message edited by Jason Jones -- 23.Oct.2007 5:14:53 AM >


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to enricoklein)
Post #: 4

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Publishing] >> SharePoint Publishing >> HTTP 401.1 using Kerberos delegation Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts