HTTP 401.1 using Kerberos delegation (Full Version)

All Forums >> [ISA 2006 Publishing] >> SharePoint Publishing



Message


enricoklein -> HTTP 401.1 using Kerberos delegation (22.Oct.2007 9:13:32 AM)

Hi,

can someone please help me out with this.

I keep getting HTTP Error 401.1 after entering my credentials, both when connecting from outside through ISA as when connecting internally. When I remove the SPN HTTP/<fqdn> from the Application Pool account I can login fine from the internal network (fallback to NTLM?), but receive http error 403 when connecting through ISA.

What am I missing? :S

Best regards,
Enrico Klein




Jason Jones -> RE: HTTP 401.1 using Kerberos delegation (23.Oct.2007 4:45:23 AM)

By default, SharePoint is not configured to support Kerberos authentication, only Windows authentication (NTLM). It can be configured as shown here:

http://support.microsoft.com/kb/832769

However, the recommended best practice for SharePoint is to use NTLM delegation, as defined when you use the SharePoint publishing wizard.

Cheers

JJ




enricoklein -> RE: HTTP 401.1 using Kerberos delegation (23.Oct.2007 4:56:58 AM)

Hi Jason,

thanks for your reply!

I have already added the SPN's HTTP/<fqdn> to the domain account used as Application Pool Identity for Sharepoint, and IIS is configured for "negotiate,NTLM", but still no go.
As soon as I remove the SPN and restart IIS I can login from the internal network, so I guess it fallsback to NTLM then.

We use a Radius based OTP solution, I don't think NTLM delegation works with Radius, or does it?

Any other tips? Thanks again!

Best regards,
Enrico




Jason Jones -> RE: HTTP 401.1 using Kerberos delegation (23.Oct.2007 5:13:31 AM)

Have you tried enabling the "collect additional credentials" on the web listener? It is located on the authentication tab.

This will allow you to define a windows username and password in addtion to RADIUS details on a single HTML form. ISA can then delegate the windows credentials in NTLM format to SharePoint, in addition to authenticating the RADIUS OTP.

Cheers

JJ

P.S. I would still suggest you go with Microsoft's recommendation and configure SharePoint for NTLM and then use ISA NTLM delegation.




Page: [1]