• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

SharePoint 2007 and Kerberos Constrained Delegation authentication?

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Publishing] >> SharePoint Publishing >> SharePoint 2007 and Kerberos Constrained Delegation authentication? Page: [1]
Login
Message << Older Topic   Newer Topic >>
SharePoint 2007 and Kerberos Constrained Delegation aut... - 7.Dec.2007 5:52:21 AM   
mlindqvist

 

Posts: 10
Joined: 8.Nov.2007
Status: offline
Hi!

I really would like to use the Kerberos Constrained Delegation feature (KCD) to authenticate external users to be able to use a SQL Server 2005 Analysis Filter webpart that we've configured. I've setup the SPN's and delegated the ComputerAccounts necessary as well as the ServiceAccounts needed and everything works internally.
The SharePoint publishing rule works fine as well coming from internet via NTLM, but as soon as one is trying to use the Analysis Filter web part, authentication fails.

If we change the Authentication level in the Publishing Rule from NTLM to KCD I only get "
Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator" in the browser.
The eventviewer on the ISA also shows "Description: ISA Server failed to delegate credentials using Kerberos constrained delegation to the Web site published by the rule OWA Access. Check that the SPN: http/<SERVER> configured in ISA Server matches the SPN in Active Directory."

But the SPN's are there!? I've also changed the SPN on the Auth Delegation tab to the internal FQDN (instead of the external FQDN which ISA defaults to).

I've read the excellent post here http://forums.isaserver.org/m_2002038062/mpage_1/key_/tm.htm#2002038062 as well as Stefaan Pouseele's other blogs (which I found by googling).
Has anyone done this with SharePoint? All I can find on the internet is just biased towards Outlook.

Any help much appreciated!
Cheers - Mikael


< Message edited by mlindqvist -- 7.Dec.2007 5:53:43 AM >
Post #: 1
RE: SharePoint 2007 and Kerberos Constrained Delegation... - 25.Sep.2008 2:34:15 PM   
icroyal

 

Posts: 9
Joined: 10.Apr.2008
Status: offline
Did you ever fix this?  We're having the same exact issue.

(in reply to mlindqvist)
Post #: 2
RE: SharePoint 2007 and Kerberos Constrained Delegation... - 8.Oct.2008 10:02:58 PM   
joseph.a.paradi

 

Posts: 29
Joined: 20.Jun.2004
Status: offline
The only thing that I might suggest is checking the identity on the app pool that the Sharepoint site is using.  With KCD, I am pretty sure that the SPN needs to be defined on the app pool ID if the app pool is not running as Network Service.

(in reply to icroyal)
Post #: 3
RE: SharePoint 2007 and Kerberos Constrained Delegation... - 21.Oct.2008 6:35:59 AM   
frobnitzz

 

Posts: 52
Joined: 11.Jun.2008
Status: offline
http://forums.isaserver.org/m_2002068683/mpage_2/key_/tm.htm#2002072997

check my post, I've had great fun with KCD and MOSS.

(in reply to joseph.a.paradi)
Post #: 4

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Publishing] >> SharePoint Publishing >> SharePoint 2007 and Kerberos Constrained Delegation authentication? Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts