RE: Constrained Delegation with HTTP Authentication
RE: Constrained Delegation with HTTP Authentication - 7.Aug.2008 8:13:33 AM
frobnitzz
Posts: 22
Joined: 11.Jun.2008
Status: offline
weird - thought I'd replied to this yesterday. Well.... still no better, the RSS never loads and you can't reach the edit page (or anything like that). If you use FBA instead of HTTP it works. Thought it might have had something to do with the SSO option on FBA but I unchecked that and it's still working. Worthy of note is that I'm still using KCD with the FBA option - so that says to me the KCD side of things is fine, I've got nothing wrong with the SPN or AD object delegation options. Got an MS MOSS specialist on the case atm.
RE: Constrained Delegation with HTTP Authentication - 2.Sep.2008 8:02:03 AM
frobnitzz
Posts: 22
Joined: 11.Jun.2008
Status: offline
HOORAH, resolved. I'll paste the summary from the clever people at MS.

1. You configured Integrated authentication on ISA and tried to access the site using Kerberos. However, this didn't work, because the client can't use the Kerberos ticket on ISA which is designated for the MOSS Server Farm. Therefore you had to change ISA to use NTLM only on the Listener, as described in http://support.microsoft.com/kb/927265/en-us
2. We found that the client POST request to access this function was blocked by ISA because of a known issue in ISA, described in http://support.microsoft.com/kb/945882/en-us
3. This was related to a problem with the application not being able to impersonate the credentials for local host access; this could be fixed by configuring the DisableLoopbackCheck in the Registry as described in http://support.microsoft.com/kb/887993/en-us

RESOLUTION: After applying the changes as described in the KB articles, your users could access the MOSS application through ISA.
RE: Constrained Delegation with HTTP Authentication - 30.Oct.2008 10:02:24 AM
frobnitzz
Posts: 22
Joined: 11.Jun.2008
Status: offline
While I remember:

Single Root DC, Johndom.com (2003 AD)
Single ISA Enterprise 2006
Single MOSS Farm SP1 with Separate SQL 2005.

...Implementation Overview

The following is an overview of the steps required to enable SSO KCD for MOSS.

Active Directory
· Setspn the new URL against the application pool account.
· Configure the AD user account and ISA computer account to be able to use the new SPN (Delegation tab).

ISA
· Install SP1.
· Run script found here http://support.microsoft.com/kb/927265/en-us
· Run script found here http://support.microsoft.com/kb/945882/en-us
· Create ADI listener & rule for portal.
· Configure ISA rule to use the new SPN.

CLIENT
· Add https://portal.johndom.com to Internet Explorer's Local Intranet zone.
· Verify name resolution points portal to the ADI listener.

...Implementation Guide

Active Directory

Register Service Principal Names
The SPNs to register come from the normal URL, with spn prefixed. The format is as follows:
setspn -A HTTP/[url with spn prefix] [domain\application pool service account]
Open a command prompt (any machine in target domain). For each web application, repeat the following:
setspn -A HTTP/spnportal.leedslearning.net johndom\mossportal.svc
setspn -A HTTP/spnportal johndom\mossportal.svc

Modify AD object delegation
The service account and ISA server objects must have their delegation properties changed.
Launch Active Directory Users and Computers. Locate the application pool service account. Under the properties of the account, select the Delegation tab. Select (if not already) "Trust this user for delegation to specified services only" / "Use Kerberos only". Click Add, then enter the name of the service account you are modifying. Click Select All, then OK. Click OK to close the properties dialogue.
Locate the ISA server object(s). Under the properties of the account, select the Delegation tab. Select (if not already) "Trust this user for delegation to specified services only" / "Use any authentication protocol". Click Add, then enter the name of the application pool service account. Click Select All, then OK. Repeat for any other service accounts. Click OK to close the properties dialogue. Repeat for any remaining ISA server objects.

ISA

Install Service Pack 1 and associated scripts
Download and install ISA Service Pack 1 from here: http://www.microsoft.com/downloads/details.aspx?FamilyId=D2FECA6D-81D7-430A-9B2D-B070A5F6AE50&displaylang=en
· Run post-SP1 script found here http://support.microsoft.com/kb/927265/en-us
· Run post-SP1 script found here http://support.microsoft.com/kb/945882/en-us
· Repeat for each ISA server in the array.

Create ADI listener
If an Active Directory Integrated (HTTP authentication) listener does not yet exist in your environment it should be created with the following settings:
Tab: Authentication - HTTP Authentication: Basic + Integrated Windows
Tab: Authentication > Advanced - Require all users to authenticate
Tab: Connections - Enable both; Redirect all

Create Site Access Rule
The ADI site access rule should have the following settings:
Tab: From - Anywhere
Tab: Web Farm - Internal site name is the public name/host header; Cookie based; Don't forward original host header; Appear from ISA
Tab: Public Name - The name you want to use outside, which is the same as the host header/AAM
Tab: Authentication Delegation - KCD http://spnportal.johndom.com

Client
From your connecting client the site must exist in the Local Intranet zone in Internet Explorer. Ping the target site to ensure that it resolves against the ADI listener IP address of ISA.

That should do the trick - I've done these steps in a couple of environments across multiple sites with success every time.

John Sutherland
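A check for the Active Directory side of these steps, added here as an example and not part of John's post: it verifies that the portal's HTTP SPNs are registered exactly once on the application pool account, that the account itself is limited to Kerberos-only constrained delegation, and that the ISA computer account is constrained to those SPNs with protocol transition enabled. It assumes the RSAT ActiveDirectory PowerShell module; ISA01 is a placeholder for your ISA server's computer account.

```powershell
# Added verification script (not from the original post). Assumes the RSAT
# ActiveDirectory module and the names used in the thread; ISA01 is a placeholder
# for your ISA server's computer account.
Import-Module ActiveDirectory

$SvcAccount  = 'mossportal.svc'                     # app-pool service account (from the thread)
$IsaComputer = 'ISA01'                              # placeholder computer account name
$Spns        = @('HTTP/spnportal.johndom.com', 'HTTP/spnportal')

# 1. Each HTTP SPN must be registered on exactly one account. A missing or
#    duplicate SPN means the KDC cannot issue a ticket for it; the symptom is
#    usually a credential prompt or a fall back to NTLM rather than a clear error.
foreach ($spn in $Spns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
    switch ($owners.Count) {
        0       { Write-Warning "$spn is not registered; run: setspn -A $spn johndom\$SvcAccount" }
        1       { if ($owners[0].sAMAccountName -ne $SvcAccount) {
                      Write-Warning "$spn belongs to $($owners[0].sAMAccountName), not $SvcAccount" }
                  else { "$spn OK" } }
        default { Write-Warning "$spn is registered on $($owners.Count) objects (duplicate SPN)" }
    }
}

# 2. App-pool account: constrained delegation, Kerberos only (no protocol
#    transition), and never unconstrained.
$svc = Get-ADUser $SvcAccount -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
if ($svc.TrustedForDelegation)       { Write-Warning "$SvcAccount is trusted for UNCONSTRAINED delegation" }
if ($svc.TrustedToAuthForDelegation) { Write-Warning "$SvcAccount allows protocol transition; the thread uses 'Use Kerberos only'" }
"$SvcAccount may delegate to: $($svc.'msDS-AllowedToDelegateTo' -join ', ')"

# 3. ISA computer account: constrained to the portal's HTTP SPNs, with
#    'Use any authentication protocol' (TrustedToAuthForDelegation), because ISA
#    authenticates the browser with NTLM/Basic and then requests a Kerberos
#    ticket to MOSS on the user's behalf.
$isa = Get-ADComputer $IsaComputer -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
if ($isa.TrustedForDelegation)            { Write-Warning "$IsaComputer is trusted for UNCONSTRAINED delegation; use constrained delegation" }
if (-not $isa.TrustedToAuthForDelegation) { Write-Warning "$IsaComputer lacks 'Use any authentication protocol'; KCD from an NTLM listener will fail" }
$missing = $Spns | Where-Object { $isa.'msDS-AllowedToDelegateTo' -notcontains $_ }
if ($missing) { Write-Warning "$IsaComputer may not delegate to: $($missing -join ', ')" }
else          { "$IsaComputer delegation scope OK" }
```

Run it as a domain user with read access to the objects after the setspn and Delegation tab steps above; every warning maps back to one of those steps.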
RE: Constrained Delegation with HTTP Authentication - 18.Nov.2008 12:35:43 PM
gga
Posts: 1
Joined: 18.Nov.2008
Status: offline
Hi all, I installed Kerberos on my ISA server, and behind this I have a SharePoint site. Everything seems to be OK with Firefox (when I add https://myserver.server.com into the about:config) but I have an error with IE even if I add https://myserver.server.com into the Local Intranet zone of IE. If I delete the site from the Local Intranet zone, I'll be prompted for the credentials and after that everything is OK. Any idea? I just want my credentials to be sent automatically with IE. Thanks