RESOLVED Constrained Delegation with HTTP Authentication (Full Version)

All Forums >> [ISA 2006 Publishing] >> Web Publishing



Message

frobnitzz -> RESOLVED Constrained Delegation with HTTP Authentication (17.Jun.2008 7:51:41 AM)

Please help!!!

I need to be able to use integrated authentication on my clients, so I get a streamlined logon to desktop > access site. This will ultimately be for accessing a sharepoint farm – but for now if I can just get it to work with a basic website I'll be pleased!

Pulling my hair out. 2 weeks I've been trying all kinds of rule combinations, read more guides than you can shake a stick at (nothing specific to this though) Can't get around it prompting 3 times (putting Enterprise Admin details in) and giving:

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

ISA logging gives:

12232 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.

It thinks the user is Anonymous.

If I use html forms on the listener, with constrained delegation – it works. Doesn't this say that the constrained delegation must be ok?

It's like the clients arn't passing on the logon details..?

Help!!!







CONFIGURATION

Environment as:

-Single root domain – Johndom.com (2003 AD)
-ISA 2006 – Patched with KB939455, KB942639, KB951510 (JDISA01)
-IIS 6 on Server 2003 SP1 (JDFAP01)
-XP SP2 Workstation (JDCLIENT01)

Website:
 
-site.johncom.com / 80 / with header
-It's own web app with identity = johndom\spnsite
-Anonymous = off
-Integrated is the only checkbox on

ISA config / Rule details (I'll list the important bits only):

-From = Anywhere
-To: Published site = site.johndom.com / Comp Name = jdfp01.johndom.com / Forward original host header = no / Requests appear from ISA
-Public Name = site.johndom.com
-Authentication Delegation = Kerberos constrained Delegation / SPN = http/site.johndom.com
-Users = All Authenticated Users

Listener Details:
 
-Authentication – HTTP Authentication / Integrated
--Advanced – Require users to auth = no / allow client auth over http = yes

SPN Registration Details:

-setspn -A HTTP/site.johndom.com johndom\spnsite
-setspn –L spnsite:

C:\Documents and Settings\ea>setspn -L spnsite
Registered ServicePrincipalNames for CN=spnsite,OU=Service Accounts,OU=Administ
ration,DC=JOHNDOM,DC=COM:
  http/site.johndom.com
  http/site

AD Object Properties:

-Service Account SPNSITE – Delegation = Trust to specified only, Kerberos only / http  site.johndom.com
-ISA Server JDISA01 - Delegation = Trust to specified only, Use any auth protocol / http  site.johndom.com + http  jdfp01

Workstation Details:

-XP SP2
-IE 6
-Integrated is on in the IE settings
-Site in Local Intranet







There is beer/wine on it's way to the person who solves this!

Infact - I'd be happy if you just told me HTTP auth doesn't work with constrained delegation!!! lol

Thanks & Best Regards,
John 



Jason Jones -> RE: Constrained Delegation with HTTP Authentication (17.Jun.2008 8:54:49 AM)

Need a bit of time to digest your setup.

However, it should work, as I have Exchange 2007 working with Integrated HTTP Authentication and KCD. So, the "concept" is sound! :-)

First guess would be the SPN setup, as this is normally the place it all goes wrong...

Have you seen the following issue? Not sure if this is relevant? http://support.microsoft.com/kb/951509

Can you provide more details on your publishing rules? Also, do you get ISA alerts with reference to KCD issues?

Cheers

JJ



frobnitzz -> RE: Constrained Delegation with HTTP Authentication (17.Jun.2008 10:40:42 AM)

Hi,

Yes I've applied that patch and run the script already [:(]

I get a Kerberos error on the client - forgot to include it above. I think the fact it worked ok with forms and constrained threw me off the scent.

I've searched and read loads on it, but can't see anything that applies to me. Can't be duplicate machine, only one domain with 7 machines. The SPN looks how I'm sure it should, I've removed the SPN, put it in again etc.

I have another Dev environment and it behaves exactly the same!

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date:  17/06/2008
Time:  15:21:12
User:  N/A
Computer: JDCLIENT01
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/jdisa01.johndom.com.  This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (JOHNDOM.COM), and the client realm.   Please contact your system administrator.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

On the publishing rule constrained delegation tab, for the SPN, I've tried using http/jdfap01.johndom.com, http/*, HTTP/site.johndom.com.....

Not much more I can say about the rule itself.

In addition, the sharepoint rule I have configured the same and behaves the same. If I point the sites DNS record directly at the MOSS front end, I get Kerberos logged in no problem, so the SPN setup must be ok In terms of which SPN I have registered?



frobnitzz -> RE: Constrained Delegation with HTTP Authentication (19.Jun.2008 6:47:35 AM)

The fact that ISA thinks that the requests are anonymous (during logging) > is that a big problem at this stage? Would you normally expect to see the actual log in name listed?

Just seems to me like the credentials are not being passed on by the browser?

Thanks,
John



Jason Jones -> RE: Constrained Delegation with HTTP Authentication (19.Jun.2008 7:05:28 AM)

Initial requests will likely be anonymous, but then you should see the domain\user or user@domain.com reference in the logs.



frobnitzz -> RE: Constrained Delegation with HTTP Authentication (19.Jun.2008 7:10:02 AM)

Yes makes sense. It only ever lists Anon though so musn't be getting anything else from the client.



Jason Jones -> RE: Constrained Delegation with HTTP Authentication (19.Jun.2008 8:45:02 AM)

Is the client logged into the domain or using cached credentials?



frobnitzz -> RE: Constrained Delegation with HTTP Authentication (19.Jun.2008 8:48:52 AM)

Logged on to the domain. Using Enterprise Admin. Behaves the same no matter where I do it from, XP client, 2003 Member Server etc

I just tried changing the IIS app site ID to local system and the constrained delegation to http/*

no luck.




Jason Jones -> RE: Constrained Delegation with HTTP Authentication (19.Jun.2008 8:59:43 AM)

Even if KCD was failing, you should still be able to authenticate to the listener.

From memory, the browser will only send credentials if the URL is in the intranet zone - can you try this?

I would use netmon/wireshark to look at how the browser is sending credentials to ISA. You may also want to look at a tool called WFetch as this can be used to choose the authentication type for a web request...this may show up any other problems...

Cheers

JJ




Jason Jones -> RE: Constrained Delegation with HTTP Authentication (19.Jun.2008 9:05:59 AM)

The only other thing I can think of is that I have never done this config over HTTP, always HTTPS. Maybe you could get a test SSL cert so that you rule out this element?



frobnitzz -> RE: Constrained Delegation with HTTP Authentication (19.Jun.2008 9:12:19 AM)

It's in the intranet zone, your memory serves you right :)

Recently secured it with a wildcard after having exactly the same thought, only client to ISA though - not end to end.

Interestingly, when I changed to run the IIS web app to local system - I couldn't connect to the site pointing direct to the box anymore. It should reg SPN for local system (using machine netbios) automatically shouldn't it?

Changed back to my domain spn account and it connected again.

I'll get some tracing results done.

ty so far :)



Jason Jones -> RE: Constrained Delegation with HTTP Authentication (19.Jun.2008 9:23:10 AM)

Just a thought, can you try setting the SPN in ISA to use jdfp01.johndom.com as this will match the entry in the computer name field of the To tab.

However, I still think things are going wrong at the listener.

Do you get any ISA alerts complaining about KCD when access fails? If not, this will point back to the listener being an issue...



frobnitzz -> RE: Constrained Delegation with HTTP Authentication (20.Jun.2008 7:26:22 AM)

Hi,

I can confirm it's going wrong at the listener, doesn't matter what I put in the rule's SPN field - it's won't get any further. Which leads me to think it's not getting that far.

As an experiment I've configured it to use SSL client certificates. Works a treat. I then went on to configure MOSS to use 443 and to accept user certificates - perfect, logs the user in no problem.

The only issue with doing it like this, is that if the user has more than one user cert it prompts you as to which one you would like to use - also if means re-configuring as an end to end SSL solution.

To re-itterate it also works with Form Based Authentication. It's just HTTP Auth it doesn't like.

John



Jason Jones -> RE: Constrained Delegation with HTTP Authentication (20.Jun.2008 9:38:47 AM)

I have only really used 'Integrated HTTP Authentication' listeners with Exchange 2007 for Outlook Anywhere. Outlook 2007 has a built-in option to use negotiate, so maybe the browser is not able to cope with the same authentication process?

How about turning off the "Enable Integrated Windows Authentication" option in the browser as this will force NTLM as opposed to Kerberos?

It may be worth looking at Wfetch to see if you can get this to work - it's a cool little app [;)]

The fact it works with smartcards and forms does appear to indicate that the HTTP listener may have some limitations...post back your results and I can ask "elsewhere" to try and confirm...

Cheers

JJ



Jason Jones -> RE: Constrained Delegation with HTTP Authentication (20.Jun.2008 9:40:01 AM)

P.S. You should be using an end-to-end SSL solution with SSL bridging anyhow [8D]



frobnitzz -> RE: Constrained Delegation with HTTP Authentication (30.Jun.2008 9:38:50 AM)

Hi Jason,

Been away for a week, a nice break to sunny Devon :)

Turning off integrated in the browser results in the 403 url forbidden straight away. If I take the site out of local intranet, I get prompted once - but then 403.


Wfetch - DNS pointing Direct to the IIS server.

At the moment it's giving me a 401.2 when I try to connect with kerberos, but if I go via browser (IE6) I get the right ticket (http/site.johndom.com in kerbtray) and it logs straight in. Event logs show Kerberos logon activity, so I'm sure it's not falling back to ntlm. If I enable anon access on the IIS site, wfetch manages kerberos fine. wfetch using negotiate also works, generating kerberos traffic in the event log.

Wfetch - DNS pointing to ISA Listener.

Will update shortly.

There is a call logged with MS about this now.



Jason Jones -> RE: Constrained Delegation with HTTP Authentication (1.Jul.2008 6:46:42 PM)

IIRC you need to specifiy 'Negotiate' in wfetch to test kerberos auth...

Be interested in feedback from MS [;)]



frobnitzz -> RE: Constrained Delegation with HTTP Authentication (2.Jul.2008 4:29:33 AM)

ah cool - negotiate is fine and gave kerb traffic.

Will keep this updated.



frobnitzz -> RE: Constrained Delegation with HTTP Authentication (4.Jul.2008 8:46:31 AM)

Brief(ish) update:

a. The listener doesn't like kerberos auth against the ISA itself. You have to force the ISA server to take NTLM from the Integrated auth by running a script found here : http://support.microsoft.com/kb/927265/en-us

b. You have to use a different URL than that of your internal site. For example, for internal name of site.johndom.com I created a Cname for web.johndom.com pointing back to site.johndom.com. ISA is configured to take web.johndom.com in the public name - then the To, is the internal name with the SPN being used the internal http/site.johndom.com
 
It's kinda working now, although RSS feeds are never loading and you can't edit anything, it just refreshes the page you are on. ISA is reporting Access Denied when you try and it appears to be trying Anonymous. Also - if you click sign in as new user, moss says you first need to be logged in. hmm

There is an alternative I've found to all this constrained delegation and thats to do no delegation but allow the client to authenticate directly. Still uses Kerberos to log the user in - only problem is that because you are not logging in to ISA, it doesn't know who you are - so all traffic is reported as coming from an anonymous connection... less than ideal.

John



Jason Jones -> RE: Constrained Delegation with HTTP Authentication (11.Jul.2008 12:46:12 PM)

a/b kinda make sense.

This is the approach I often use when publishing applications internally as in this scenario it is feasible to lose ISA server pre-authentication as the client is a domain member and the trust model is stronger. However, I would agree that it would be nice to perform pre-auth if possible...I think I need to lab this one and have a play [:)]

Thanks for the continued updates [;)]



Page: [1] 2   next >   >>