Welcome to ISAserver.org
Kerberos/NTLM Authentication
All Forums >> [ISA 2006 Publishing] >> SharePoint Publishing >> Kerberos/NTLM Authentication Page: [1]
Kerberos/NTLM Authentication - 24.Sep.2009 11:38:54 AM   
eastmarw
Posts: 50
Joined: 11.Sep.2008
I have a firewall policy that works as expected with SSO and NTLM, but the minute I change it to use Kerberos it fails with a 403 error.

The event log states the following:

Event Type:    Error
Event Source:    Kerberos
Event Category:    None
Event ID:    3
Date:        9/24/2009
Time:        11:26:18 AM
User:        N/A
Computer:    BDOWSPISAIFE04
Description:
A Kerberos Error Message was received:
        on logon session
Client Time:
Server Time: 15:26:18.0000 9/24/2009 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: BDO.COM
Server Name: host/bdowspisaife04.bdo.com
Target Name: host/bdowspisaife04.bdo.com@BDO.COM
Error Text:
File: 9
Line: b22
Error Data is in record data.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 30 15 a1 03 02 01 03 a2   0.....
0008: 0e 04 0c bb 00 00 c0 00   ......
0010: 00 00 00 03 00 00 00      .......

Another error is:

Event Type:    Error
Event Source:    Kerberos
Event Category:    None
Event ID:    3
Date:        9/24/2009
Time:        11:30:06 AM
User:        N/A
Computer:    BDOWSPISAIFE04
Description:
A Kerberos Error Message was received:
        on logon session
Client Time:
Server Time: 15:30:6.0000 9/24/2009 Z
Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error:
Client Realm:
Client Name:
Server Realm: BDO.COM
Server Name: http/bdoworld-homedev.bdo.com
Target Name: http/bdoworld-homedev.bdo.com@BDO.COM
Error Text:
File: 9
Line: b22
Error Data is in record data.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The other error is:

Event Type:    Error
Event Source:    Kerberos
Event Category:    None
Event ID:    3
Date:        9/24/2009
Time:        11:30:06 AM
User:        N/A
Computer:    BDOWSPISAIFE04
Description:
A Kerberos Error Message was received:
        on logon session BDO.COM\bdowspisaife04$
Client Time:
Server Time: 15:30:6.0000 9/24/2009 Z
Error Code: 0x34 KRB_ERR_RESPONSE_TOO_BIG
Extended Error:
Client Realm:
Client Name:
Server Realm: bdo
Server Name: krbtgt/bdo
Target Name: krbtgt/bdo@bdo
Error Text:
File: e
Line: 6c0
Error Data is in record data.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


The Event log for ISA has the following error:

Event Type:    Error
Event Source:    Microsoft ISA Server Web Proxy
Event Category:    None
Event ID:    21314
Date:        9/24/2009
Time:        11:30:06 AM
User:        N/A
Computer:    BDOWSPISAIFE04
Description:
ISA Server tried to delegate credentials, but the Web site does not accept the credentials provided by the authentication delegation scheme configured in the Web publishing rule BDOWorld-Homedev. Verify that the credentials delegation scheme configured in the Web publishing rule matches an authentication protocol enabled on the published Web site.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Anyone have any experience with getting Kerberos to work? The SharePoint application owners indicate that IIS is set up with Integrated authentication already.

_____________________________

Dream On Alice, This Ain't Wonderland
Post #: 1
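Added example, not part of eastmarw's post and not a Microsoft tool: the "Error Data is in record data" line in the events above means the Data bytes carry more than the headline error code. Windows stores a DER-encoded KERB-ERROR-DATA there (MS-KILE section 2.2.1: SEQUENCE { data-type [1] INTEGER, data-value [2] OCTET STRING OPTIONAL }), and when data-type is 3 (KERB_ERR_TYPE_EXTENDED) the value is a KERB-EXT-ERROR (MS-KILE 2.2.2), three little-endian DWORDs: an NTSTATUS, a reserved field and flags. The script below is a minimal decoder for that layout; it needs only Windows PowerShell 2.0 or later, and the sample bytes are copied from the first Event ID 3 in the post.

```powershell
function Read-DerLength {
    # DER length field at $Offset: returns @(length, bytesConsumed).
    # Short and long form are handled; the posted record only uses the short form.
    param([byte[]]$Bytes, [int]$Offset)
    $first = [int]$Bytes[$Offset]
    if ($first -lt 0x80) { return @($first, 1) }
    $count = $first -band 0x7F
    $len = 0
    for ($i = 1; $i -le $count; $i++) { $len = $len * 256 + [int]$Bytes[$Offset + $i] }
    return @($len, 1 + $count)
}

function Read-DerTlv {
    # One tag-length-value element at $Offset. Returns a hashtable with the
    # Tag byte, the Value bytes and Next, the offset of the following element.
    param([byte[]]$Bytes, [int]$Offset)
    $tag = [int]$Bytes[$Offset]
    $len, $used = Read-DerLength -Bytes $Bytes -Offset ($Offset + 1)
    $start = $Offset + 1 + $used
    $value = New-Object byte[] $len
    if ($len -gt 0) { [Array]::Copy($Bytes, $start, $value, 0, $len) }
    return @{ Tag = $tag; Value = $value; Next = $start + $len }
}

function ConvertFrom-KerbErrorData {
    # KERB-ERROR-DATA ::= SEQUENCE { data-type [1] INTEGER,
    #                                data-value [2] OCTET STRING OPTIONAL }  (MS-KILE 2.2.1)
    # For data-type 3 (KERB_ERR_TYPE_EXTENDED) data-value is a KERB-EXT-ERROR
    # (MS-KILE 2.2.2): status, reserved, flags as little-endian DWORDs.
    param([byte[]]$Bytes)
    $seq = Read-DerTlv -Bytes $Bytes -Offset 0
    if ($seq.Tag -ne 0x30) { throw ('Expected SEQUENCE (0x30), got 0x{0:X2}' -f $seq.Tag) }
    $result = @{ DataType = $null; Status = $null; Reserved = $null; Flags = $null }
    $pos = 0
    while ($pos -lt $seq.Value.Length) {
        $field   = Read-DerTlv -Bytes $seq.Value   -Offset $pos   # context tag [1] (0xA1) or [2] (0xA2)
        $content = Read-DerTlv -Bytes $field.Value -Offset 0      # the INTEGER / OCTET STRING inside it
        if ($field.Tag -eq 0xA1) {
            $v = 0
            foreach ($b in $content.Value) { $v = $v * 256 + [int]$b }
            $result.DataType = $v
        } elseif ($field.Tag -eq 0xA2 -and $result.DataType -eq 3 -and $content.Value.Length -ge 12) {
            $result.Status   = [BitConverter]::ToUInt32($content.Value, 0)
            $result.Reserved = [BitConverter]::ToUInt32($content.Value, 4)
            $result.Flags    = [BitConverter]::ToUInt32($content.Value, 8)
        }
        $pos = $field.Next
    }
    return $result
}

# Record data copied from the first Event ID 3 above (KDC_ERR_BADOPTION).
$recordHex   = '30 15 a1 03 02 01 03 a2 0e 04 0c bb 00 00 c0 00 00 00 00 03 00 00 00'
$recordBytes = [byte[]]($recordHex -split ' ' | ForEach-Object { [Convert]::ToByte($_, 16) })

$err = ConvertFrom-KerbErrorData -Bytes $recordBytes
'data-type : {0}'      -f $err.DataType
'status    : 0x{0:X8}' -f $err.Status
'reserved  : {0}'      -f $err.Reserved
'flags     : 0x{0:X8}' -f $err.Flags
```

For the posted bytes the decoder reports data-type 3 and status 0xC00000BB, the same value the event already summarises on its Extended Error line; 0xC00000BB is STATUS_NOT_SUPPORTED. The Error Code lines themselves are the RFC 4120 values (0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN, 0xd KDC_ERR_BADOPTION, 0x34 KRB_ERR_RESPONSE_TOO_BIG); 0x34 on its own is benign, it only tells the client to retry over TCP because the reply did not fit in a UDP datagram, so the first two are the ones worth chasing.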
RE: Kerberos/NTLM Authentication - 24.Sep.2009 12:12:49 PM   
Jason Jones
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Has SharePoint been configured to specifically support Kerberos? It looks like the correct SPN configuration has not been done, hence the KDC_ERR_S_PRINCIPAL_UNKNOWN error.

How is your publishing rule configured?

What do you get if you use the "test rule" button in your publishing rule?

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to eastmarw)
Post #: 2
RE: Kerberos/NTLM Authentication - 24.Sep.2009 1:15:29 PM   
eastmarw
Posts: 50
Joined: 11.Sep.2008
Jason,

The Test Rule completes successfully, with the exception of the "443" error:


Testing URL https://bdoworld-homedev.bdo.com:443/
Category: Published server certificate error
Error details: 0x80090322 - The target principal name is incorrect.
Action: Go to http://go.microsoft.com/fwlink/?LinkId=115965


This error is because we are using a "Wildcard" certificate, and according to M$ it is a bug in ISA. The firewall policy will work on 443.

The rule is configured for Negotiate (Kerberos/NTLM), and is forms based. I can't say for sure that the SharePoint server is set up properly, but in ISA it indicates that in order to use Kerberos for authentication you must have IIS set up to accept Integrated Authentication. I have not done anything with SETSPN to set a Service Principal Name, which might be my whole issue. I have to look into how to do this, as I am not sure if the SPN needs to be the ISA server or the DNS name of the SharePoint server(s).

(in reply to Jason Jones)
Post #: 3
RE: Kerberos/NTLM Authentication - 24.Sep.2009 5:25:36 PM   
Jason Jones
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
There's quite a bit more to Kerberos-enabling SharePoint than making sure IIS is set for Windows auth. Have a look here:

http://technet.microsoft.com/en-us/library/cc263449.aspx

Get this right and I'm sure it will fall into place.

Cheers

JJ


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to eastmarw)
Post #: 4
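Added example, not part of the thread and not Microsoft's procedure: a PowerShell check for the two things the posted events point at, the http/ SPN the KDC did not know and whether the ISA computer account is allowed to delegate at all. On the question raised in post 3: a Kerberos SPN is registered for the name the browser connects to (here bdoworld-homedev.bdo.com, the published name in the KDC_ERR_S_PRINCIPAL_UNKNOWN event) on the account that runs the SharePoint application pool, not on the ISA server; if the pool runs as Network Service that is the SharePoint server's computer account, and with several web front ends behind one name the pool must run as a domain account so the SPN exists exactly once. Names taken from the events: the SPN and BDOWSPISAIFE04. Assumed: the app-pool identity BDO\svc-spapppool, setspn.exe from Windows Server 2008 or later (for -Q and -S) and the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later); the two AD cmdlets in the suggested fix do exactly what the Delegation tab in Active Directory Users and Computers does.

```powershell
$Spn       = 'http/bdoworld-homedev.bdo.com'   # the SPN in the KDC_ERR_S_PRINCIPAL_UNKNOWN event
$IsaServer = 'BDOWSPISAIFE04'                  # the ISA server from the events
$PoolAcct  = 'BDO\svc-spapppool'               # ASSUMED: identity of the SharePoint application pool

Import-Module ActiveDirectory

# 1. Which account, if any, holds the SPN the KDC said it did not know?
#    No holder gives KDC_ERR_S_PRINCIPAL_UNKNOWN; two holders break Kerberos just as well.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName)
switch ($holders.Count) {
    0       { "No account holds $Spn. Register it on the app-pool identity, not on ISA:"
              "    setspn -S $Spn $PoolAcct" }
    1       { "$Spn is held by " + $holders[0].DistinguishedName }
    default { "DUPLICATE SPN: $Spn is on $($holders.Count) accounts:"
              $holders | ForEach-Object { '    ' + $_.DistinguishedName } }
}

# 2. setspn -Q runs the same search forest-wide and reports duplicates
#    (setspn.exe from Windows Server 2008 or later; older builds only have -L <account>).
setspn -Q $Spn

# 3. Behind a forms-based rule ISA never receives the user's TGT, so it can only get a
#    ticket to SharePoint through constrained delegation with protocol transition
#    (S4U2Self + S4U2Proxy). Both are settings on the ISA computer account.
$isa = Get-ADComputer -Identity $IsaServer -Properties msDS-AllowedToDelegateTo, userAccountControl
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000     # userAccountControl bit: "use any authentication protocol"
$protocolTransition = ($isa.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
$targets = @($isa.'msDS-AllowedToDelegateTo')

"Protocol transition on $IsaServer : $protocolTransition"
"Allowed to delegate to          : " + ($targets -join ', ')
if (-not $protocolTransition -or $targets -notcontains $Spn) {
    "Constrained delegation to $Spn is not set up. Same as the Delegation tab in ADUC:"
    "    Set-ADComputer -Identity $IsaServer -Add @{'msDS-AllowedToDelegateTo'='$Spn'}"
    "    Set-ADAccountControl -Identity '$($isa.DistinguishedName)' -TrustedToAuthForDelegation `$true"
}
```

Run it on a domain-joined machine as an account that can read the computer object, and that can write it if you apply the suggested fix. The delegation check matters precisely because the rule is forms based: ISA authenticates the user itself and has no ticket from the browser to forward, so it must ask the KDC for a ticket to the http/ SPN on the user's behalf, and a KDC refuses that S4U request with KDC_ERR_BADOPTION when the account is not trusted to delegate to that SPN. Fixing the SPN alone therefore removes only the first error; the delegation settings decide whether Kerberos delegation can work at all.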
