Kerberos/NTLM Authentication

Kerberos/NTLM Authentication (Full Version)

All Forums >> [ISA 2006 Publishing] >> SharePoint Publishing

Message

eastmarw -> Kerberos/NTLM Authentication (24.Sep.2009 11:38:54 AM)
I have a firewall policy that works as expected with SSO an NTLM but the minute i change it to use Kerberos, it will fail with a 403 error. The Event log states the following Event Type: Error Event Source: Kerberos Event Category: None Event ID: 3 Date: 9/24/2009 Time: 11:26:18 AM User: N/A Computer: BDOWSPISAIFE04 Description: A Kerberos Error Message was received: on logon session Client Time: Server Time: 15:26:18.0000 9/24/2009 Z Error Code: 0xd KDC_ERR_BADOPTION Extended Error: 0xc00000bb KLIN(0) Client Realm: Client Name: Server Realm: BDO.COM Server Name: host/bdowspisaife04.bdo.com Target Name: host/bdowspisaife04.bdo.com@BDO.COM Error Text: File: 9 Line: b22 Error Data is in record data. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Data: 0000: 30 15 a1 03 02 01 03 a2 0.¡....¢ 0008: 0e 04 0c bb 00 00 c0 00 ...»..À. 0010: 00 00 00 03 00 00 00 ....... Another error is: Event Type: Error Event Source: Kerberos Event Category: None Event ID: 3 Date: 9/24/2009 Time: 11:30:06 AM User: N/A Computer: BDOWSPISAIFE04 Description: A Kerberos Error Message was received: on logon session Client Time: Server Time: 15:30:6.0000 9/24/2009 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: Client Realm: Client Name: Server Realm: BDO.COM Server Name: http/bdoworld-homedev.bdo.com Target Name: http/bdoworld-homedev.bdo.com@BDO.COM Error Text: File: 9 Line: b22 Error Data is in record data. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. The other error is: Event Type: Error Event Source: Kerberos Event Category: None Event ID: 3 Date: 9/24/2009 Time: 11:30:06 AM User: N/A Computer: BDOWSPISAIFE04 Description: A Kerberos Error Message was received: on logon session BDO.COM\bdowspisaife04$ Client Time: Server Time: 15:30:6.0000 9/24/2009 Z Error Code: 0x34 KRB_ERR_RESPONSE_TOO_BIG Extended Error: Client Realm: Client Name: Server Realm: bdo Server Name: krbtgt/bdo Target Name: krbtgt/bdo@bdo Error Text: File: e Line: 6c0 Error Data is in record data. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. The Event log for ISA has the following error: Event Type: Error Event Source: Microsoft ISA Server Web Proxy Event Category: None Event ID: 21314 Date: 9/24/2009 Time: 11:30:06 AM User: N/A Computer: BDOWSPISAIFE04 Description: ISA Server tried to delegate credentials, but the Web site does not accept the credentials provided by the authentication delegation scheme configured in the Web publishing rule BDOWorld-Homedev. Verify that the credentials delegation scheme configured in the Web publishing rule matches an authentication protocol enabled on the published Web site. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Anyone have any experience with getting Kerberos to work? The sharepoint application owners indicate that IIS is setup with Integrated authentication already.

Jason Jones -> RE: Kerberos/NTLM Authentication (24.Sep.2009 12:12:49 PM)
Has Sharepoint been confiured to specifically support Keberos? It looks like the correct SPN configuration has not be done, hence the KDC_ERR_S_PRINCIPAL_UNKNOWN error. How is your publishing rule configured? What do you get if you use the "test rule" button in your publishing rule? Cheers JJ

eastmarw -> RE: Kerberos/NTLM Authentication (24.Sep.2009 1:15:29 PM)
Jason, The Test Rule completes successfully with the exception of the "443" error or Testing URL https://bdoworld-homedev.bdo.com:443/ Category: Published server certificate error Error details: 0x80090322 - The target principal name is incorrect. Action: Go to http://go.microsoft.com/fwlink/?LinkId=115965 This error is because we are using a "Wildcard" certificate and according to M$ it is a bug in ISA. The firewall policy will work on 443. The rule is configured for Netotiate (Kerberos/NTLM), and is forms based. I can't say for sure the the Sharepoint server is set up properly but in ISA it indicates that in order to use the Kerberos for authentication you must have IIS setup to accept Integrate Authentication. I have not done anything with the SETSPN to set a Service Princapal Name, which might be my whole issue. I have to look into how to do this as I am not sure if the SPN needs to be the ISA server or the DNS name of the Sharepoint server(s)

Jason Jones -> RE: Kerberos/NTLM Authentication (24.Sep.2009 5:25:36 PM)
There's quite a bit more to Kerberos enable Sharepoint than make sure IIS is set for Windows auth. Have a look here: http://technet.microsoft.com/en-us/library/cc263449.aspx Get this right and I'm sure I will fall into place [;)] Cheers JJ

Page: [1]