Kerberos/NTLM Authentication (Full Version)






eastmarw -> Kerberos/NTLM Authentication (24.Sep.2009 11:38:54 AM)

I have a firewall policy that works as expected with SSO and NTLM, but the minute I change it to use Kerberos, it fails with a 403 error.

The Event log states the following:

Event Type:    Error
Event Source:    Kerberos
Event Category:    None
Event ID:    3
Date:        9/24/2009
Time:        11:26:18 AM
User:        N/A
Computer:    BDOWSPISAIFE04
Description:
A Kerberos Error Message was received:
        on logon session
Client Time:
Server Time: 15:26:18.0000 9/24/2009 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: BDO.COM
Server Name: host/bdowspisaife04.bdo.com
Target Name: host/bdowspisaife04.bdo.com@BDO.COM
Error Text:
File: 9
Line: b22
Error Data is in record data.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 30 15 a1 03 02 01 03 a2   0.....
0008: 0e 04 0c bb 00 00 c0 00   ......
0010: 00 00 00 03 00 00 00      .......

Another error is:

Event Type:    Error
Event Source:    Kerberos
Event Category:    None
Event ID:    3
Date:        9/24/2009
Time:        11:30:06 AM
User:        N/A
Computer:    BDOWSPISAIFE04
Description:
A Kerberos Error Message was received:
        on logon session
Client Time:
Server Time: 15:30:6.0000 9/24/2009 Z
Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error:
Client Realm:
Client Name:
Server Realm: BDO.COM
Server Name: http/bdoworld-homedev.bdo.com
Target Name: http/bdoworld-homedev.bdo.com@BDO.COM
Error Text:
File: 9
Line: b22
Error Data is in record data.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The other error is:

Event Type:    Error
Event Source:    Kerberos
Event Category:    None
Event ID:    3
Date:        9/24/2009
Time:        11:30:06 AM
User:        N/A
Computer:    BDOWSPISAIFE04
Description:
A Kerberos Error Message was received:
        on logon session BDO.COM\bdowspisaife04$
Client Time:
Server Time: 15:30:6.0000 9/24/2009 Z
Error Code: 0x34 KRB_ERR_RESPONSE_TOO_BIG
Extended Error:
Client Realm:
Client Name:
Server Realm: bdo
Server Name: krbtgt/bdo
Target Name: krbtgt/bdo@bdo
Error Text:
File: e
Line: 6c0
Error Data is in record data.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


The Event log for ISA has the following error:

Event Type:    Error
Event Source:    Microsoft ISA Server Web Proxy
Event Category:    None
Event ID:    21314
Date:        9/24/2009
Time:        11:30:06 AM
User:        N/A
Computer:    BDOWSPISAIFE04
Description:
ISA Server tried to delegate credentials, but the Web site does not accept the credentials provided by the authentication delegation scheme configured in the Web publishing rule BDOWorld-Homedev. Verify that the credentials delegation scheme configured in the Web publishing rule matches an authentication protocol enabled on the published Web site.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Anyone have any experience with getting Kerberos to work?  The SharePoint application owners indicate that IIS is already set up with Integrated authentication.
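The hex "Data:" block in the first event above is not noise: it is a DER-encoded KERB-ERROR-DATA structure carrying the extended NTSTATUS that the event summarises as "0xc00000bb". The script below is an added example, not code from this thread or from Microsoft, that decodes that record data and maps the three KRB-ERROR codes the poster saw to their RFC 4120 names. It assumes the layout documented in MS-KILE 2.2.1 (SEQUENCE of a [1] INTEGER data-type and a [2] OCTET STRING data-value, which for data-type 3 holds three little-endian ULONGs: status, reserved, flags); the SAMPLE_DUMP is copied verbatim from the event, and the diagnostic hints are general Kerberos guidance rather than anything the thread states.

```python
"""Decode the record data of a Windows 'Kerberos' Event ID 3 entry.

Added example; not code from this thread. Assumptions (labelled):
  * the 'Data:' block is DER-encoded KERB-ERROR-DATA (MS-KILE 2.2.1):
      SEQUENCE { data-type [1] INTEGER, data-value [2] OCTET STRING OPTIONAL }
  * when data-type == 3 the data-value is KERB_EXT_ERROR: three little-endian
    ULONGs (NTSTATUS status, reserved, flags).
"""
import re
import struct
from dataclasses import dataclass
from typing import Optional

# The 'Data:' block of the first event in the thread, copied verbatim.
SAMPLE_DUMP = """\
0000: 30 15 a1 03 02 01 03 a2   0.....
0008: 0e 04 0c bb 00 00 c0 00   ......
0010: 00 00 00 03 00 00 00      .......
"""

# KRB-ERROR codes seen in the thread, named as in RFC 4120 section 7.5.9.
KRB_ERROR_NAMES = {
    0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    0x0D: "KDC_ERR_BADOPTION",
    0x34: "KRB_ERR_RESPONSE_TOO_BIG",
}

# Diagnostic hints: general Kerberos guidance, not statements from the thread.
HINTS = {
    0x07: "no account in the realm holds the requested SPN; check 'setspn -Q <spn>'",
    0x0D: "the KDC refused a ticket option; with delegation this usually means the "
          "delegating account is not permitted to delegate to the requested SPN",
    0x34: "reply too large for UDP; the client retries over TCP, so this is "
          "normally benign on its own (RFC 4120 section 7.2.1)",
}

NTSTATUS_NAMES = {0xC00000BB: "STATUS_NOT_SUPPORTED"}


@dataclass
class ExtError:
    data_type: Optional[int]
    status: Optional[int]    # NTSTATUS from KERB_EXT_ERROR, if present
    reserved: Optional[int]
    flags: Optional[int]


def _der_tlv(buf, pos):
    """Return (tag, value, next_pos) for a short-form DER TLV at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form DER length not expected in KERB-ERROR-DATA")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def hexdump_to_bytes(hexdump: str) -> bytes:
    """Turn an Event Viewer 'Data:' block (offset, up to 8 bytes, ASCII gutter) into bytes."""
    raw = bytearray()
    for line in hexdump.strip().splitlines():
        fields = line.split()
        for tok in fields[1:9]:           # skip the 'NNNN:' offset; stop at the gutter
            if re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                raw.append(int(tok, 16))
            else:
                break
    return bytes(raw)


def parse_record_data(hexdump: str) -> ExtError:
    """Parse KERB-ERROR-DATA; fills status/reserved/flags only for data-type 3."""
    raw = hexdump_to_bytes(hexdump)
    tag, seq, _ = _der_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("record data does not start with a DER SEQUENCE")
    data_type, value, pos = None, None, 0
    while pos < len(seq):
        tag, val, pos = _der_tlv(seq, pos)
        if tag == 0xA1:                   # [1] data-type, wrapping an INTEGER
            _, ival, _ = _der_tlv(val, 0)
            data_type = int.from_bytes(ival, "big", signed=True)
        elif tag == 0xA2:                 # [2] data-value, wrapping an OCTET STRING
            _, value, _ = _der_tlv(val, 0)
    if data_type == 3 and value is not None and len(value) >= 12:
        status, reserved, flags = struct.unpack("<III", value[:12])
        return ExtError(data_type, status, reserved, flags)
    return ExtError(data_type, None, None, None)


def describe_event(error_code: int, ext: Optional[ExtError] = None) -> str:
    """One-line triage summary for a Kerberos Event ID 3 error code."""
    name = KRB_ERROR_NAMES.get(error_code, "unknown KRB-ERROR code")
    text = f"0x{error_code:x} {name}: {HINTS.get(error_code, 'no hint')}"
    if ext is not None and ext.status is not None:
        text += (f"; extended error 0x{ext.status:08x} "
                 f"{NTSTATUS_NAMES.get(ext.status, 'unknown NTSTATUS')}, flags=0x{ext.flags:x}")
    return text


if __name__ == "__main__":
    ext = parse_record_data(SAMPLE_DUMP)
    print(describe_event(0x0D, ext))      # the KDC_ERR_BADOPTION event carrying the dump
    print(describe_event(0x07))
    print(describe_event(0x34))
```

Running it against the dump from the first event yields data-type 3 with status 0xc00000bb, which is exactly the "Extended Error" value the event prints in its summary; the decoder is useful when the summary line is blank but the record data is not.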




Jason Jones -> RE: Kerberos/NTLM Authentication (24.Sep.2009 12:12:49 PM)

Has SharePoint been configured to specifically support Kerberos? It looks like the correct SPN configuration has not been done, hence the KDC_ERR_S_PRINCIPAL_UNKNOWN error.

How is your publishing rule configured?

What do you get if you use the "test rule" button in your publishing rule?

Cheers

JJ




eastmarw -> RE: Kerberos/NTLM Authentication (24.Sep.2009 1:15:29 PM)

Jason,

The Test Rule completes successfully with the exception of the "443" error, or:


Testing URL https://bdoworld-homedev.bdo.com:443/
Category: Published server certificate error
Error details: 0x80090322 - The target principal name is incorrect.
Action: Go to http://go.microsoft.com/fwlink/?LinkId=115965


This error is because we are using a "Wildcard" certificate and according to M$ it is a bug in ISA.  The firewall policy will work on 443.

The rule is configured for Negotiate (Kerberos/NTLM), and is forms based.  I can't say for sure that the SharePoint server is set up properly, but in ISA it indicates that in order to use Kerberos for authentication you must have IIS set up to accept Integrated Authentication.  I have not done anything with SETSPN to set a Service Principal Name, which might be my whole issue.  I have to look into how to do this, as I am not sure if the SPN needs to be the ISA server or the DNS name of the SharePoint server(s).




Jason Jones -> RE: Kerberos/NTLM Authentication (24.Sep.2009 5:25:36 PM)

There's quite a bit more to Kerberos-enabling SharePoint than making sure IIS is set for Windows auth. Have a look here:

http://technet.microsoft.com/en-us/library/cc263449.aspx

Get this right and I'm sure it will fall into place [;)]

Cheers

JJ



