Hi Carlos

As I said, I'm just starting to look at Kerberos delegation, so take everything I say with a large pinch of salt. :-)

Anyway, here's the logic I was following. If I've understood it correctly, you want the server hosting SharePoint to authenticate to the ISA server as the end user. Assuming you want to use constrained delegation (which is normal) then you need to specify the ISA Server somewhere in the configuration, because you are limiting (constraining) the scope of the delegation to the ISA Server. If you look at the Delegation tab of an object in ADUC, you will see the section labeled "Services to which this account can present delegated credentials:". It would seem logical to me to have to specify the ISA here. Now whether you need to configure this setting in ADUC on the account being used for the identity of the application pool, or the SharePoint server itself, I don't know.

Cheers
Tony

PS. See you next week :-)
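As an added example (not code from Tony, Carlos or the list), a PowerShell check of the chain Tony describes: the app-pool identity must hold the SPN browsers request, the ISA service SPN must be registered on exactly one account, and that SPN must appear in the account's msDS-AllowedToDelegateTo list (the ADUC "Services to which this account can present delegated credentials" list). It assumes the ActiveDirectory PowerShell module (newer than the 2003-era tools in the thread), and the account and host names are placeholders, not values from the thread.

```powershell
# Added example: audit the constrained-delegation path SharePoint -> ISA.
# Assumes the ActiveDirectory module; all names below are placeholders.
Import-Module ActiveDirectory

function Test-ConstrainedDelegationPath {
    param(
        [Parameter(Mandatory)] [string] $FrontEndAccount,  # sAMAccountName of the app-pool identity (or computer$)
        [Parameter(Mandatory)] [string] $FrontEndSpn,      # SPN browsers use, e.g. HTTP/sharepoint.corp.example
        [Parameter(Mandatory)] [string] $BackEndSpn        # SPN of the delegation target, e.g. HTTP/isa.corp.example
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # 1. The front-end identity must hold the SPN the client asks a ticket for;
    #    otherwise the client falls back to NTLM and there is nothing to delegate.
    $frontEnd = Get-ADObject -LDAPFilter "(sAMAccountName=$FrontEndAccount)" `
        -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', userAccountControl
    if (-not $frontEnd) {
        return [pscustomobject]@{ Ok = $false; Problems = @("account $FrontEndAccount not found") }
    }
    if ($frontEnd.servicePrincipalName -notcontains $FrontEndSpn) {
        $problems.Add("$FrontEndSpn is not registered on $FrontEndAccount (setspn -S $FrontEndSpn $FrontEndAccount)")
    }

    # 2. The back-end SPN must exist on exactly one account: missing means the front end
    #    cannot obtain a service ticket for the ISA; a duplicate makes the KDC refuse it.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$BackEndSpn)")
    if ($owners.Count -ne 1) {
        $problems.Add("$BackEndSpn is registered on $($owners.Count) accounts; expected exactly 1")
    }

    # 3. Constrained delegation lives in msDS-AllowedToDelegateTo on the front-end account;
    #    this is the "Services to which this account can present delegated credentials" list.
    if ($frontEnd.'msDS-AllowedToDelegateTo' -notcontains $BackEndSpn) {
        $problems.Add("$FrontEndAccount is not allowed to delegate to $BackEndSpn")
    }

    # 4. Flag unconstrained delegation (userAccountControl bit 0x80000): it would also
    #    "work", but it hands every visiting user's TGT to the web server.
    if ($frontEnd.userAccountControl -band 0x80000) {
        $problems.Add("$FrontEndAccount is trusted for unconstrained delegation; use the constrained list instead")
    }

    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Example call with placeholder names (not from the thread):
Test-ConstrainedDelegationPath -FrontEndAccount 'svc-sharepoint' `
    -FrontEndSpn 'HTTP/sharepoint.corp.example' -BackEndSpn 'HTTP/isa.corp.example'
```

Run it on the app-pool account first and, if the pool runs as Network Service, again with the SharePoint computer account (name$), since that is the identity the KDC sees.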
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carlos Magalhaes
Sent: Wednesday, 21 September 2005 1:38 a.m.
To: [email protected]
Subject: RE: [ActiveDir] Kerberos Delegation

Hey Tony,

Well, can you explain "but wouldn't you also need an SPN for the web service on the ISA Server?" I don't understand why; the ISA server is the server that needs the authentication to allow the web server to browse the internet.

I have a SharePoint site. It has an RSS feed web part, and this web part is requesting an RSS feed, for example http://www.dirteam.com/blogs/carlos/default.aspx. Now I monitor on the ISA 2004 server and I see the web server trying to access the internet with the user specified = Anonymous. The delegation is so that the user viewing the SharePoint site (hence calling the RSS web part) will be the user credentials passed to the ISA server to be able to browse the internet. That's why I don't see why we need to register an SPN for the ISA server?

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray

Hi Carlos

I'm just starting to look at Kerberos delegation for something myself, but wouldn't you also need an SPN for the web service on the ISA Server? And then specify that service in the delegation tab on the user object?

Cheers
Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carlos Magalhaes

Hey all,

Ok, late at night here and I've hit a mental block (don't laugh, Dean). I have set this up like a gazillion times but this time can't get it to work.

Environment:
Windows 2003 Native Forest Mode
All clients Windows XP SP2 and above
Single forest, single domain setup
Web Server: Windows Server 2003 Web Edition
SharePoint Team Services installed.

That site has a web part that requires Kerb delegation for access to an ISA firewall in order to stream RSS feeds. I can see on the ISA server that whenever any user hits the site the HTTP request is sent as ANONYMOUS.

So what I have done:
a. Purged all tickets as well.

Still get Anonymous access on the ISA box, and using some normal .NET code can see that it's not delegating the creds correctly. Can anyone see what I am doing wrong or what I should be doing?

Carlos

This e-mail message has been scanned for Viruses and Content and cleared by NetIQ MailMarshal at Gen-i
