By default, the IIS app pool and (I believe) SharePoint both run under Network Service. Therefore, when SharePoint makes the request outbound, it will be making it within the context of the NetworkService account, which means it's going to present the server's domain credentials.

-------- From: [EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Wednesday, September 21, 2005 11:45 PM
To: [email protected]
Subject: RE: [ActiveDir] Kerberos Delegation

Could I ask why he'd need to do that?

Cheers
Ken

-------- From: [EMAIL PROTECTED] On Behalf Of Roger Seielstad

So have you granted domain\IISServer$ access through ISA?

-------- From: [EMAIL PROTECTED] On Behalf Of Carlos Magalhaes

Well I have some screen shots for you of AuthDiag and of wfetch; if you don't mind I can send them to you offline.

This is the weird part: if I use wfetch to connect using Anonymous as authentication I get the web page requested. If I specify any other auth type, i.e. NTLM or Kerberos, I get an ISA server page telling me I am not authorized to view this page.

With an anonymous connection I get:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

With a specified auth type I don't get any of that (the screen shots explain). AuthDiag still only reports Test Authentication NTLM, NO Kerberos.

I still have a copy of the old Metabase.xml to prove that it was storing the incorrect settings when IIS MMC was showing something else…..

Let me know if I can ping the screen shots to you.

Thanks Ken, am I going to get to see you at

-------- From: [EMAIL PROTECTED] On Behalf Of Ken Schaefer

Odd. If you use WFetch (it's in the IIS6 Res Kit) or just plain telnet, and request a page, what WWW-Authenticate headers are coming back? You should see:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

(basically the webserver sends back a list of the auth mechanisms it supports, and the browser picks the first one in the list that it supports). If you are only seeing the NTLM option, then something's up with IIS or SharePoint. If you are seeing both, then AuthDiag is lying to you.

Cheers
Ken

-------- From: [EMAIL PROTECTED] On Behalf Of Carlos Magalhaes

Yeah, I'm not sure about that either; at the moment IIS is REALLY ACTING WEIRD. KEN where are you :P

I had the SharePoint website in the IIS MMC specify SPSAppPool (which was an App pool I created); when I checked the MetaBase.XML file (you know I love looking at the guts of systems :) ) it was still specifying DefaultAppPool (and I mean I had rebooted the server a few times).

Also DO NOT RUN:

Cscript adsutil.vbs set w3svc/1/ntauthenticationproviders "Negotiate,NTLM"
Iisreset

I know it seems logical, but I KEPT the quotations in there and what it ended up doing was:

""Negotiate,NTLM""

***Note the double quotes. And all auth was being defaulted to Anonymous (thank heavens for a network sniffer :) )

Even though I fixed these issues and I have made sure my Metabase.xml file is correct with "Negotiate,NTLM" and with the correct App Pool with the correct user etc., when I run AuthDiag the only "Test Authentication" option I get is NTLM; the Server Settings node though specifies "Negotiate,NTLM" for that Site.

When I check my ISA server I STILL see User – Anonymous, so I am a bit stumped at the moment !!!

YEAH it's going to be sooooo cool to meet up with you guys in C
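As an added example, not code from the thread or from any of its posters, the two checks in the messages above turned into a script: it parses the WWW-Authenticate headers out of a captured HTTP 401 response the way Ken describes (telnet or WFetch output pasted in), classifies whether the site offers Negotiate and NTLM, NTLM only, or no challenge at all, and separately validates an NTAuthenticationProviders string for the embedded-quote problem Carlos hit with adsutil.vbs. The HTTP responses are constructed samples modelled on an IIS 6 reply, and the only provider names it knows are the two the thread uses.

```python
from __future__ import annotations
import re

# Heuristic: a bare scheme name is one token with no '=' or quote characters.
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*$")

# Constructed sample responses (not captured from the thread), shaped like an
# IIS 6 site's reply with both providers, with NTLM only, and with anonymous
# access answering the request outright.
RESPONSE_BOTH = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"WWW-Authenticate: Negotiate\r\n"
    b"WWW-Authenticate: NTLM\r\n"
    b"Content-Length: 0\r\n\r\n"
)
RESPONSE_NTLM_ONLY = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"WWW-Authenticate: NTLM\r\n"
    b"Content-Length: 0\r\n\r\n"
)
RESPONSE_ANON = b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nContent-Length: 0\r\n\r\n"


def parse_www_authenticate(raw_response: bytes) -> list[str]:
    """Return the auth schemes advertised in the response's WWW-Authenticate
    headers, in the order the server listed them (that order matters: the
    client picks the first one it supports)."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    schemes: list[str] = []
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "www-authenticate":
            continue
        # IIS emits one header per scheme; other servers may pack several
        # challenges into one header separated by commas. Take the first token
        # of each part and keep only bare scheme names (parameters such as
        # realm="a, b" are dropped by the heuristic above).
        for part in value.split(","):
            token = part.strip().split(None, 1)[0] if part.strip() else ""
            if token and _SCHEME.match(token):
                schemes.append(token)
    return schemes


def diagnose(schemes: list[str]) -> str:
    """Map the advertised schemes to the cases discussed in the thread."""
    offered = {s.lower() for s in schemes}
    if "negotiate" in offered:
        return "negotiate+ntlm" if "ntlm" in offered else "negotiate-only"
    if "ntlm" in offered:
        return "ntlm-only"          # IIS is not offering Negotiate, so no Kerberos
    if not offered:
        return "no-challenge"       # anonymous access answered the request
    return "other"


_CANONICAL = {"negotiate": "Negotiate", "ntlm": "NTLM"}


def validate_ntauth_providers(value: str) -> tuple[bool, str]:
    """Check an NTAuthenticationProviders value as stored in the metabase."""
    if '"' in value or "'" in value:
        # The literal-quote case: the shell quoting was stored as part of the value.
        return False, "value contains quote characters; the shell quoting was stored literally"
    tokens = [t.strip() for t in value.split(",")]
    if any(not t for t in tokens):
        return False, "empty entry in provider list"
    unknown = [t for t in tokens if t.lower() not in _CANONICAL]
    if unknown:
        return False, "unknown provider(s): " + ", ".join(unknown)
    if "negotiate" not in {t.lower() for t in tokens}:
        return False, "Negotiate absent; IIS will only offer NTLM, so Kerberos cannot be used"
    return True, "ok"


if __name__ == "__main__":
    for label, raw in (("both", RESPONSE_BOTH), ("ntlm only", RESPONSE_NTLM_ONLY), ("anonymous", RESPONSE_ANON)):
        schemes = parse_www_authenticate(raw)
        print(f"{label:10s} advertised={schemes} -> {diagnose(schemes)}")
    for value in ("Negotiate,NTLM", '"Negotiate,NTLM"', "NTLM"):
        print(repr(value), validate_ntauth_providers(value))
```

To use it against a real site, paste the raw response a telnet or WFetch session shows into `parse_www_authenticate` as bytes; a result of `ntlm-only` points at the metabase value rather than at AuthDiag, which is the distinction Ken draws.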
-------- From: [EMAIL PROTECTED] On Behalf Of Tony Murray

Hi Carlos

As I said, I'm just starting to look at Kerberos delegation, so take everything I say with a large pinch of salt. :-)

Anyway, here's the logic I was following. If I've understood it correctly, you want the server hosting SharePoint to authenticate to the ISA server as the end user. Assuming you want to use constrained delegation (which is normal), then you need to specify the ISA Server somewhere in the configuration, because you are limiting (constraining) the scope of the delegation to the ISA Server. If you look at the Delegation tab of an object in ADUC, you will see the section labeled "Services to which this account can present delegated credentials:". It would seem logical to me to have to specify the ISA here. Now whether you need to configure this setting in ADUC on the account being used for the identity of the application pool, or the SharePoint server itself, I don't know.

Cheers
Tony

PS. See you next week :-)
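An added example, not code from the thread or from any poster, that models the Delegation tab settings Tony describes through the AD attributes behind them (the "Services to which this account can present delegated credentials" list is msDS-AllowedToDelegateTo, and the tab's radio buttons set delegation bits in userAccountControl) and evaluates them for the account that actually delegates: the application pool identity, or the web server's computer account when the pool runs as Network Service, as the top of the thread notes. It also covers the SPN question in the messages below, since the client can only reach IIS with Kerberos if HTTP/<fqdn> is registered on that same account. The host names, the proxy SPN and the account objects are constructed samples; the flag values are the documented AD constants, not values from the thread.

```python
from __future__ import annotations

# userAccountControl bits that govern delegation (documented AD flag values).
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained ("any service")
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained, "use any authentication protocol"

# Constructed samples: names, SPNs and attribute sets are assumptions for the
# example, not taken from the thread.
WEB_FQDN = "sps.example.test"
PROXY_SPN = "HTTP/isa.example.test"   # assumed SPN for the ISA web proxy listener

BROKEN = {  # domain user set as the SPSAppPool identity and nothing else done
    "sAMAccountName": "svc-spsapppool",
    "userAccountControl": 0x10200,    # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    "servicePrincipalName": [],
    "msDS-AllowedToDelegateTo": [],
}
FIXED = {  # same account after the SPN and constrained delegation are set
    "sAMAccountName": "svc-spsapppool",
    "userAccountControl": 0x10200 | TRUSTED_TO_AUTH_FOR_DELEGATION,
    "servicePrincipalName": ["HTTP/sps.example.test", "HTTP/sps"],
    "msDS-AllowedToDelegateTo": ["HTTP/isa.example.test"],
}


def delegation_mode(account: dict) -> str:
    """Classify the setting the ADUC Delegation tab would show for this object."""
    uac = int(account.get("userAccountControl", 0))
    targets = account.get("msDS-AllowedToDelegateTo", [])
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained-any-protocol"   # protocol transition enabled
        return "constrained-kerberos-only"
    return "none"


def has_http_spn(account: dict, web_fqdn: str) -> bool:
    """Kerberos to the web site needs HTTP/<fqdn> on the account the app pool
    runs as; a computer account's HOST/<fqdn> SPN covers HTTP as well."""
    spns = {s.lower() for s in account.get("servicePrincipalName", [])}
    return f"http/{web_fqdn}".lower() in spns or f"host/{web_fqdn}".lower() in spns


def assess(account: dict, web_fqdn: str, proxy_spn: str, front_end_auth: str) -> list[str]:
    """Return the findings that would stop the end user's identity reaching the
    proxy; front_end_auth is how the browser authenticated to IIS."""
    findings: list[str] = []
    if not has_http_spn(account, web_fqdn):
        findings.append("missing-http-spn")
    mode = delegation_mode(account)
    if mode == "none":
        findings.append("no-delegation")
    elif mode.startswith("constrained"):
        allowed = {t.lower() for t in account["msDS-AllowedToDelegateTo"]}
        if proxy_spn.lower() not in allowed:
            findings.append("proxy-spn-not-in-allowed-list")
    # Without protocol transition the client must have reached IIS with
    # Kerberos; an NTLM front end leaves nothing to delegate, which is how the
    # request turns up anonymous at the proxy.
    if front_end_auth.lower() != "kerberos" and mode != "constrained-any-protocol":
        findings.append("front-end-not-kerberos")
    return findings


if __name__ == "__main__":
    print("broken:", assess(BROKEN, WEB_FQDN, PROXY_SPN, "ntlm"))
    print("fixed: ", assess(FIXED, WEB_FQDN, PROXY_SPN, "kerberos"))
```

The account dictionaries mirror what an LDAP query of the object returns; in practice the values would come from the pool identity's user object or, for Network Service, from the web server's computer object, and the proxy SPN would be whatever the ISA listener registered.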
-------- From: [EMAIL PROTECTED] On Behalf Of Carlos Magalhaes

Hey Tony,

Well can you explain "but wouldn't you also need an SPN for the web service on the ISA Server?" I don't understand why; the ISA server is the server that is needing the authentication to allow the web server to browse the internet.

I have a SharePoint site; it has an RSS feed web part, and this web part is requesting an RSS feed, for example http://www.dirteam.com/blogs/carlos/default.aspx. Now I monitor on the ISA 2004 server and I see the web server trying to access the internet, and the user specified = Anonymous. The delegation is so that the user viewing the SharePoint site (hence calling the RSS web part) will be the user credentials passed to the ISA server to be able to browse the internet.

That's why I don't see why we need to register an SPN for the ISA server?

Thanks

-------- From: [EMAIL PROTECTED] On Behalf Of Tony Murray

Hi Carlos

I'm just starting to look at Kerberos delegation for something myself, but wouldn't you also need an SPN for the web service on the ISA Server? And then specify that service in the delegation tab on the user object?

Cheers
Tony

-------- From: [EMAIL PROTECTED] On Behalf Of Carlos Magalhaes

Hey all,

Ok, late at night here and I've hit a mental block (don't laugh Dean). I have set this up like a gazillion times but this time can't get it to work.

Environment:
Windows 2003 Native Forest Mode – All clients Windows XP SP2 and above
Single forest, single domain setup
Web Server – Windows Server 2003 Web Edition
SharePoint Team Services installed.

That site has a web part that requires Kerb delegation for access to an ISA firewall in order to stream RSS feeds. I can see on the ISA server that whenever any user hits the site the HTTP request is sent as ANONYMOUS.

So what I have done:
a. Purged all tickets as well.

Still get Anonymous access on the ISA box, and using some normal .NET code can see that it's not delegating the creds correctly. Can anyone see what I am doing wrong or what I should be doing?
