Odd. If you use WFetch (it's in the IIS6 Res Kit) or just plain telnet, and request a page, what WWW-Authenticate headers are coming back? You should see:

    WWW-Authenticate: Negotiate
    WWW-Authenticate: NTLM

(basically the webserver sends back a list of the auth mechanisms it supports, and the browser picks the first one in the list that it supports). If you are only seeing the NTLM option, then something's up with IIS or SharePoint. If you are seeing both, then AuthDiag is lying to you.

Cheers
Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carlos Magalhaes

Yeah, I'm not sure about that either; at the moment IIS is REALLY ACTING WEIRD. KEN, where are you :P

I had the SharePoint website in the IIS MMC specify SPSAppPool (which was an app pool I created); when I checked the MetaBase.XML file (you know I love looking at the guts of systems :) ) it was still specifying DefaultAppPool (and I mean I had rebooted the server a few times).

Also, DO NOT RUN:

    Cscript adsutil.vbs set w3svc/1/ntauthenticationproviders "Negotiate,NTLM"
    Iisreset

I know it seems logical, but I KEPT the quotations in there and what it ended up doing was:

    ""Negotiate,NTLM""

***Note the double quotes. And all auth was being defaulted to Anonymous (thank heavens for a network sniffer :) ).

Even though I fixed these issues and I have made sure my Metabase.xml file is correct with "Negotiate,NTLM" and with the correct app pool with the correct user etc., when I run AuthDiag the only "Test Authentication" option I get is NTLM; the Server Settings node, though, specifies "Negotiate,NTLM" for that site. When I check my ISA server I STILL see User - Anonymous, so I am a bit stumped at the moment!!!

YEAH, it's going to be sooooo cool to meet up with you guys in C

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray

Hi Carlos,

As I said, I'm just starting to look at Kerberos delegation, so take everything I say with a large pinch of salt. :-)

Anyway, here's the logic I was following. If I've understood it correctly, you want the server hosting SharePoint to authenticate to the ISA server as the end user. Assuming you want to use constrained delegation (which is normal) then you need to specify the ISA Server somewhere in the configuration, because you are limiting (constraining) the scope of the delegation to the ISA Server. If you look at the Delegation tab of an object in ADUC, you will see the section labeled "Services to which this account can present delegated credentials:". It would seem logical to me to have to specify the ISA here. Now whether you need to configure this setting in ADUC on the account being used for the identity of the application pool, or the SharePoint server itself, I don't know.

Cheers
Tony

PS. See you next week :-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carlos Magalhaes

Hey Tony,

Well, can you explain "but wouldn't you also need an SPN for the web service on the ISA Server?" I don't understand why; the ISA server is the server that is needing the authentication to allow the web server to browse the internet.

I have a SharePoint site; it has an RSS feed web part, and this web part is requesting an RSS feed, for example http://www.dirteam.com/blogs/carlos/default.aspx. Now I monitor on the ISA 2004 server and I see the web server trying to access the internet with the user specified = Anonymous. The delegation is so that the user viewing the SharePoint site (hence calling the RSS web part) will be the user credentials passed to the ISA server to be able to browse the internet. That's why I don't see why we need to register an SPN for the ISA server?

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray

Hi Carlos,

I'm just starting to look at Kerberos delegation for something myself, but wouldn't you also need an SPN for the web service on the ISA Server? And then specify that service in the delegation tab on the user object?

Cheers
Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carlos Magalhaes

Hey all,

Ok, late at night here and I've hit a mental block (don't laugh Dean). I have set this up like a gazillion times but this time can't get it to work.

Environment:
- Windows 2003 Native Forest Mode - all clients Windows XP SP2 and above
- Single forest, single domain setup
- Web Server - Windows Server 2003 Web Edition, SharePoint Team Services installed

That site has a web part that requires Kerb delegation for access to an ISA firewall in order to stream RSS feeds. I can see on the ISA server that whenever any user hits the site the HTTP request is sent as ANONYMOUS.

So what I have done:
a. Purged all tickets as well.

Still get Anonymous access on the ISA box, and using some normal .NET code can see that it's not delegating the creds correctly. Can anyone see what I am doing wrong or what I should be doing?
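The two checks that come up in the thread, Ken's "request a page with WFetch or telnet and look at the WWW-Authenticate headers that come back" and Carlos's look at the NTAuthenticationProviders value in MetaBase.XML, as an added Python example that is not part of the thread and not anyone's posted code. It sends the same bare unauthenticated GET a telnet session would, lists the challenge schemes in the order the server offered them, and separately reads an IIS 6 metabase fragment so the configured provider string (including the stray literal quotes Carlos hit) can be compared with what is actually sent on the wire. The sample responses, the metabase fragment, the site Location "/LM/W3SVC/1" and the host name in the usage comment are all constructed for the example.

```python
"""Compare the auth schemes an IIS site offers with its metabase setting."""
import re
import socket
import xml.etree.ElementTree as ET

# Constructed sample responses (not captured from the poster's server).
RESP_NEGOTIATE_AND_NTLM = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Content-Length: 0\r\n"
    b"WWW-Authenticate: Negotiate\r\n"
    b"WWW-Authenticate: NTLM\r\n"
    b"Server: Microsoft-IIS/6.0\r\n\r\n"
)
RESP_NTLM_ONLY = b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: NTLM\r\n\r\n"
RESP_ANONYMOUS = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

# Splits a header value on the commas that separate challenges ("Negotiate, NTLM")
# but not on commas inside a parameter such as realm="a,b".
_CHALLENGE_SPLIT = re.compile(r",(?=\s*[A-Za-z][A-Za-z0-9._~+/-]*(?:\s|$))")


def parse_www_authenticate(raw: bytes) -> list[str]:
    """Return the auth scheme names offered, in the order the server sent them."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    schemes = []
    for line in head.split("\r\n")[1:]:          # [0] is the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        for challenge in _CHALLENGE_SPLIT.split(value):
            token = challenge.strip().split(None, 1)
            if token:                            # scheme is the first token
                schemes.append(token[0])
    return schemes


def diagnose(schemes: list[str]) -> str:
    """Classify the challenge the way the troubleshooting in the thread does."""
    lowered = [s.lower() for s in schemes]
    if "negotiate" in lowered:
        return "negotiate-offered"   # Kerberos possible; the client picks the first scheme it supports
    if "ntlm" in lowered:
        return "ntlm-only"           # Negotiate missing: look at NTAuthenticationProviders
    if not lowered:
        return "no-challenge"        # the request went through anonymously
    return "other"


# Constructed IIS 6 MetaBase.XML fragment reproducing the two problems from the thread:
# the provider list still wrapped in literal quotes, and the site root on DefaultAppPool.
METABASE_SAMPLE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProp>
<IIsWebServer Location="/LM/W3SVC/1" NTAuthenticationProviders="&quot;Negotiate,NTLM&quot;" ServerComment="SharePoint"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AppPoolId="DefaultAppPool" Path="C:\\Inetpub\\wwwroot"/>
</MBProp>
</configuration>"""


def metabase_attr(xml_text: str, location: str, attr: str):
    """Return one attribute of the metabase node at the given Location, or None."""
    for node in ET.fromstring(xml_text).iter():
        if node.get("Location") == location:
            return node.get(attr)
    return None


def validate_providers(value) -> list[str]:
    """List the problems with an NTAuthenticationProviders value (empty list if fine)."""
    if value is None:
        return ["not set at this node (value is inherited from the parent)"]
    problems = []
    if '"' in value:
        problems.append("literal quote characters in the value (shell quoting was kept)")
    names = [p.strip() for p in value.replace('"', "").split(",") if p.strip()]
    if not names:
        problems.append("empty provider list")
    for n in names:
        if n.lower() not in ("negotiate", "ntlm"):
            problems.append(f"unknown provider {n!r}")
    if names and names[0].lower() != "negotiate":
        problems.append(f"Negotiate is not first, so a client offered {names[0]} first will use it")
    return problems


def probe(host: str, port: int = 80, path: str = "/") -> bytes:
    """Send a bare unauthenticated GET (what telnet/WFetch does) and return the raw response."""
    req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(req)
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    for label, raw in (("negotiate+ntlm", RESP_NEGOTIATE_AND_NTLM),
                       ("ntlm only", RESP_NTLM_ONLY), ("anonymous", RESP_ANONYMOUS)):
        schemes = parse_www_authenticate(raw)
        print(f"{label:15} {schemes} -> {diagnose(schemes)}")
    value = metabase_attr(METABASE_SAMPLE, "/LM/W3SVC/1", "NTAuthenticationProviders")
    print("metabase value:", value, validate_providers(value))
    print("app pool for site root:", metabase_attr(METABASE_SAMPLE, "/LM/W3SVC/1/ROOT", "AppPoolId"))
    # Against a live box (host name is an assumption):
    # print(diagnose(parse_www_authenticate(probe("sharepoint.example.com"))))
```

The wire check and the metabase check are kept separate on purpose: AuthDiag reads configuration, while the browser only sees the headers, so when the two disagree the raw response is the one to trust, as Ken says. Point `metabase_attr` at a copy of the server's MetaBase.XML (the live file is locked by IIS) and at the Location of the site in question; a value that carries embedded quotes or lists an unknown provider will never yield a Negotiate challenge.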
- RE: [ActiveDir] Kerberos Delegation Ken Schaefer
- RE: [ActiveDir] Kerberos Delegation Carlos Magalhaes
- RE: [ActiveDir] Kerberos Delegation Roger Seielstad
- RE: [ActiveDir] Kerberos Delegation Roger Seielstad
- RE: [ActiveDir] Kerberos Delegation Ken Schaefer
- RE: [ActiveDir] Kerberos Delegation Roger Seielstad
- RE: [ActiveDir] Kerberos Delegation Brian Desmond
- RE: [ActiveDir] Kerberos Delegation Carlos Magalhaes
- RE: [ActiveDir] Kerberos Delegation Roger Seielstad
- RE: [ActiveDir] Kerberos Delegation Carlos Magalhaes
- RE: [ActiveDir] Kerberos Delegation Carlos Magalhaes