Speaking of being here next week - keep me informed on the
activities...
-------- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes Sent: Wednesday, September 21, 2005 5:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Delegation Yeah Im not sure about
that either at the moment IIS is REALLY ACTING WEIRD, KEN where are you :P -
. I had the Share Point
website in the IIS MMC specify SPSAppPool (which was a App pool I created) when
I checked the MetaBase.XML file ( you know I love looking at the guts of
systemsJ ) it was still
specifying DefaultAppPool (and I mean I had rebooted the server a few times)
also DO NOT RUN: Cscript adsutil.vbs
set w3svc/1/ntauthenticationproviders “Negotiate,NTLM” Iisreset I know it seems logical
but I KEPT the quotations in there and what it ended up doing was:
““Negotiate,NTLM””
***Note the double quotes And all auth was being
defaulted to Anonymous (thank heavens for a network sniffer J
) Even though I fixed
these issues and I have made sure my Metabase.xml file is correct with
“Negotiate,NTLM” and with the correct App Pool with the correct user etc,
when I run AuthDiag the only “Test Authentication” option I get is NTLM,
the Server Settings Node though specifies “Negotiate,NTLM” for that Site.
When I check my ISA
server I STILL see User – Anonymous so I am a bit stumped at the moment
!!! YEAH it going to be
sooooo cool to meet up with you guys in Redmond next week J C From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Tony
Murray Hi
Carlos As I said, I'm just
starting to look at Kerberos delegation, so take everything I say with a large
pinch of salt. :-) Anyway, here's the
logic I was following. If I've understood it
correctly, you want the server hosting SharePoint to authenticate to the ISA
server as the end user. Assuming you want to use constrained delegation
(which is normal) then you need to specify the ISA Server somewhere in the
configuration, because you are limiting (constraining) the scope of the
delegation to the ISA Server. If you look at the Delegation tab of an
object in ADUC, you will see the section labeled "Services to which this account
can present delegated credentials:" It would seem logical to me to have to
specify the ISA here. Now whether you need to do configure this setting in
ADUC on the account being used for the identity of the application pool, or the
SharePoint server itself I don't know. Cheers Tony PS. See you next
week :-) From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Carlos
Magalhaes Hey
Tony, Well can you explain
“but wouldn't you also
need an SPN for the web service on the ISA Server?” I don’t understand
why, the ISA server is the server that is needing the authentication to allow
the web server to browse the internet.
I have a Share Point
site it has a RSS feed web part, this web part is requesting a RSS feed for
example http://www.dirteam.com/blogs/carlos/default.aspx
now I monitor on the ISA 2004 server and I see the web server trying to access
the internet the user specified = Anonymous. The delegation is so that the user
viewing the Share Point site (hence calling the RSS web part) will be the user
credentials passed to the ISA server to be able to browse the
internet. That’s why I don’t see
why we need to register a SPN for the ISA server? Thanks From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Tony
Murray Hi
Carlos I'm just starting to
look at Kerberos delegation for something myself, but wouldn't you also
need an SPN for the web service on the ISA Server? And then specify that
serviced in the delegation tab on the user object? Cheers Tony From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Carlos
Magalhaes Hey
all, Ok late at night here and I’ve hit a
mental block (don’t laugh Dean). I have set this up like a gazillion times but
this time cant get it to work. Environment:
Windows 2003 Native Forest Mode –
All clients Windows XP SP2 and above Single forest single domain
setup Web Server – Windows Server 2003 Web
Edition Share Point Team Services
installed. That site has a web part that
requires Kerb delegation for access to a ISA firewall in order to stream RSS
feeds. I can see on the ISA server that when ever any user hits the site the
HTTP request is sent as ANONYMOUS. So what I have
done:
a. Purged all
tickets as well.
Still get Anonymous access on the
ISA box, and using some normal .net code can see that its not delegating the
creds correctly, can anyone see what I am doing wrong or what I should be
doing?
Carlos This e-mail message has been scanned for Viruses and
Content and cleared by NetIQ MailMarshal
at Gen-i
This e-mail message has been scanned for Viruses and
Content and cleared by NetIQ MailMarshal
at Gen-i
|
- RE: [ActiveDir] Kerberos Delegation Roger Seielstad
- RE: [ActiveDir] Kerberos Delegation Roger Seielstad
- RE: [ActiveDir] Kerberos Delegation Ken Schaefer
- RE: [ActiveDir] Kerberos Delegation Roger Seielstad
- RE: [ActiveDir] Kerberos Delegation Brian Desmond
- RE: [ActiveDir] Kerberos Delegation Carlos Magalhaes
- RE: [ActiveDir] Kerberos Delegation Roger Seielstad
- RE: [ActiveDir] Kerberos Delegation Carlos Magalhaes
- RE: [ActiveDir] Kerberos Delegation Carlos Magalhaes
- RE: [ActiveDir] Kerberos Delegation Ken Schaefer
- RE: [ActiveDir] Kerberos Delegation Carlos Magalhaes