Problem with Kerberos Delegation

Problem with Kerberos Delegation

on 15.07.2007 01:28:00 by AlexKrugor

I have:
1. W2K3 Native Domain
2. Client W2K3 SP2
3. Server A - W2K3 SP2, IIS, SQL Server Reporting Services under Local System
4. For Server A - HTTP/SERVERA.DOMAIN; HTTP/SERVERA; HOST/SERVERA;
HOST/SERVERA.DOMAIN
5. Server B - W2K3 SP2, IIS, SQL 2K5 under DOMAIN\SQL
6. For Server B - HTTP/SERVERB.DOMAIN; HTTP/SERVERB; HOST/SERVERB;
HOST/SERVERB.DOMAIN
7. For DOMAIN\SQL - MSSQLSvc/SERVERB:1433 and MSSQLSvc/SERVERB.DOMAIN:1433
8. For Server A - unconstrained delegation; in web.config - <identity impersonate="true" />
9. I have a simple report with Windows integrated security

If I try to open http://ServerA/ReportServer/SimpleReport from Server A,
everything works fine; kerbtray shows all the necessary tickets.
If I try to open http://ServerA/ReportServer/SimpleReport from the Client:
"Logon failed for NT AUTHORITY\ANONYMOUS".

I understand that because of a mistake in delegation on the middle tier,
authentication to Server B falls back to NTLM. But, alas, I can't understand
what exactly the mistake is...

Please help.

Re: Problem with Kerberos Delegation

on 15.07.2007 03:31:22 by Ken Schaefer

Hi,

a) enable security audit logging for logon successes on your web box. Ensure
that the clients are actually authenticating using Kerberos to your web box.
If they are not, then no delegation is possible.

b) See http://support.microsoft.com/?id=262177 to enable Kerberos event logging
on your servers, in case there is an underlying issue with Kerberos.

c) Ensure that "Use Windows Integrated Authentication (requires a restart)"
is enabled on your clients, and that the client can contact a KDC.

Cheers
Ken

"Alex Krugor" wrote in message
news:AFCF3AD2-3233-4DD2-BA29-9C31D95A05EF@microsoft.com...

Re: Problem with Kerberos Delegation

on 15.07.2007 08:58:02 by AlexKrugor

Many thanks!
Really, the client is authenticating to the web box using NTLM (event 540). But I
don't get any error.
Why, in a native W2K3 domain, can't Kerberos be established between two W2K3
servers? If I simply open a remote folder, I see Kerberos. Any trouble
with the HTTP SPN?

"Ken Schaefer" wrote:

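Ken's first point (look in the security log and confirm that clients actually reach the web box with Kerberos) and Alex's finding that event 540 showed NTLM both come down to reading the "Authentication Package" field of the Windows Server 2003 "Successful Network Logon" audit. The following is an added example, not code from the thread: it parses a constructed dump of event 540 records and flags network logons that did not arrive over Kerberos. The field names follow the event description; every value in the dump is made up.

```python
"""Triage Windows Server 2003 security-log event 540 (Successful Network
Logon) entries and report which authentication package each client used.

Added example for this thread, not code from the original posts. The event
dump below is constructed: field names follow the event 540 description,
the values are made up.
"""
import re
from collections import Counter

# Constructed dump of three event 540 records, separated by '----':
# a domain user over Kerberos, the same user over NTLM (the fallback Alex
# saw), and a machine account logging on over Kerberos.
SAMPLE_EVENTS = """\
Event ID: 540
Successful Network Logon:
    User Name:      alex
    Domain:         DOMAIN
    Logon ID:       (0x0,0x3A1F2)
    Logon Type:     3
    Logon Process:  Kerberos
    Authentication Package: Kerberos
    Workstation Name:
    Source Network Address: 10.0.0.21
----
Event ID: 540
Successful Network Logon:
    User Name:      alex
    Domain:         DOMAIN
    Logon ID:       (0x0,0x3B990)
    Logon Type:     3
    Logon Process:  NtLmSsp
    Authentication Package: NTLM
    Workstation Name: CLIENT
    Source Network Address: 10.0.0.22
----
Event ID: 540
Successful Network Logon:
    User Name:      SERVERB$
    Domain:         DOMAIN
    Logon ID:       (0x0,0x3C001)
    Logon Type:     3
    Logon Process:  Kerberos
    Authentication Package: Kerberos
    Workstation Name:
    Source Network Address: 10.0.0.11
"""

# One "Label:   value" line of the event description.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_events(text):
    """Split a dump on '----' and return one {field: value} dict per event 540."""
    events = []
    for chunk in text.split("----"):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2)
        if fields.get("Event ID") == "540":
            events.append(fields)
    return events


def summarize(events):
    """Count logons per authentication package, e.g. {'Kerberos': 2, 'NTLM': 1}."""
    return Counter(ev.get("Authentication Package", "?") for ev in events)


def ntlm_fallbacks(events, ignore_machine_accounts=True):
    """Return the network logons (type 3) that did not arrive over Kerberos.

    This is the check Ken asks for: a user who reaches the web box over NTLM
    presented no Kerberos AP-REQ, so there is no forwarded TGT for
    unconstrained delegation and the second hop to SQL Server is made
    without credentials (the ANONYMOUS LOGON in the poster's error).
    Machine-account logons are skipped by default; they are not browser traffic.
    """
    hits = []
    for ev in events:
        if ev.get("Logon Type") != "3":
            continue
        if ignore_machine_accounts and ev.get("User Name", "").endswith("$"):
            continue
        if ev.get("Authentication Package", "").lower() != "kerberos":
            hits.append(ev)
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("logons by package:", dict(summarize(evs)))
    for ev in ntlm_fallbacks(evs):
        print("NTLM fallback: %s\\%s from %s (workstation %r, logon process %s)" % (
            ev["Domain"], ev["User Name"], ev["Source Network Address"],
            ev["Workstation Name"], ev["Logon Process"]))
```

Run against a real export, the "Source Network Address" and "Workstation Name" of each NTLM hit tell you which clients to look at; a Kerberos logon normally has an empty workstation name, an NTLM one carries the client's NetBIOS name.
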
Re: Problem with Kerberos Delegation

on 15.07.2007 09:06:03 by AlexKrugor

Addition - another client (Client B) - self KDC, Windows Integrated
Authentication in IE

"Alex Krugor" wrote:

> Many thanks!
> Realy, client authenticating to web box using NTLM (event 540). But don`t
> have any error.
> Why in the nativ w2k3 domain between two servers w2k3 can`t be established
> Kerberos? If to open simply removed folder, that I see Kerberos. Any trouble
> with HTTP SPN?
>
> "Ken Schaefer" wrote:
>
> > Hi,
> >
> > a) enable security audit logging for logon successes on your web box. Ensure
> > that the clients are actually authenticating using Kerberos to your web box.
> > If they are not, then no delegation is possible.
> >
> > b) http://support.microsoft.com/?id=262177 to enable Kerberos event logging
> > on your servers,in case there is an underlying issue with Kerberos
> >
> > c) Ensure that "Use Windows Integrated Authentication (requires a restart)"
> > is enabled on your clients, and that the client can contact a KDC.
> >
> > Cheers
> > Ken
> >
> > "Alex Krugor" wrote in message
> > news:AFCF3AD2-3233-4DD2-BA29-9C31D95A05EF@microsoft.com...
> > >I have:
> > > 1. W2K3 Native Domain
> > > 2. Client W2K3 SP2
> > > 3. Server A - W2K3 SP2, IIS, SQL Server Reporting Services under Local
> > > System
> > > 4. For Server A - HTTP/SERVERA.DOMAIN; HTTP/SERVERA; HOST/SERVERA;
> > > HOST/SERVERA.DOMAIN
> > > 5. Server B - W2K3 SP2, IIS, SQL 2K5 under DOMAIN\SQL
> > > 6. For Server B - HTTP/SERVERB.DOMAIN; HTTP/SERVERB; HOST/SERVERB;
> > > HOST/SERVERB.DOMAIN
> > > 7. For DOMAIN\SQL - MSSQLSvc/SERVERB:1433 and MSSQLSvc/SERVERB.DOMAIN:1433
> > > 8. For Server A - unconstrained delegation; in web.config - > > > impersonate="true" />
> > > 9. I have simple report with windows integrated security
> > >
> > > If I try open http://ServerA/ReportServer/SimpleReport from Server A - all
> > > work fine, kerbtray show all necessary tickets
> > > If I try open http://ServerA/ReportServer/SimpleReport from Client - Logon
> > > failed for NT AUTHORITY\ANONYMOUS
> > >
> > > I understand, that a mistake in delegation on middle tier, authentication
> > > to
> > > Server B falls back to NTLM. But, alas, I can`t understand in what
> > > particularly mistake...
> > >
> > > Pls, help
> >
> >

Re: Problem with Kerberos Delegation

on 15.07.2007 09:06:58 by Ken Schaefer

Hi,

Here are some links to check:

IIS and Kerberos Part 1 - What is Kerberos and how does it work?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/19/512.aspx

IIS and Kerberos Part 2 - What are Service Principal Names?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx

IIS and Kerberos. Part 3 - A simple scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/16/1054.aspx

IIS and Kerberos Part 4 - A simple delegation scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/27/1282.aspx

Probably worth reading #3 first.

If the client is authenticating using NTLM, and not Kerberos, then the most
common errors are:
a) "Use Integrated Windows Authentication" is not selected in IE (if that is
not selected, then NTLM only is used)
b) The web server is not sending the "WWW-Authenticate: Negotiate" HTTP header;
it is only sending a "WWW-Authenticate: NTLM" header. Verify using telnet or a
packet capture tool that IIS is sending the correct header
c) IE does not see the website in the "intranet" security zone. Kerberos auth
is not attempted for sites in the "internet" security zone. Look at the little
icon at the bottom of the IE status bar to verify the security zone
d) You may have duplicate SPNs. Ensure that HTTP/servername and
HTTP/servername.domain.local are not registered under any other accounts.
e) The web application pool that is hosting your SQL Server Reporting
Services web site - what account is that running under? If it is
LocalSystem, Local Service or Network Service, then the relevant SPNs need
to be registered under the machine account in AD. If it's running as a
custom user identity then you need to move the SPNs to that custom user
account in AD. You cannot use a custom local account.

Cheers
Ken


"Alex Krugor" wrote in message
news:51DF2BF4-BC8F-4DA1-A8B0-847A98FB63C6@microsoft.com...

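Items a) to c) of Ken's list are all visible on the wire: what the 401 from IIS offers, and what the browser puts in its Authorization header in reply. The following is an added example, not code from the thread or from Ken's articles: it pulls the schemes out of a 401 and decodes a "Negotiate" token far enough to say whether it is Kerberos or NTLM, because "Negotiate" alone does not mean Kerberos was used. The two HTTP responses and all tokens are constructed stand-ins; the OIDs and the NTLMSSP signature they are matched against are the standard ones.

```python
"""Inspect an IIS 401 and the client's Negotiate token for the NTLM-vs-Kerberos question.

Added example for this thread, not code from the original posts. The two
HTTP responses and the Authorization tokens are constructed stand-ins; the
byte patterns they are matched against are the real GSS-API mechanism OIDs
and the NTLMSSP signature.
"""
import base64

# DER-encoded OBJECT IDENTIFIER TLVs found near the start of a GSS-API
# initial context token (RFC 2743 3.1: 0x60 <length> <mech OID> <inner token>).
SPNEGO_OID  = b"\x06\x06\x2b\x06\x01\x05\x05\x02"                   # 1.3.6.1.5.5.2
KRB5_OID    = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"       # 1.2.840.113554.1.2.2
MS_KRB5_OID = b"\x06\x09\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"       # 1.2.840.48018.1.2.2
NTLMSSP_OID = b"\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"   # 1.3.6.1.4.1.311.2.2.10

# Constructed 401 responses: an NTLM-only one (Kerberos impossible) and the
# one IIS sends when Negotiate is enabled.
RESP_NTLM_ONLY = ("HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/6.0\r\n"
                  "WWW-Authenticate: NTLM\r\nContent-Length: 0\r\n\r\n")
RESP_NEGOTIATE = ("HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/6.0\r\n"
                  "WWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n"
                  "Content-Length: 0\r\n\r\n")


def offered_schemes(raw_response):
    """Auth schemes a 401 advertises, one per WWW-Authenticate header, in order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        parts = value.split()
        if name.strip().lower() == "www-authenticate" and parts:
            schemes.append(parts[0])
    return schemes


def kerberos_possible(raw_response):
    """Kerberos only travels inside the Negotiate scheme; an NTLM-only 401 forces NTLM."""
    return "Negotiate" in offered_schemes(raw_response)


def classify_token(b64_token):
    """What an 'Authorization: Negotiate <token>' value actually carries.

    Negotiate does not guarantee Kerberos: a client that could not get a
    service ticket sends a bare NTLMSSP message under the same scheme
    (its base64 starts with 'TlRMTVNT'), while a Kerberos attempt is a
    GSS-API token (0x60 ..., base64 typically 'YII...') naming the
    Kerberos mechanism.
    """
    raw = base64.b64decode(b64_token)
    if raw.startswith(b"NTLMSSP\x00"):
        return "NTLM"
    if raw[:1] != b"\x60":
        return "unknown"
    if SPNEGO_OID in raw[:16]:
        if KRB5_OID in raw or MS_KRB5_OID in raw:
            return "Kerberos (SPNEGO)"
        if NTLMSSP_OID in raw:
            return "NTLM (SPNEGO-wrapped)"
        return "SPNEGO (other mechanism)"
    if KRB5_OID in raw[:16] or MS_KRB5_OID in raw[:16]:
        return "Kerberos (raw GSS-API)"
    return "unknown"


def _der_len(n):
    """DER length octets for the outer 0x60 tag."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


# Constructed tokens (not captures). NTLM_TYPE1 is a minimal NTLM negotiate
# message: signature, message type 1, flags, empty domain/workstation fields.
NTLM_TYPE1 = b"NTLMSSP\x00" + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16
NTLM_TOKEN = base64.b64encode(NTLM_TYPE1).decode()

# SPNEGO stand-in: only the OID layout at the front is meaningful here; the
# zero bytes take the place of the NegTokenInit body and AP-REQ and make the
# token long enough to show the familiar 'YII' prefix.
_spnego_body = SPNEGO_OID + MS_KRB5_OID + KRB5_OID + NTLMSSP_OID + b"\x00" * 400
SPNEGO_TOKEN = base64.b64encode(b"\x60" + _der_len(len(_spnego_body)) + _spnego_body).decode()

# Raw Kerberos GSS-API stand-in: mech OID then the 0x0100 AP-REQ TOK_ID.
_krb_body = KRB5_OID + b"\x01\x00" + b"\x00" * 40
RAW_KRB5_TOKEN = base64.b64encode(b"\x60" + _der_len(len(_krb_body)) + _krb_body).decode()

JUNK_TOKEN = base64.b64encode(b"not a gss token").decode()

if __name__ == "__main__":
    for label, resp in (("NTLM-only 401", RESP_NTLM_ONLY), ("Negotiate 401", RESP_NEGOTIATE)):
        print(label, offered_schemes(resp), "kerberos possible:", kerberos_possible(resp))
    for label, tok in (("ntlm", NTLM_TOKEN), ("spnego", SPNEGO_TOKEN), ("krb5", RAW_KRB5_TOKEN)):
        print(label, tok[:12] + "...", "->", classify_token(tok))
```

On IIS 6 the schemes in the 401 come from the NTAuthenticationProviders metabase property (`cscript adsutil.vbs get w3svc/<siteid>/root/NTAuthenticationProviders`); it has to contain Negotiate for Kerberos to be tried at all. A Negotiate header is necessary, not sufficient: the client still has to obtain a ticket for the HTTP SPN, which is what items c) to e) are about, and a "Negotiate TlRMTVNT..." Authorization header is the sign that it did not.
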
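Items d) and e) are about where the HTTP SPNs sit in Active Directory. The following is an added example, not code from the thread: it encodes the rule Ken states (built-in app pool identities use the machine account, a domain user identity must hold the SPNs itself, a local account cannot be used) and checks a listing of registrations for duplicates and for HTTP SPNs held by the wrong account. The listing is constructed in the shape of the poster's setup, with a made-up stale account DOMAIN\oldwebsvc added on purpose so the duplicate check has something to find.

```python
"""Check where the HTTP SPNs live and whether any SPN is registered twice.

Added example for this thread (items d and e of Ken's list), not code from
the original posts. REGISTRATIONS is a constructed listing: the thread's own
accounts plus a stale DOMAIN\\oldwebsvc account that is made up here.
"""

BUILTIN_IDENTITIES = {"localsystem", "local system", "networkservice",
                      "network service", "localservice", "local service"}


def required_spn_account(app_pool_identity, host_fqdn):
    """Return the AD account that must carry HTTP/<host> for this app pool.

    Built-in identities authenticate on the network as the computer account,
    so the SPNs belong on <HOST>$. A domain user identity must carry them
    itself. A local (non-domain) user has no AD object to hold an SPN, so
    Kerberos to that site cannot work at all.
    """
    short_host = host_fqdn.split(".")[0].upper()
    ident = app_pool_identity.strip()
    if ident.lower() in BUILTIN_IDENTITIES:
        return short_host + "$"
    domain, sep, user = ident.partition("\\")
    if sep and domain.upper() not in ("", ".", short_host):
        return domain.upper() + "\\" + user
    raise ValueError("%r is a local account; Kerberos needs a domain identity" % ident)


def duplicate_spns(registrations):
    """registrations maps account -> list of SPNs (what `setspn -L` prints).

    Returns {spn: [accounts]} for every SPN held by more than one account.
    Matching is case-insensitive, as the directory compares SPNs that way.
    With a duplicate the KDC may build the ticket for either account; if it
    picks the wrong one the web server cannot decrypt it and Kerberos fails.
    """
    holders = {}
    for account, spns in registrations.items():
        for spn in spns:
            holders.setdefault(spn.lower(), []).append(account)
    return {spn: accts for spn, accts in holders.items() if len(accts) > 1}


def misplaced_http_spns(registrations, app_pool_identity, host_fqdn):
    """HTTP SPNs for the host that sit on an account other than the one the
    app pool identity requires. Such a ticket is encrypted with a key the web
    server does not have, so the browser ends up falling back to NTLM."""
    want = required_spn_account(app_pool_identity, host_fqdn).lower()
    short = host_fqdn.split(".")[0].lower()
    wanted_spns = {"http/" + short, "http/" + host_fqdn.lower()}
    bad = []
    for account, spns in registrations.items():
        for spn in spns:
            if spn.lower() in wanted_spns and account.lower() != want:
                bad.append((spn, account))
    return bad


# Constructed listing: the thread's registrations plus a stale
# DOMAIN\oldwebsvc account that still holds HTTP/SERVERA (made up here).
REGISTRATIONS = {
    "SERVERA$": ["HTTP/SERVERA.DOMAIN", "HTTP/SERVERA", "HOST/SERVERA", "HOST/SERVERA.DOMAIN"],
    "SERVERB$": ["HTTP/SERVERB.DOMAIN", "HTTP/SERVERB", "HOST/SERVERB", "HOST/SERVERB.DOMAIN"],
    "DOMAIN\\SQL": ["MSSQLSvc/SERVERB:1433", "MSSQLSvc/SERVERB.DOMAIN:1433"],
    "DOMAIN\\oldwebsvc": ["http/servera"],
}

if __name__ == "__main__":
    print("SPN holder for a LocalSystem app pool on SERVERA:",
          required_spn_account("LocalSystem", "SERVERA.DOMAIN"))
    print("duplicates:", duplicate_spns(REGISTRATIONS))
    print("misplaced:", misplaced_http_spns(REGISTRATIONS, "LocalSystem", "SERVERA.DOMAIN"))
```

Feed it the output of `setspn -L` for each account you suspect; for the poster's LocalSystem app pool the only acceptable holder of HTTP/SERVERA and HTTP/SERVERA.DOMAIN is SERVERA$, and anything the duplicate check reports has to be removed from the other account before the KDC will reliably issue a usable ticket.
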
Re: Problem with Kerberos Delegation

on 15.07.2007 22:10:00 by AlexKrugor

Hurrah, everything works! ;-)))))))
My case: "WWW-Authenticate: NTLM"

I'm sincerely grateful for the help.

By the way, in "IIS and Kerberos. Part 3 - A simple scenario" there is the string "See
Microsoft KB Article 832768 for your options"; however, Article ID 832768 is
"The data in the public folders is several days out of date in Exchange
Server 5.5", which I think has no relation to the problem.

"Ken Schaefer" wrote:

> Hi,
>
> Here are some links to check:
>
> IIS and Kerberos Part 1 - What is Kerberos and how does it work?
> http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/19/ 512.aspx
>
> IIS and Kerberos Part 2 - What are Service Principal Names?
> http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/ 606.aspx
>
> IIS and Kerberos. Part 3 - A simple scenario
> http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/16/ 1054.aspx
>
> IIS and Kerberos Part 4 - A simple delegation scenario
> http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/27/ 1282.aspx
>
> Probably worth reading #3 first.
>
> If client is authenticating using NTLM, and not Kerberos, and then most
> common errors are:
> a) "Use Integrated Windows Authentication" is not selected in IE (if that is
> not selected, then NTLM only is used)
> b) Web server is not sending: WWW-Authenticate: Negotiate HTTP header. It is
> only sending WWW-Authenticate: NTLM header. Verify using telnet or packet
> capture tool that IIS is sending the correct header
> c) IE does not see website in "intranet" security zone. Kerberos Auth is not
> attempted for sites in 'internet" security zone. Look at the little icon in
> the bottom of IE status bar to verify the security zone
> d) You may have duplicate SPNs. Ensure that HTTP/servername and
> HTTP/servername.domain.local are not registered under any other accounts.
> c) the web application pool that is hosting your SQL Server reporting
> services web site - what account is that running under? If it is
> Localsystem, Local Service or Network Service, then the relevant SPNs need
> to be registered under the machine account in AD. If it's running as a
> custom user identity then you need to move the SPNs to that custom user
> account in AD. You can not use a custom local account.
>
> Cheers
> Ken

Re: Problem with Kerberos Delegation

on 16.07.2007 09:23:42 by Ken Schaefer

Hi,

Glad it works.

Thanks for picking up the KB article error. It should be ID 832769, not
832768.

Cheers
Ken


"Alex Krugor" wrote in message
news:3C91A08A-FD2F-4435-862E-31848D9EBEB0@microsoft.com...