
There is a small problem with setting up Kerberos constrained delegation in Active Directory.

The scheme works as follows:
1. Client workstation.
2. Web server on Windows 2008 Ent with IIS installed (iis.domain.lab). It is the front-end server; the W3SVC service runs under the LocalSystem account.
3. Application server based on Windows Server 2008 Ent (app.domain.lab). It is the back-end server; the application service runs under the domain account svc_app_usr.
4. Domain controller (dc.domain.lab).

On the IIS server a specific application is hosted that the end user opens in a browser. Since the IIS server and the application are on different servers, I need to configure Kerberos constrained delegation.

I did the following:
1. For svc_app_usr I registered SPNs of the form SERVICE_NAME/APP and SERVICE_NAME/APP.domain.lab.
2. On the IIS server I set up Kerberos constrained delegation using the domain account svc_app_usr.

But there is the following problem: when I try to open the application through a browser, it does not open. In Wireshark I see that when the IIS server requests a TGS from the domain controller, it receives the following error:

KRB5KDC_ERR_BADOPTION NT Status: STATUS_NO_MATCH NT Status: STATUS_NO_MATCH (0xc0000272) Unknown: 0x00000000 Unknown: 0x00000003

Tell me, please, where did I go wrong?

cortes_
  • http://blogs.iis.net/bretb/How-to-Use-DelegConfig – Greg Askew May 25 '15 at 13:50
  • Thank you, I saw this article. I got the following results https://imageshack.com/i/idxZyMO0p, but it does not solve my problem. I understand that the problem is on the backend, but I do not understand exactly what it involves – cortes_ May 26 '15 at 10:27
  • Does it work with unconstrained delegation? – Greg Askew May 26 '15 at 12:17
  • Yes, with unconstrained delegation the problem does not exist – cortes_ May 26 '15 at 14:09
  • If you perform a packet capture, does the SPN that your client is connecting to exactly match the SPN that is configured for the application? – Greg Askew May 26 '15 at 14:27
  • If I understand your question, the answer is no. The situation is as follows: 1) When I run the browser from a workstation and open the web application, in the network dump I see that it gets a TGS with Server Name (Service and Instance): HTTP/iis.domain.lab. 2) If I watch the network dump on the IIS web server, I see the following: http://pasted.co/081c5c93 – cortes_ May 27 '15 at 07:57
  • What I mean is, if the SPN is iis or iis.domain.lab, is that what you are entering in the URL of the browser? – Greg Askew May 27 '15 at 12:03
  • In the browser I enter iis.domain.lab – cortes_ May 27 '15 at 15:00
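The checks below are an added diagnostic script, not something posted in the question or its comments. In constrained delegation the KDC answers the front-end's S4U2proxy TGS-REQ with KRB5KDC_ERR_BADOPTION when the requested target SPN is not listed in the msDS-AllowedToDelegateTo attribute of the account that sends the request; when W3SVC or the application pool runs as LocalSystem or NetworkService, that account is the IIS computer account, not the back-end's service account. The script reads the relevant attributes with the ActiveDirectory PowerShell module and reports the usual mismatches. The account names and SPNs come from the question (svc_app_usr, SERVICE_NAME/APP.domain.lab, HTTP/iis.domain.lab); the front-end computer account name IIS$ is an assumption derived from the host name, and the Target SPN should be replaced by the exact "Server Name" seen in the failing TGS-REQ in the capture.

```powershell
# Added diagnostic script (not from the question). Requires the RSAT
# ActiveDirectory module and read access to the accounts involved.
Import-Module ActiveDirectory

# Documented userAccountControl flag values.
$UF_TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

function Test-ConstrainedDelegation {
    param(
        # Account whose identity the front-end process uses: the computer account
        # ('IIS$', assumed here) for LocalSystem/NetworkService, otherwise the
        # domain user the application pool runs as.
        [Parameter(Mandatory)] [string] $FrontEndAccount,
        # SPN the browser asks a ticket for, e.g. 'HTTP/iis.domain.lab'
        [Parameter(Mandatory)] [string] $FrontEndSpn,
        # Account the back-end service runs as, e.g. 'svc_app_usr'
        [Parameter(Mandatory)] [string] $BackEndAccount,
        # SPN the front-end requests on behalf of the user (S4U2proxy), e.g.
        # 'SERVICE_NAME/app.domain.lab'
        [Parameter(Mandatory)] [string] $TargetSpn
    )

    $problems = New-Object 'System.Collections.Generic.List[string]'

    # Which accounts carry a given SPN? The KDC needs exactly one owner.
    function Get-SpnOwners([string] $Spn) {
        @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName |
          ForEach-Object { $_.sAMAccountName })
    }

    # 1. The front-end SPN must belong to the account the front-end process runs as,
    #    otherwise the client's service ticket is encrypted with the wrong key.
    $feOwners = Get-SpnOwners $FrontEndSpn
    if ($feOwners.Count -ne 1 -or $feOwners[0] -ne $FrontEndAccount) {
        $problems.Add("Front-end SPN $FrontEndSpn is registered on [$($feOwners -join ', ')], expected $FrontEndAccount")
    }

    # 2. The target SPN must belong to the back-end service account, exactly once.
    $beOwners = Get-SpnOwners $TargetSpn
    if ($beOwners.Count -ne 1 -or $beOwners[0] -ne $BackEndAccount) {
        $problems.Add("Target SPN $TargetSpn is registered on [$($beOwners -join ', ')], expected $BackEndAccount")
    }

    # 3. Delegation settings live on the FRONT-END account, never on the back-end one.
    $fe = Get-ADObject -LDAPFilter "(sAMAccountName=$FrontEndAccount)" `
                       -Properties 'msDS-AllowedToDelegateTo', 'userAccountControl'
    if (-not $fe) {
        $problems.Add("Account $FrontEndAccount not found in the directory")
        $allowed = @()
        $uac = 0
    } else {
        $allowed = @($fe.'msDS-AllowedToDelegateTo')
        $uac = [int]$fe.userAccountControl
    }

    if ($uac -band $UF_TRUSTED_FOR_DELEGATION) {
        $problems.Add("$FrontEndAccount is set to UNCONSTRAINED delegation; msDS-AllowedToDelegateTo is not used")
    }

    # The list is matched against the requested SPN as a literal string (case-insensitive),
    # so the short and FQDN forms are distinct entries; a missing entry yields
    # KRB5KDC_ERR_BADOPTION on the S4U2proxy request.
    if (-not ($allowed | Where-Object { $_ -ieq $TargetSpn })) {
        $problems.Add("$TargetSpn is not in msDS-AllowedToDelegateTo of $FrontEndAccount (current list: [$($allowed -join ', ')])")
    }

    [pscustomobject]@{
        FrontEndAccount     = $FrontEndAccount
        ProtocolTransition  = [bool]($uac -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION)
        AllowedToDelegateTo = $allowed
        Problems            = $problems
        Ok                  = ($problems.Count -eq 0)
    }
}

# Values from the question; 'IIS$' is the assumed computer account of iis.domain.lab.
Test-ConstrainedDelegation -FrontEndAccount 'IIS$' -FrontEndSpn 'HTTP/iis.domain.lab' `
    -BackEndAccount 'svc_app_usr' -TargetSpn 'SERVICE_NAME/app.domain.lab' | Format-List
```

Run it from a domain-joined host as a user that can read the two accounts. An empty Problems list means the directory side is consistent; a non-empty ProtocolTransition flag tells you whether "use any authentication protocol" is enabled, which matters if the browser does not authenticate to IIS with Kerberos in the first place.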

0 Answers