locked
Sharepoint 2010 via TMG with smartcard auth and kerberos delegation RRS feed

  • Question

  • Hi All.

    I have 2 web applications on SharePoint: 80 (NTLM) and 443 (cert auth for internal access with SC). names http://sharepoint and https://sharepoint respectively. On TMG (computer) i create listener with next settings:
    Authentication - SSL client sertificate + require ssl client cert
    Certificates - create and apply certificate with internal IP (because all join by IP) like 10.10.0.50 (test lab)
    on SP rules add next settings:
    To - sharepoint, uncheck forward the original, request from original and from tmg (tried both variants)
    Authentication delegation - KCD, spn http/sharepoint1
    Binding - redirect to http 80 (like user from http://social.technet.microsoft.com/Forums/da-DK/FSSPNext/thread/9fa18168-7bb6-48c0-8853-b26ff7d38797 and by the book Microsoft Press TMG Administrators Companion).

    On Domain Controller i did next things:
    Users and computers snap-in - for TMG computer account I check "Trust this computer for delegation to any service (Kerberos only)"
    from cmd by domain admin - setspn -a http/sharpoint1 tmg

    and from tests I saw:
    as client - run IE8, wrote http://10.10.0.50, tmg certification path good, it asking me to select certificate from SC, after that asking PIN, than it write Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

    on TMG from Logs and reports:
    Denied Connection TMG 06.03.2012 13:20:40
    Log type: Web Proxy (Reverse)
    Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).  
    Rule: sp80
    Source: External (10.10.0.188:7362)
    Destination: Local Host (192.168.200.10:80)
    Request: GET http://sharepoint/
    Filter information: Req ID: 0990d4e4; Compression: client=No, server=No, compress rate=0% decompress rate=0%
    Protocol: https
    User: DOMAIN\spadmin

    as I see TMG auth me for my account, but give me an a error. well from the event viewer on TMG i saw
    Event 31517 Forefront TMG failed to delegate credentials using Kerberos constrained delegation to the Web site published by the rule sp80. This may occur when a Forefront TMG computer is not trusted for delegation to any authentication protocol in Active Directory.

    From DC event viewer tab security I saw:
    Event 4769 Audit success Kerberos Service Ticket Operations

    Account Information:
        Account Name:        TMG$@DOMAIN.LOC
        Account Domain:        DOMAIN.LOC
        Logon GUID:        {05bb8874-46ea-9665-c617-c03887d8d53e}
    Service Information:
        Service Name:        TMG$
        Service ID:        DOMAIN\TMG$
    Network Information:
        Client Address:        ::ffff:192.168.200.100
        Client Port:        10644
    Additional Information:
        Ticket Options:        0x40810000
        Ticket Encryption Type:    0x12
        Failure Code:        0x0
        Transited Services:    -

    Tried to test rule in TMG, and sometimes i saw error:

    Category: KCD error
    Error details: This Forefront TMG computer doesn't have the required trust for Kerberos Constrained Delegation.
    Action: Kerberos Constrained Delegation requires the Forefront TMG computer to be trusted for delegation for any authentication protocol and the Service Principal Name (SPN) used by Forefront TMG must be added to Active Directory.

    But in events on SP server no records.

    On DC i ran command "setspn -f -q http/sharepoint":

    Checking forest DC=domain,DC=loc
    CN=TMG,OU=comps,DC=domain,DC=loc
            MSSQLSvc/TMG.domain.loc:1433
            MSSQLSvc/TMG.domain.loc:ISARS
            MSSQLSvc/TMG.domain.loc:MSFW
            http/sharepoint
            ldap/TMG.domain.loc:2171
            ldap/TMG:2171
            E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/TMG.domain.loc:2171
            E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/TMG:2171
            tapinego/TMG
            tapinego/TMG.domain.loc
            WSMAN/TMG
            WSMAN/TMG.domain.loc
            RestrictedKrbHost/TMG
            HOST/TMG
            RestrictedKrbHost/TMG.domain.loc
            HOST/TMG.domain.loc
    Existing SPN found!

    If I specify trusted account directly in AD snap-in in Delegation tab and remove all spn records http/sharepoint1 answer is:

    HTTP response: 401 Unauthorized
    The test successfully completed for this URL.

    Then I enjoy site and get error 403 forbidden, but in IIS log i get 401 1 2148074254 error..

    I tried to add in SPN account name which running TMG, tried to specify trusted account directly in AD snap-in in delegation tab, tried to give trust delegation for SP computer, tried to redirect on 443 ssl port to SP, tried to change external certificate to a name like "sp.test" and then join in using that name, and some variants earlier with that - nothing helps me... As i see something wrong with KDC. Main question - what's i do wrong?
    Tuesday, March 6, 2012 12:15 PM

Answers

  • Well, now it works.

    I redirect from tmg 443 to iis 80, on TMG next settings:

    Rerquire all users to auth, kerberos delegation to http/sharepoint1

    In AD:

    on computer account TMG tab delegation trust to specified services only - Use any auth protocol and servicetype - http, user  or computer sharepoint1

    In IIS:

    on 80 web-app win auth delete NTLM auth, add negotiate auth, and in advanced sett - extended protection accept and switch on Enable kernel-mode auth.

    Now all working correctly from all places. Internal, External and Internet.

    UPD: I didn't add any SPN changes with setspn.exe
    Monday, March 19, 2012 8:35 AM

All replies

  • Hi,

    Thank you for the post.

    Please refer to this blog: http://blogs.technet.com/b/isablog/archive/2009/09/07/web-publishing-test-button-and-kcd-in-tmg.aspx.

    Regards,


    Nick Gu - MSFT

    Wednesday, March 7, 2012 6:09 AM
  • Hi.

    Thank you, I always find that topic, and tried to configure test workspace like user from that thread. That's not help's me:

    on TMG test rule button answer is:
    HTTP response: 401 Unauthorized
    The test successfully completed for this URL.
    Then I enjoy site and get error 403 forbidden (not TMG 403 page), and in IIS log i get 401 1 2148074254 error.

    Wednesday, March 7, 2012 7:14 AM
  • Well, now it works.

    I redirect from tmg 443 to iis 80, on TMG next settings:

    Rerquire all users to auth, kerberos delegation to http/sharepoint1

    In AD:

    on computer account TMG tab delegation trust to specified services only - Use any auth protocol and servicetype - http, user  or computer sharepoint1

    In IIS:

    on 80 web-app win auth delete NTLM auth, add negotiate auth, and in advanced sett - extended protection accept and switch on Enable kernel-mode auth.

    Now all working correctly from all places. Internal, External and Internet.

    UPD: I didn't add any SPN changes with setspn.exe
    Monday, March 19, 2012 8:35 AM