Forefront UAG KCD on SharePoint RSS feed

  • Question

  • Hello everyone,


    I'm trying to set up simple Kerberos constrained delegation on Forefront UAG SP1 for a SharePoint portal to which I need to log in with Kerberos only;
    all servers are in the same domain and Kerberos is working fine on SharePoint when you access it directly.

    I delegated the right to ask for a Kerberos ticket to the Forefront UAG server and configured KCD for the SharePoint app.

    I however get a "user has no right to access the portal" error when I try to access my SharePoint portal through UAG, and if I look at the event viewer I see this error:

    Can anyone help figure out the problem?

    Thanks!



    Hitch Bardawil
    Tuesday, September 27, 2011 1:32 PM

All replies

  • Hi,

    Did you register an SPN for your SharePoint site? Check that with setspn -l servername and look for HTTP/ services.

    Cheers,

    Andreas


    Andreas Hecker - Blog: http://microsoft-iag.blogspot.com/ Please remember to use “Mark as Answer” or "vote as helpful" on the posts that help you.
    Tuesday, September 27, 2011 4:38 PM
  • Hello Andreas,

    I configured the UAG server computer account to allow Kerberos delegation to all.

    Isn't that supposed to be enough?


    Hitch Bardawil
    Tuesday, September 27, 2011 5:21 PM
  • Hi,

    No, unfortunately not. Service Principal Names and their registration in AD are very important. Please read this article to get an idea of how KCD really works: http://technet.microsoft.com/en-us/library/bb794858.aspx and then check your AD for correct SPN registration for your SharePoint server.

    Cheers,

    Andreas


    Andreas Hecker - Blog: http://microsoft-iag.blogspot.com/ Please remember to use “Mark as Answer” or "vote as helpful" on the posts that help you.
    Tuesday, September 27, 2011 6:31 PM
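The checks Andreas describes (is the HTTP SPN for the SharePoint site registered, and is the UAG computer account allowed to delegate to it), as an added PowerShell example that is not part of this thread. It assumes the RSAT ActiveDirectory module and domain read access; the host and account names are placeholders to replace with your own.

```powershell
# Added diagnostic example, not from the thread. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$SharePointHost = 'sharepoint.contoso.local'   # placeholder: FQDN users browse to
$UagComputer    = 'UAG01'                       # placeholder: UAG server computer account name

# Kerberos clients request a ticket for HTTP/<host>; check the FQDN and the short-name form.
$spns = @("HTTP/$SharePointHost", "HTTP/$($SharePointHost.Split('.')[0])")

foreach ($spn in $spns) {
    # 1. Which accounts claim this SPN? Kerberos needs exactly one holder.
    #    Zero holders, or a duplicate, is a classic reason for the fallback to NTLM.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
    switch ($holders.Count) {
        0       { Write-Warning "$spn is not registered on any account" }
        1       { Write-Host    "$spn is registered on: $($holders[0].DistinguishedName)" }
        default { Write-Warning "$spn is registered on $($holders.Count) accounts (duplicate SPN)" }
    }
}

# 2. Is the UAG computer account allowed to delegate to the SharePoint SPN?
#    KCD targets live in msDS-AllowedToDelegateTo on the delegating account (here UAG),
#    not on the account that hosts the SharePoint service.
$uag     = Get-ADComputer $UagComputer -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
$allowed = @($uag.'msDS-AllowedToDelegateTo')
$missing = $spns | Where-Object { $allowed -notcontains $_ }
if ($missing) {
    Write-Warning "$UagComputer may not delegate to: $($missing -join ', ')"
} else {
    Write-Host "$UagComputer is allowed to delegate to the SharePoint HTTP SPN(s)"
}

# 3. UAG authenticates users itself and then requests a ticket on their behalf, so the
#    delegation must be configured as "Use any authentication protocol" (protocol transition).
if (-not $uag.TrustedToAuthForDelegation) {
    Write-Warning "$UagComputer lacks 'Use any authentication protocol' (TrustedToAuthForDelegation)"
}
```

If step 1 reports the SPN on the UAG computer account rather than on the account running the SharePoint application pool, the ticket is being issued for the wrong service principal and SharePoint cannot decrypt it.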
  • Hello,

    I did the modification on my UAG computer account to have the correct SPN of the SharePoint site,

    but I'm still having the same error!

    It seems like my server is trying to negotiate but ends up requesting NTLM instead of Kerberos if I trace the traffic!

    Any ideas on what's going on?

    This is weird since I've already done it lots of times; there must be something off.



    Hitch Bardawil
    Wednesday, October 12, 2011 1:20 PM