HTTP 401 on WebAppl. with Kerberos Auth

  • Question

  • Hi all,

    Trying to figure out how to get this working. A webapp (Topdesk) is published under the portal hostname. TopDesk has been set up with Kerberos Authentication. An SPN has been set up in TopDesk like this: http/servername.domain

    When I do a setspn -q http/servername.domain I get a big list of servers and services that are registered with a service account. That service account is only used for Kerberos auth, and has the option enabled to be delegated for authentication to any service (Kerberos only).

    I published the application and set it up for Kerberos Auth. When I log on to UAG portal and open the application I get a "You do not have permissions to view this folder or page".

    The Webmonitor shows an "Unable to reply to a HTTP 401 request" message.

    Fiddler does not give any information.

    I started a capture in Network Monitor and see some Kerberos v5 messages. 

    First one: KerberosV5:TGS Request Realm: DOMAIN Sname: http/servername.domain
    Second: KerberosV5:KRB_ERROR  - KDC_ERR_BADOPTION (13)

    I am a little lost now on what I can do. But could this point to a situation where the Logon FORM of the application doesn't understand what UAG is trying to do with its LoginForm.xml? In other words, could this be that I have to make a custom Form? Or is the issue different, maybe one step before the FORM thingy?

    I also checked TMG logging and saw some messages about a Kerberos Ticket being generated and delivered to me. After that the 401 message came in.

    Thanks for the help!

    Monday, July 23, 2012 12:23 PM

All replies

  • Hi,

    Did you ever get anywhere with TOPdesk and UAG Kerberos Auth? I have the same issue....

    Tuesday, September 17, 2013 3:09 PM
  • Any luck? Same issue here...
    Thursday, January 30, 2014 10:41 AM
  • Yes, all working with TOPDesk, UAG & Kerberos, however issues with the initial login page due to JavaScript. Also problem moving between pages when more than one page... Don't suppose you've done anything with this?

    Wednesday, March 26, 2014 1:24 PM
  • Also "You do not have permissions to view this folder or page" after I click to login to Topdesk via UAG.

    Then a "Back" in my browser and click again to login and it works fine...

    Only, this is not acceptable for my company, so I will create a reverse proxy in the near future...

    • Edited by Fastide Wednesday, April 9, 2014 1:55 PM
    Wednesday, April 9, 2014 12:50 PM
  • We got around these issues by using the same server name (external name) internally & externally (use hosts file on UAG if necessary to point external name to internal address!). Used the application public hostname.
    Thursday, May 8, 2014 3:18 PM