Sharepoint 2010 published via TMG internally with Kerberos auth for SSO not working

  • Question

  • I am trying to configure TMG\Sharepoint 2010 to use Kerberos auth. I had the site published with direct client auth (NTLM) and it was working, but we would get multiple auth prompts as you navigated, so I decided to switch to Kerberos to match other sites published via TMG.

    I have done the following:

    Sharepoint AAMs have been configured, IIS providers are Negotiate and NTLM (tried removing NTLM with no luck), Sharepoint app pool is running as a domain ID with the SPN set.

    On the TMG side, both computer objects are set up with delegation authority in AD. Sharepoint publishing rule was used and authentication is set to Kerberos.

    When I attempt to hit the site I get the following in the browser:

    • Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

    When I look at the TMG logs I get the following (names and IPs removed):

    Denied Connection x 8/19/2011 11:54:58 PM
    Log type: Web Proxy (Reverse)
    Status: 12309 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.
    Source: x.x.x.x:4599
    Destination: x.x.x.x:80
    Request: GET http://x/default.aspx
    Filter information: Req ID: 05f4d23f; Compression: client=Yes, server=No, compress rate=0% decompress rate=0%
    Protocol: http

    User: anonymous

    Failed Connection Attempt x 8/19/2011 11:54:58 PM
    Log type: Web Proxy (Reverse)
    Status: 5 Access is denied.
    Source: x.x.x.x:4599
    Destination: x.x.x.x:80
    Request: GET http://x/default.aspx
    Filter information: Req ID: 05f4d240; Compression: client=Yes, server=No, compress rate=0% decompress rate=0%
    Protocol: http
    User: anonymous

    Any help is appreciated. Thanks!
    Saturday, August 20, 2011 3:58 AM

Answers

  • Thank you for the link. This issue has been resolved. It was a duplicate SPN in AD.

    To check for this I ran the command below:

    setspn -f -q http/{object}

    This returned 2 IDs set to the same object. Removed the unused one and the problem is resolved. Hopefully this helps someone else.

    Thanks!

    Thursday, August 25, 2011 6:26 PM
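A way to run the same duplicate-SPN check across the whole domain rather than one object at a time, added here as an example that is not from the thread. It assumes the ActiveDirectory PowerShell module (RSAT) is available; Find-DuplicateSpn is a hypothetical helper name.

```powershell
# Added example (not from the thread): list every SPN that is registered on more
# than one AD object. A duplicate SPN breaks Kerberos because the KDC cannot
# pick a single account key to encrypt the service ticket with, so clients fall
# back to NTLM or, behind a publishing proxy such as TMG, are simply denied.
Import-Module ActiveDirectory

function Find-DuplicateSpn {
    param(
        # Service class to inspect, e.g. 'http'; use '*' to check every class.
        [string]$ServiceClass = 'http',
        # Search base; defaults to the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    $filter = "(servicePrincipalName=$ServiceClass/*)"
    $owners = @{}   # lower-cased SPN -> array of distinguished names

    Get-ADObject -LDAPFilter $filter -SearchBase $SearchBase -Properties servicePrincipalName |
        ForEach-Object {
            $dn = $_.DistinguishedName
            foreach ($spn in $_.servicePrincipalName) {
                # The object may also carry SPNs of other classes; skip those.
                if ($spn -notlike "$ServiceClass/*") { continue }
                # SPN matching is case-insensitive, so normalise before grouping.
                $key = $spn.ToLowerInvariant()
                if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
                $owners[$key] += $dn
            }
        }

    foreach ($key in $owners.Keys) {
        if ($owners[$key].Count -gt 1) {
            [pscustomobject]@{
                SPN    = $key
                Owners = ($owners[$key] -join '; ')
            }
        }
    }
}

# An empty result means every http/ SPN maps to exactly one account.
Find-DuplicateSpn -ServiceClass 'http' | Format-Table -AutoSize
```

The built-in `setspn -X -F` performs a comparable forest-wide duplicate search; the script above is useful when you want the owning objects side by side for cleanup.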

All replies

  • Hi,

    Thank you for the post.

    I found this thread may help you: http://forums.isaserver.org/m_2002068683/mpage_2/key_/tm.htm#2002072997.

    Regards,

    Nick Gu - MSFT
    Thursday, August 25, 2011 9:05 AM