Kerberos Constrained Delegation (KDC) and HTTP 401 RRS feed

  • Question

  • I setup UAG SP1 to user ADFS 2.0 for authentication. It works like a charm including SSO with back end web sites with federated authentication.

    Next up is SSO with a web site in IIS 7.5 requiring "Windows" authentication in Web.config and with IIS set to "Windows Integrated" (Negotiate). I works fine when accessed from a regular browser on the UAG server.

    When I access the app from my trunk portal, I get "You do not have permissions to view this folder or page." and Web Monitor log reads "The request from user domain\\user at source IP address ... to trunk federationserver; Secure=1 failed because the request was unable to reply to an HTTP 401 request from application TestKCD of type internal05. The session ID is 94337D54-C445-4207-ADC9-E21AAE80711A."

    Now, just before that are entries that state that the protocol transition went fine ("The S4U2Self Kerberos token for user niels with source IP address ...  was retrieved successfully. The application is TestKCD of type internal05 on trunk federationserver; Secure:1.")

    Any ideas on why I can do the S4U, but no luck in accessing the app from the portal? (I thought I had set SPN's correctly)

    Thursday, February 10, 2011 10:30 PM


  • This is probably because of some mismatch in the properties of the Kerneros ticket that UAG has obtained for thsi user, Niels. In complex environments, there are situations where the DC issue a ticket that the website isn't configured to accept. This is far from trivial, so I would suggest you contact Microsoft and open a support case, unless you have already resolved this.
    Ben Ari
    Microsoft CSS UAG/IAG Support
    Sammamish, WA
    • Marked as answer by Erez Benari Tuesday, May 17, 2011 11:08 PM
    Tuesday, May 17, 2011 11:08 PM