Subject: [ActiveDir] Kerberos delegation
Parzival
08/15/2008 3:55 AM  
Hi All,

Setup:
Client->SP01->SQL01->IS02->IS03

(note that the names/roles do not match!, all servers are IIS webservers)

Problem:
When I enable unconstrained delegation every server is able to retrieve a Kerberos ticket on my behalf. I've set up a webpage according to http://support.microsoft.com/kb/314404 on all webservers. I see Kerberos authentication on all webservers, except when setting constrained delegation; then the setup breaks after the SQL hop.

After enabling Constrained Delegation (Kerberos Only) and setting all services on all backend servers as possibilities, I see the following packet on the first server.


Packet:
23 -7193.062500 192.168.10.2 192.168.10.1 KRB5 TGS-REQ
KDCOptions: 40830000 (Forwardable, Renewable, Constrained Delegation, Canonicalize)
Server Name (Service and Host): host/sp01.rootdomain.local

25 -7193.031250 192.168.10.1 192.168.10.2 KRB5 KRB Error: KRB5KDC_ERR_BADOPTION NT Status: STATUS_NO_MATCH

I enabled Kerberos logging on the servers, and on SP01 I see in the event log:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 7:18:42.0000 8/15/2008 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc0000272 KLIN(0)
Client Realm:
Client Name:
Server Realm: ROOTDOMAIN.LOCAL
Server Name: host/sp01.rootdomain.local
Target Name: host/sp01.rootdomain.local@ROOTDOMAIN.LOCAL
Error Text:
File: 9
Line: ae0
Error Data is in record data.

Now I want to enable KDC extended error logging, but that does not seem to work. According to an article I must do the following:

To enable Kerberos logging on the KDC, follow these steps:

1. Install the checked build of Kerberos modules (Kerberos.dll and Kdcsvc.dll). To do this, follow these steps:
   a. Restart the domain controller in safe mode.
   b. Back up the Kerberos .dll files.
   c. Copy the checked build of Kerberos modules.

2. Add the following registry entries:

   - Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
     Value: KdcDebugLevel
     Value Type: REG_DWORD
     Value Data: 0xffffffff

   - Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
     Value: LogToFile
     Value Type: REG_DWORD
     Value Data: 1 (enabled)

   - Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
     Value: KdcExtraLogLevel
     Value Type: REG_DWORD
     Value Data: 0x4

3. Restart the KDC server.

The log file Lsass.log is created in the %Systemroot%\System32 folder.

But that did not create the lsass.log file. How can I get the checked build of Kerberos modules, or otherwise get more details?

(More details also found here: http://blog.avanadeadvisor.com/blogs/parzival/archive/2008/08/08/11587.aspx)

Kind regards

Roelf Zomerman
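As an added example (not part of the original post or the poster's setup), the script below decodes the KDCOptions word from the TGS-REQ in the capture using RFC 4120's MSB-first bit numbering, and models the two checks MS-SFU describes for an S4U2proxy request (evidence ticket forwardable, target SPN present in msDS-AllowedToDelegateTo), both of which surface as the same KDC_ERR_BADOPTION. The chain, SPNs and per-hop flags are constructed sample data; which check actually failed in the poster's environment cannot be determined from the post.

```python
# Added example: decode a TGS-REQ KDCOptions word and model the S4U2proxy checks
# from MS-SFU. The chain/SPN sample data below is constructed, not real config.

# RFC 4120 KDCOptions is an ASN.1 BIT STRING: bit 0 is the most significant bit
# of the 32-bit value as Wireshark prints it. Bit 14 is the MS-SFU
# "constrained delegation" (cname-in-addl-tkt) flag.
KDC_OPTION_BITS = {
    1: "forwardable", 2: "forwarded", 8: "renewable",
    14: "constrained-delegation", 15: "canonicalize", 27: "renewable-ok",
}


def decode_kdc_options(value: int) -> list:
    """Names of the set KDCOptions bits, e.g. 0x40830000 from the capture."""
    return [name for bit, name in sorted(KDC_OPTION_BITS.items())
            if value & (1 << (31 - bit))]


def s4u2proxy_check(requester: str, target_spn: str,
                    allowed_to_delegate_to: dict, evidence_forwardable: bool) -> tuple:
    """Model the two MS-SFU checks a KDC applies to an S4U2proxy TGS-REQ.
    Both failures come back as KDC_ERR_BADOPTION (0xd), so the error code
    alone does not say which one tripped."""
    if not evidence_forwardable:
        return (False, "evidence ticket lacks the forwardable flag")
    permitted = {s.lower() for s in allowed_to_delegate_to.get(requester.lower(), [])}
    if target_spn.lower() not in permitted:
        return (False, f"{target_spn} not in msDS-AllowedToDelegateTo of {requester}")
    return (True, "ok")


def walk_chain(chain: list, allowed_to_delegate_to: dict, forwardable: dict) -> list:
    """Check each hop of a front-end -> back-end chain; stop at the first failure."""
    results = []
    for hop, nxt in zip(chain, chain[1:]):
        target_spn = f"http/{nxt}.rootdomain.local"  # all hops are IIS in the post
        ok, reason = s4u2proxy_check(hop, target_spn, allowed_to_delegate_to,
                                     forwardable.get(hop, False))
        results.append((hop, nxt, ok, reason))
        if not ok:
            break
    return results


# Constructed sample: every hop lists the next hop's SPN, but the ticket SQL01
# holds for the user is not forwardable, so this sample chain breaks at SQL01.
SAMPLE_CHAIN = ["sp01", "sql01", "is02", "is03"]
SAMPLE_ALLOWED = {"sp01": ["http/sql01.rootdomain.local"],
                  "sql01": ["http/is02.rootdomain.local"],
                  "is02": ["http/is03.rootdomain.local"]}
SAMPLE_FORWARDABLE = {"sp01": True, "sql01": False, "is02": True}

if __name__ == "__main__":
    print(decode_kdc_options(0x40830000))
    for row in walk_chain(SAMPLE_CHAIN, SAMPLE_ALLOWED, SAMPLE_FORWARDABLE):
        print(row)
```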


Copyright 2008 ActiveDir.org