Subject: [ActiveDir] Constrained delegation for the internal resource on VPN appliance.

Author: samhigens

06/17/2010 3:26 PM

Hi All,

We have a way to set up a Kerberos Constrained Delegation based SSO technique on the Juniper SSL VPN device. In that, we set a user account to delegate the HTTP service on the web server by setting an SPN for the account. You can check the procedure for this in the PDF linked below:

http://www.juniper.net/techpubs/software/ive/guides/howtos/SSLConstrainedDelegation.pdf



In this I find the SSL appliance is able to get a TGT on behalf of the delegated account, then fetch an S4U2Self ticket for the actual external user trying to access the web service, then finally the request for the TGS for the external user fails stating "KDC could not fullfill the requested option" as a response from the DC. This error corresponds to the standard KDC error "BADOPTION". I have tried this over and over but am not sure if I am missing something here. According to the packet capture, it seems that the domain controller is not able to address the TGS-REQ when the constrained delegation option is set in the requested KDC options.

I have checked in ADSIedit that the "AllowedToDelegate" attribute is set correctly.



Any suggestions appreciated.





With Regards.....
Sumanto Chakraborty
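
The exchange in the post ends at the S4U2Proxy TGS-REQ. As an added example (not part of the original post or of the Juniper guide), the code below checks the preconditions that MS-SFU and RFC 4120 document for that request, using the KDC options from the capture, the flags of the S4U2Self ticket, and the delegating account's attributes. The function name, sample flag values and SPN are constructed for illustration; the attribute is written `msDS-AllowedToDelegateTo` as in the AD schema.

```python
# Added example: documented S4U2Proxy preconditions, run on constructed values.
# Kerberos flag fields number their bits from the most significant end (bit 0 = MSB).
def kbit(n):
    return 1 << (31 - n)

KDCOPT_CNAME_IN_ADDL_TKT = kbit(14)  # shown as "constrained-delegation" in Wireshark
TKT_FORWARDABLE = kbit(1)            # 0x40000000 in TicketFlags
# userAccountControl bit behind "Use any authentication protocol" (protocol transition)
UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000

def s4u2proxy_findings(kdc_options, evidence_flags, uac, allowed_spns, target_spn):
    """Return the unmet S4U2Proxy preconditions (empty list means none found)."""
    findings = []
    if not kdc_options & KDCOPT_CNAME_IN_ADDL_TKT:
        findings.append("TGS-REQ does not set cname-in-addl-tkt")
    if not evidence_flags & TKT_FORWARDABLE:
        # The KDC rejects a non-forwardable evidence ticket with KDC_ERR_BADOPTION.
        findings.append("S4U2Self evidence ticket is not forwardable")
        if not uac & UAC_TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append("delegating account lacks TRUSTED_TO_AUTH_FOR_DELEGATION")
    # SPN matching in the delegation list is case-insensitive.
    if target_spn.lower() not in {s.lower() for s in allowed_spns}:
        findings.append(f"{target_spn} is not in msDS-AllowedToDelegateTo")
    return findings

# Constructed sample values, not taken from the poster's capture or directory.
SAMPLE = dict(
    kdc_options=0x40830000,     # forwardable, renewable, cname-in-addl-tkt, canonicalize
    evidence_flags=0x00A00000,  # renewable, pre-authent; forwardable bit is clear
    uac=0x00010200,             # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    allowed_spns=["HTTP/web01.example.test"],
    target_spn="http/web01.example.test",
)

if __name__ == "__main__":
    for line in s4u2proxy_findings(**SAMPLE) or ["no unmet precondition found"]:
        print(line)
```

The ticket flags are only visible in a capture when the dissector has been given the relevant keys; otherwise read them from the appliance's own ticket cache or logs.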
