Kerberos constrained delegation


I have a small problem with setting up Kerberos constrained delegation in Active Directory.

The setup is as follows:

1. Client workstation.
2. Web server running Windows Server 2008 Enterprise with IIS installed (iis.domain.lab). This is the front-end server; the W3SVC service runs under the LocalSystem account.
3. Application server running Windows Server 2008 Enterprise (app.domain.lab). This is the back-end server; the application service runs under the domain account svc_app_usr.
4. Domain controller (dc.domain.lab).

The IIS server hosts a specific application that the end user opens in a browser. Since the IIS server and the application are on different servers, I need to configure Kerberos constrained delegation.

I did the following:

1. For svc_app_usr, I registered the SPNs SERVICE_NAME/APP and SERVICE_NAME/APP.domain.lab.
2. On the IIS server, I set up Kerberos constrained delegation to the domain account svc_app_usr.

But I have the following problem: when I try to open the application in a browser, it does not open. In Wireshark I see that when the IIS server sends a TGS request to the domain controller, it receives the following error in the response:

KRB5KDC_ERR_BADOPTION NT Status: STATUS_NO_MATCH NT Status: STATUS_NO_MATCH (0xc0000272) Unknown: 0x00000000 Unknown: 0x00000003

Please tell me, where did I go wrong?

iis
kerberos
delegation
asked on Server Fault May 25, 2015 by cortes_
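The following is an added audit script, not code from the question or from Microsoft. In a constrained delegation (S4U2proxy) request, one common reason the KDC answers KRB5KDC_ERR_BADOPTION is that the SPN the front end asks a ticket for does not match an entry in the front end's msDS-AllowedToDelegateTo list, or that the SPN is not registered (or is registered more than once) in the directory. The script below reads those pieces of the chain with the ActiveDirectory module and reports mismatches; it assumes the names from the question (computer account "iis", service account "svc_app_usr", the question's SERVICE_NAME placeholder) and read access to the domain. Because W3SVC runs as LocalSystem, the delegation list is read from the IIS computer account, which is the identity that makes the S4U2proxy request.

```powershell
# Added example: read-only audit of a Kerberos constrained delegation (KCD) chain.
# Not from the question; account and SPN names are placeholders taken from it.
# Requires the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

function Test-KcdChain {
    param(
        [string]$FrontEndComputer,   # sAMAccountName of the front-end host, e.g. 'iis'
        [string]$BackEndAccount,     # account the back-end service runs as, e.g. 'svc_app_usr'
        [string[]]$ExpectedTargets   # SPNs the front end must be allowed to delegate to
    )
    $findings = New-Object System.Collections.Generic.List[string]

    $fe = Get-ADComputer -Identity $FrontEndComputer `
            -Properties 'msDS-AllowedToDelegateTo','TrustedToAuthForDelegation','servicePrincipalName'
    $be = Get-ADUser -Identity $BackEndAccount -Properties 'servicePrincipalName'

    # Unset multi-valued attributes come back empty; drop any nulls so .Count is meaningful.
    $allowed = @($fe.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    $feSpns  = @($fe.servicePrincipalName        | Where-Object { $_ })
    $beSpns  = @($be.servicePrincipalName        | Where-Object { $_ })

    # 1. The front end needs a delegation list at all. W3SVC running as LocalSystem
    #    presents the computer account, so the list must live on the computer object.
    if ($allowed.Count -eq 0) {
        $findings.Add("$FrontEndComputer has an empty msDS-AllowedToDelegateTo (no KCD targets).")
    }

    # 2. Every SPN the front end will request must be in its allowed list. The KDC compares
    #    the requested SPN string against the list, so 'SVC/app' and 'SVC/app.domain.lab'
    #    are distinct entries and both forms normally need to be listed.
    foreach ($spn in $ExpectedTargets) {
        if ($allowed -notcontains $spn) {   # string comparison is case-insensitive here
            $findings.Add("Target SPN '$spn' is not in the delegation list of $FrontEndComputer.")
        }
    }

    # 3. Each allowed SPN must be registered on exactly one account, and that account
    #    should be the back-end service account the delegated tickets are meant for.
    foreach ($spn in $allowed) {
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties 'sAMAccountName')
        switch ($owners.Count) {
            0       { $findings.Add("Allowed SPN '$spn' is registered on no account.") }
            1       {
                if ($owners[0].sAMAccountName -ne $be.SamAccountName) {
                    $findings.Add("Allowed SPN '$spn' is owned by $($owners[0].sAMAccountName), not $BackEndAccount.")
                }
            }
            default { $findings.Add("Allowed SPN '$spn' is duplicated on $($owners.Count) accounts.") }
        }
    }

    # 4. The browser must first get a Kerberos ticket for the front end itself, which needs
    #    an HTTP SPN for the site name on the account W3SVC runs as. Without it the client
    #    falls back to NTLM, and the front end then has no ticket to delegate unless
    #    protocol transition (TrustedToAuthForDelegation) is enabled.
    if (-not ($feSpns | Where-Object { $_ -like 'HTTP/*' })) {
        $findings.Add("$FrontEndComputer has no HTTP/ SPN; clients may fall back to NTLM.")
    }

    [pscustomobject]@{
        FrontEnd            = $fe.SamAccountName
        ProtocolTransition  = [bool]$fe.TrustedToAuthForDelegation
        AllowedToDelegateTo = $allowed
        FrontEndSpns        = $feSpns
        BackEndSpns         = $beSpns
        Findings            = $findings.ToArray()
        Ok                  = ($findings.Count -eq 0)
    }
}

# Usage with the names from the question (SERVICE_NAME is the question's own placeholder):
Test-KcdChain -FrontEndComputer 'iis' -BackEndAccount 'svc_app_usr' `
    -ExpectedTargets 'SERVICE_NAME/APP','SERVICE_NAME/APP.domain.lab' |
    Format-List
```

The script only reads the directory; it changes nothing. Run it from a domain-joined host as an account with ordinary read access, and compare the Findings list against the SPN seen in the failing TGS-REQ in Wireshark: that SPN must appear, character for character, in AllowedToDelegateTo and must be owned by the back-end account.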

0 Answers

Nobody has answered this question yet.
