Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.

Dismiss

Problem configuring kerberos delegation on a windows 2003 domain

182 views

Skip to first unread message

Lima Valdes Emil

unread,

Feb 29, 2008, 1:38:05 PM2/29/08

to Kerb...@mit.edu

Hi all,

I扉e been trying to configure Kerberos delegation on a Windows 2003 domain but I haven't got any good result yet. I followed a Microsoft Document on [1] to configure Kerberos in order to build a .NET 2.0 SOA solution. The following is the Kerberos trace when I try to access page A in a scenario like this:

IE -----> Page_A.aspx ----> Service_A.asmx
WebApp on IIS WebService on IIS
Server A The same server A
App pool on domain App pool on domain
account A account B

Kerberos trace:
---------------

500.652> Kerb-Bnd: Calling kdc 129.170.140.8 for realm SMNYL.COM.MX
500.652> Kerb-Warn: KerbGetTgsTicket failed to unpack KDC reply: 0x3c
HTTP a_service.smnyl.com.mx
500.652> Kerb-Warn: KerbGetTgsTicket KerbCallKdc: error 0x7
500.652> Kerb-Warn: Failed to get TGS ticket for service 0xc000018b :
HTTP a_service.smnyl.com.mx
500.652> Kerb-Warn: d:\nt\ds\security\protocols\kerberos\client2\kerbtick.cxx, line 3833
500.652> Kerb-SPN: KerbInsertSpnCacheEntry spn cache disabled
500.652> Kerb-Warn: TARGET_UNKNOWN for SMNYL.COM.MX\account_a LogonId 0:0xfbc9, target HTTP a_service.smnyl.com.mx
500.652> Kerb-Warn: SpInitLsaModeContext failed to get outbound ticket, KerbGetServiceTicket failed with 0xc000018b

---------------

ASP.NET error
---------------
Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: WSE594: InitializeSecurityContext call failed with the following error message: The network path was not found.
----------------

Regards,
Emil.

[1] http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx

Michael B Allen

unread,

Feb 29, 2008, 1:57:31 PM2/29/08

to Lima Valdes Emil, kerb...@mit.edu

On 2/29/08, Lima Valdes Emil <el...@monterrey-newyorklife.com.mx> wrote:
> Kerberos trace:

> 500.652> Kerb-Warn: KerbGetTgsTicket failed to unpack KDC reply: 0x3c
> HTTP a_service.smnyl.com.mx

Hi Emil,

All of your diagnostics are very Windows specific which isn't going to
translate well here. You might try to get a capture and generally
adjust your terminology into "failed to get a TGT", "the SPN is",
"service ticket this", "credential that", ...

Is the "HTTP a_service.smnyl.com.mx" supposed to be an SPN? Perhaps
that should be "HTTP/a_service.smnyl.com.mx"?

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

0 new messages