Constrained delegation issues

Kerberos Kerberos at deanplant.co.uk
Fri Jul 19 03:12:33 EDT 2013


Hi List,

First-time poster looking for some debugging help on a constrained
delegation issue. After spending a few days on this problem, I am hoping
someone can point me to what may be wrong.

Background: I am carrying out certificate-to-Kerberos constrained
delegation under 2008 R2 / IIS 7.5 for ActiveSync connections.

The IIS server computer account is set with "Trust this computer for
delegation" and "Use any authentication".
I have added http/name and http/name.domain.cc for the IIS proxy and
Exchange.

No matter what I try, I cannot get past the TGS request stage and receive a
Client Principal error.

In packet captures I see the following (note: user and domain changed; CC is as is).

KerberosV5:AS Request Cname: user at domain.cc Realm: DOMAIN.CC Sname:
krbtgt/DOMAIN.CC
KerberosV5:KRB_ERROR  - KDC_ERR_PREAUTH_REQUIRED (25)
KerberosV5:TGS Request
KerberosV5:KRB_ERROR  - KDC_ERR_C_PRINCIPAL_UNKNOWN (6)

The certificate is authenticating to IIS, and in the TGS request I see:

    + MsgType: KRB_TGS_REQ (12)
    + Tag3:
    - PaData:
     + SequenceOfHeader:
     + PaData: PA-TGS-REQ (1)
     + PaData: PA_S4U_X509_USER (130)
     + PaData: PA-FOR-USER (129)

In the PA_S4U_X509_USER I see the correct UPN and realm information.

In the PA-FOR-USER I noticed the realm has been truncated to domain.c
instead of domain.cc.


- Kerberos: TGS Request
  + Length: Length = 3057
  - TgsReq: Kerberos TGS Request
   + ApplicationTag:
   - KdcReq: KRB_TGS_REQ (12)
    + SequenceHeader:
    + Tag1:
    + Pvno: 5
    + Tag2:
    + MsgType: KRB_TGS_REQ (12)
    + Tag3:
    - PaData:
     + SequenceOfHeader:
     - PaData: PA-TGS-REQ (1)
      + SequenceHeader:
      + Tag1:
      + PaDataType: PA-TGS-REQ (1)
      + Tag2:
      + OctetStringHeader:
      + KrbApReq: KRB_AP_REQ (14)
     + PaData: PA_S4U_X509_USER (130)
     - PaData: PA-FOR-USER (129)
      + SequenceHeader:
      + Tag1:
      + PaDataType: PA-FOR-USER (129)
      + Tag2:
      + OctetStringHeader:
      - PaForUser:
       + SequenceHeader:
       + Tag0:
       + UserName: user at domain.cc
       + Tag1:
       + Realm: DOMAIN.C
       + Tag2:


Points I have checked:
The UPN is correct.
The account exists on all DCs.
SPNs are correct.
Trusted for delegation is correct.
The computer account exists.
The correct UPN is in the certificate.
Used the delegconfig tool, which reports all is good.

So the question is: would the PA-FOR-USER realm issue cause this problem
even if it is correct in the PA_S4U_X509_USER?

One other point is that the server name/computer account is in upper case,
but references in Kerberos packet captures show it in lower case. I know
the domain part needs to be upper case, but can a change of case in computer
accounts cause issues?

Sorry for the rambling; I have spent way too much time trying to figure out
what is wrong.

Thanks in advance.
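Added example, not part of the list post above and not Microsoft's or MIT's code: a small Python script that encodes and decodes the PA-FOR-USER structure from MS-SFU section 2.2.1, recomputes the checksum the KDC verifies over it (RC4-HMAC session key, key usage 17, checksum type HMAC_MD5 = -138, per RFC 4757), and compares the realm the structure carries with the realm the KDC expects. The 16-byte session key and the names are constructed; the truncated realm "DOMAIN.C" mirrors what the poster saw in the capture. The script does not say why the realm is short, only how to check the field against the expected realm and whether the checksum covers exactly the bytes that were sent.

```python
"""Decode a Kerberos PA-FOR-USER (padata type 129) and check the realm it carries.
Constructed, offline example: the DER bytes are produced by the minimal encoder
below, not taken from the list post's capture. Layout per MS-SFU 2.2.1:
PA-FOR-USER ::= SEQUENCE { userName [0] PrincipalName, userRealm [1] Realm,
                           cksum [2] Checksum, auth-package [3] KerberosString }
"""
import hashlib
import hmac
import struct

NT_PRINCIPAL = 1
KEY_USAGE_PA_FOR_USER = 17      # MS-SFU 2.2.1: key usage for the PA-FOR-USER checksum
CKSUMTYPE_HMAC_MD5 = -138       # RFC 4757: checksum type used with RC4-HMAC keys

def _tlv(tag, body):                    # minimal DER TLV, short or long-form length
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def _ctx(n, body):                      # context-specific constructed tag [n]
    return _tlv(0xA0 | n, body)

def _int(v):                            # INTEGER, two's complement, shortest width
    width = 1
    while True:
        try:
            return _tlv(0x02, v.to_bytes(width, "big", signed=True))
        except OverflowError:
            width += 1

def _gstr(s):                           # GeneralString (KerberosString)
    return _tlv(0x1B, s.encode())

def _read_tlv(buf, pos=0):              # -> (tag, payload, position after the element)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def _children(body):                    # all (tag, payload) elements inside a SEQUENCE body
    pos, out = 0, []
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        out.append((tag, inner))
    return out

def _fields(body):                      # {n: payload of the element wrapped in [n]}
    return {tag & 0x0F: _read_tlv(inner)[1] for tag, inner in _children(body)}

def rc4_hmac_checksum(key, usage, data):
    """HMAC-MD5 checksum for RC4-HMAC keys (RFC 4757 section 4)."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()

def s4u_checksum_input(name_type, names, realm, auth_package):
    """Bytes the checksum covers (MS-SFU 2.2.1): name-type as a 4-byte
    little-endian integer, then every name-string, the realm, auth-package."""
    return struct.pack("<I", name_type) + "".join(names).encode() + realm.encode() + auth_package.encode()

def build_pa_for_user(user, realm, session_key, auth_package="Kerberos"):
    principal = _tlv(0x30, _ctx(0, _int(NT_PRINCIPAL)) + _ctx(1, _tlv(0x30, _gstr(user))))
    mac = rc4_hmac_checksum(session_key, KEY_USAGE_PA_FOR_USER,
                            s4u_checksum_input(NT_PRINCIPAL, [user], realm, auth_package))
    cksum = _tlv(0x30, _ctx(0, _int(CKSUMTYPE_HMAC_MD5)) + _ctx(1, _tlv(0x04, mac)))
    return _tlv(0x30, _ctx(0, principal) + _ctx(1, _gstr(realm))
                + _ctx(2, cksum) + _ctx(3, _gstr(auth_package)))

def parse_pa_for_user(der):
    tag, body, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("PA-FOR-USER must be a SEQUENCE")
    f = _fields(body)
    name, ck = _fields(f[0]), _fields(f[2])
    return {
        "name_type": int.from_bytes(name[0], "big", signed=True),
        "names": [s.decode() for _, s in _children(name[1])],
        "realm": f[1].decode(),
        "cksum_type": int.from_bytes(ck[0], "big", signed=True),
        "cksum": ck[1],
        "auth_package": f[3].decode(),
    }

def check_pa_for_user(der, expected_realm, session_key):
    """Does the realm match what the KDC expects, and does the checksum verify
    over exactly the fields as sent (i.e. the realm bytes are what the client signed)?"""
    p = parse_pa_for_user(der)
    covered = s4u_checksum_input(p["name_type"], p["names"], p["realm"], p["auth_package"])
    expected = rc4_hmac_checksum(session_key, KEY_USAGE_PA_FOR_USER, covered)
    return {"realm": p["realm"], "realm_matches": p["realm"] == expected_realm,
            "checksum_valid": hmac.compare_digest(expected, p["cksum"])}

if __name__ == "__main__":
    key = bytes(range(16))   # constructed RC4-HMAC session key, not a real one
    print(check_pa_for_user(build_pa_for_user("user@domain.cc", "DOMAIN.C", key), "DOMAIN.CC", key))
```

Run against the truncated realm, the check reports `realm_matches: False` with `checksum_valid: True`: the structure is internally consistent, so the short realm is what the client actually signed, not something the KDC could repair. Feeding the script the PA-FOR-USER bytes from a real capture (with the TGT session key, which the KDC holds) would answer the poster's consistency question directly; the same decoder can be pointed at PA_S4U_X509_USER's realm for comparison.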
