  • Kerberos Constrained Delegation

    Nov 05, 2018 08:32 PM|pfeif4

    So I am wondering if this is possible as I am trying to replace TMG 2010 with ARR.

    In TMG, I have the server set up to request a client certificate and authenticate the user.  TMG then redirects to the backend server, which is IIS and has Windows Auth turned on.  The user is logged in based on Kerberos Constrained Delegation.

    The TMG box is authorized to delegate to the backend IIS server with AD.  TMG is also told to use the SPN of http/backendserver.

    So, I try the same thing in ARR and it is failing.  I saw some posts that ARR cannot delegate, so I am wondering if it is possible or what I am missing. 

    ARR is set to allow delegation to the backend server.  The backend server is the same as above with Windows Auth turned on. ARR has Windows Auth turned on as well.

    Is this possible?  Or am I just missing setting an SPN on the ARR box, so it knows how to set the KCD ticket?  What SPN should I use to mimic the TMG UI setting?