Kerberos Constrained Delegation RSS

2 replies

Last post Nov 07, 2018 10:15 PM by pfeif4

  • Kerberos Constrained Delegation

    Nov 05, 2018 08:32 PM|pfeif4|LINK

    So I am wondering if this is possible as I am trying to replace TMG 2010 with ARR.

    In TMG, I have the server set up to request a client certificate and authenticate the user.  TMG then redirects to the backend server which is IIS and has Windows Auth turned on.  The user is logged in based on Kerberos Constrained Delegation. 

    TMG box is authorized to delegate to the backend iis server with AD.  TMG is also told to use the spn of http/backendserver

    So, I try the same thing in ARR and it is failing.  I saw some posts that ARR cannot delegate, so I am wondering if it is possible or what I am missing. 

    ARR is set to allow delegation to the backend server.  The backend server is the same as above with Windows Auth turned on. ARR has windows Auth turned on as well. 

    Is this possible?  Or am I just missing setting an SPN on the ARR box, so it knows how to set the KCD ticket?  What SPN should I use to mimic the TMG UI setting? 

    Thanks

    Mark 

  • Re: Kerberos Constrained Delegation

    Nov 07, 2018 02:17 AM|Brando Zhang|LINK

    Hi pfeif4,

    As far as I know, we could set the ARR server work with the Kerberos Constrained Delegation.

    I suggest you could refer to below article to know how to set the Kerberos Constrained Delegation works with the ARR.

    https://blogs.technet.microsoft.com/latam/2015/06/24/kerberos-authentication-and-application-request-routing/ 

    We could u

    Best Regards,

    Brando

  • Re: Kerberos Constrained Delegation

    Nov 07, 2018 10:15 PM|pfeif4|LINK

    Thank you - Was reading that as well.  My confusion has been over most of the articles reference the kerberos from the desktop to the web site.  I will check this out to see if it helps with the double hop.  Looks promising.  

    Thanks

    Mark