Kerberos to NTLM delegation timeout



I apologize if this is available, but there is so much on getting delegation
to work that we aren't coming up with anything.

First off, we are using constrained delegation to run a dual-server
environment for an ASP.NET 2.0 application under IIS 6.0 and SQL Server 2005.
All Windows Server 2k3. Our Active Directory is balanced across two different
servers.

A subset of our users are receiving delegation errors at what seems like
random, inconsistent times of the day. Most of the time the majority of the
users are working fine.

Basically the Kerberos ticket appears to either expire or be overridden by
an NTLM ticket causing a double hop failure.

We have determined that the problem can temporarily be solved by doing the
following:
Close IE -> Control-Alt-Delete -> Lock -> UnLock

However, once the original problem happens, this only seems to fix it for a
short while until the same error is experienced again.

Any direction or ideas at all would be greatly appreciated.

- Marc Castrechini

