Re: Kerberos to NTLM delegation timeout



Hi Marc,

From your description, I understand you're using constrained delegation
between two Windows 2k3 servers for your ASP.NET application, which connects
to a remote SQL Server 2k5 db. However, you found the Kerberos delegation will
fail with an error randomly, correct?

Based on my experience, for such Kerberos delegation problems, most of them
are likely caused by environment configuration settings or some network
related issues. And normally, it will require troubleshooting over all the
boxes from front clients to the backend servers and also the domain
controller box; network tracing is also necessary to get detailed error
information. Therefore, it may not be easy to completely resolve such a
problem through the newsgroup support interface, but we'll try our best to
help you track down this issue.

According to the symptom you mentioned, it seems the Kerberos ticket will
always time out after a certain period, and lock/unlock or logout/login
seems to be able to overcome it temporarily. Have you checked the KDC to see
whether the timeout or any expiry related setting is as expected? Also, it
is helpful to use some network trace utility to capture the HTTP messages
and look up what the error message is when the Kerberos delegation failed;
you need to capture the messages between both IE client <---> web application
server and web application server <---> backend db server.

Here are some existing documents and references on Kerberos delegation issues
which can provide some systematic troubleshooting ideas:

#Kerberos authentication and troubleshooting delegation issues
http://support.microsoft.com/kb/907272

#Troubleshooting Kerberos Delegation
http://www.microsoft.com/downloads/details.aspx?FamilyID=99B0F94F-E28A-4726-BFFE-2F64AE2F59A2&displaylang=en

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.
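As an added example (not part of the reply above or any Microsoft tool), the following PowerShell script performs the three checks the reply suggests on the web application server: it reads the domain Kerberos policy lifetimes from the Default Domain Policy template in SYSVOL, lists the delegation settings on the server's computer account, and shows how long each ticket in the current logon session has left. It assumes PowerShell 2.0 or later, a klist.exe on the path, that it runs in the logon session of the application pool identity, and the placeholder domain name `corp.example`.

```powershell
# Added example, not from the original post. Run on the web application server
# in the app pool identity's logon session. Assumptions: PowerShell 2.0+,
# klist.exe available, and 'corp.example' as a placeholder domain name.
$domain  = 'corp.example'                            # placeholder
$gpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'  # Default Domain Policy GPO
$tmpl = "\\$domain\SYSVOL\$domain\Policies\$gpoGuid\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

# 1. Domain Kerberos policy: MaxTicketAge (hours), MaxServiceAge (minutes),
#    MaxRenewAge (days), MaxClockSkew (minutes). Compare these values with the
#    period after which the delegated SQL connection starts failing.
"== Kerberos policy from $tmpl"
$inKerb = $false
foreach ($line in Get-Content -Path $tmpl) {
    if ($line -match '^\[(.+)\]\s*$') { $inKerb = ($matches[1] -eq 'Kerberos Policy'); continue }
    if ($inKerb -and $line -match '^(\w+)\s*=\s*(\d+)') { '{0,-20} {1}' -f $matches[1], $matches[2] }
}

# 2. Delegation settings on this server's computer account. For constrained
#    delegation the backend SQL SPN (MSSQLSvc/host:port) must be listed;
#    TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000) means protocol transition
#    (the "Kerberos to NTLM" case) is enabled for this account.
"== Delegation settings for $env:COMPUTERNAME"
$searcher = [adsisearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
[void]$searcher.PropertiesToLoad.AddRange(@('msDS-AllowedToDelegateTo', 'userAccountControl'))
$acct = $searcher.FindOne()
$uac  = [int]$acct.Properties['useraccountcontrol'][0]
'TRUSTED_FOR_DELEGATION (unconstrained): ' + (($uac -band 0x80000)   -ne 0)
'TRUSTED_TO_AUTH_FOR_DELEGATION        : ' + (($uac -band 0x1000000) -ne 0)
'Allowed to delegate to:'
$acct.Properties['msds-allowedtodelegateto'] | ForEach-Object { "  $_" }

# 3. Tickets in the current logon session and the time left before expiry.
#    klist prints one "Server:" line and one "End Time:" line per ticket.
"== Ticket expiry (klist)"
$now = Get-Date; $server = $null
klist.exe | ForEach-Object {
    if ($_ -match '^\s*Server:\s+(\S+)') { $server = $matches[1] }
    elseif ($_ -match '^\s*End Time:\s+(.+?)\s*\(local\)') {
        $left = [datetime]::Parse($matches[1]) - $now
        '{0,-45} expires in {1:0} min' -f $server, $left.TotalMinutes
    }
}
```

If the MSSQLSvc ticket's remaining time lines up with the interval after which connections fail, the policy lifetimes in step 1 are the first thing to compare against what the KDC is actually issuing.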


