Alex Parker

Just a thought...

Windows Integrated Authentication, Kerberos, and Delegation FAQ

This document is a collection of all the references that I found helpful in troubleshooting my organization's integrated authentication issues using Kerberos. This is a living document, so I will update it as I find useful things. --Alex

 

Troubleshooting Kerberos Delegation
http://www.microsoft.com/downloads/details.aspx?FamilyID=99b0f94f-e28a-4726-bffe-2f64ae2f59a2&displaylang=en

HOW TO: Troubleshoot Kerberos-Related Issues in IIS
http://support.microsoft.com/?id=326985

HOWTO: Use Kerberos with the ServerXMLHTTP Component in MSXML (Sample asp files can be found here)
http://support.microsoft.com/default.aspx?scid=kb;en-us;314404

HOWTO: Use Delegation in Windows 2000 with COM+
http://support.microsoft.com/default.aspx?scid=kb;EN-US;283201

HOW TO: Configure Windows SharePoint Services to Use Kerberos Authentication
http://support.microsoft.com/?id=832769

 

I like to script everything, so here is an example of a script that configures the necessary properties on the user/machine account in Active Directory in order to get delegation to work. Both delegation settings live as bits in the account's userAccountControl attribute, so the script reads that value, tests the bit, and writes the changed value back.

How to Use the UserAccountControl Flags to Manipulate User Account Properties
http://support.microsoft.com/?id=305144

Programmatically set trusted for delegation using VBScript (Original sample http://www.microsoft.com/technet/community/scriptcenter/user/scrug52.mspx):

      ' Each function binds to the account in Active Directory, reads the
      ' userAccountControl bitmask, and tests one bit with a bitwise AND.
      ' XOR toggles that bit, so the check beforehand is what keeps a second
      ' run from undoing the first. Replace the LDAP path with your own account.

      Function SetDelegation()
            ' TRUSTED_FOR_DELEGATION (0x80000): "trusted for delegation to any service"
            Const ADS_TRUSTED_FOR_DELEGATION = &h80000
            Set objUser = GetObject("LDAP://cn=myserver,ou=dept,dc=organization,dc=com")
            intUAC = objUser.Get("userAccountControl")
            If ADS_TRUSTED_FOR_DELEGATION AND intUAC Then
                  WScript.Echo "Already enabled"
            Else
                  objUser.Put "userAccountControl", intUAC XOR ADS_TRUSTED_FOR_DELEGATION
                  objUser.SetInfo
                  WScript.Echo "Delegation enabled."
            End If
      End Function

      Function SetAuthDelegation()
            ' TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000): "use any authentication protocol"
            Const ADS_TRUSTED_TO_AUTH_FOR_DELEGATION = &h1000000
            Set objUser = GetObject("LDAP://cn=myserver,ou=dept,dc=organization,dc=com")
            intUAC = objUser.Get("userAccountControl")
            If ADS_TRUSTED_TO_AUTH_FOR_DELEGATION AND intUAC Then
                  WScript.Echo "Already enabled"
            Else
                  objUser.Put "userAccountControl", intUAC XOR ADS_TRUSTED_TO_AUTH_FOR_DELEGATION
                  objUser.SetInfo
                  WScript.Echo "Trusted to Authentication for Delegation enabled."
            End If
      End Function

      Function UnSetDelegation()
            Const ADS_TRUSTED_FOR_DELEGATION = &h80000
            Set objUser = GetObject("LDAP://cn=myserver,ou=dept,dc=organization,dc=com")
            intUAC = objUser.Get("userAccountControl")
            If ADS_TRUSTED_FOR_DELEGATION AND intUAC Then
                  ' Bit is set, so XOR clears it
                  objUser.Put "userAccountControl", intUAC XOR ADS_TRUSTED_FOR_DELEGATION
                  objUser.SetInfo
                  WScript.Echo "Delegation disabled"
            Else
                  WScript.Echo "Delegation already disabled."
            End If
      End Function

      Function UnSetAuthDelegation()
            Const ADS_TRUSTED_TO_AUTH_FOR_DELEGATION = &h1000000
            Set objUser = GetObject("LDAP://cn=myserver,ou=dept,dc=organization,dc=com")
            intUAC = objUser.Get("userAccountControl")
            If ADS_TRUSTED_TO_AUTH_FOR_DELEGATION AND intUAC Then
                  ' Bit is set, so XOR clears it
                  objUser.Put "userAccountControl", intUAC XOR ADS_TRUSTED_TO_AUTH_FOR_DELEGATION
                  objUser.SetInfo
                  WScript.Echo "Trusted to Authentication for Delegation disabled"
            Else
                  WScript.Echo "Trusted to Authentication for Delegation already disabled."
            End If
      End Function
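The script above toggles two bits in userAccountControl with XOR. As an added example (my own code, not part of the original post or Microsoft's sample), here is the same bit logic in Python, written so it runs offline against constructed sample accounts rather than binding to LDAP: it decodes a userAccountControl value into flag names, contrasts the XOR toggle with idempotent set/clear operations, and audits a list of accounts for the two delegation bits a defender wants to review, since TRUSTED_FOR_DELEGATION grants unconstrained delegation and TRUSTED_TO_AUTH_FOR_DELEGATION allows protocol transition. The flag values are the documented USERACCOUNTCONTROL bit masks from KB 305144; the account names and values are made up for the demonstration.

```python
# Added example (not the post's own code): decode and audit the delegation bits
# of userAccountControl. Bit values are the documented USERACCOUNTCONTROL masks;
# SAMPLE_ACCOUNTS below is constructed data, not a real directory.

UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",            # unconstrained delegation
    0x100000: "NOT_DELEGATED",                    # "account is sensitive"
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # protocol transition
}
TRUSTED_FOR_DELEGATION = 0x80000
NOT_DELEGATED = 0x100000
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000


def decode_uac(uac):
    """Return the names of all known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def set_flag(uac, flag):
    """Idempotent set: OR never clears a flag that is already on."""
    return uac | flag


def clear_flag(uac, flag):
    """Idempotent clear: AND NOT never sets a flag that is already off."""
    return uac & ~flag


def toggle_flag(uac, flag):
    """What the VBScript's XOR does: sets the bit if clear, clears it if set.
    It is only safe because the script tests the bit first; run twice without
    that guard it undoes itself."""
    return uac ^ flag


def audit_delegation(accounts):
    """Return (account, reason) pairs for delegation settings worth reviewing."""
    findings = []
    for acct in accounts:
        uac = acct["userAccountControl"]
        name = acct["sAMAccountName"]
        if uac & TRUSTED_FOR_DELEGATION:
            findings.append((name, "unconstrained delegation (TRUSTED_FOR_DELEGATION)"))
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append((name, "protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION)"))
        if uac & NOT_DELEGATED and uac & (TRUSTED_FOR_DELEGATION | TRUSTED_TO_AUTH_FOR_DELEGATION):
            findings.append((name, "NOT_DELEGATED set alongside a delegation flag"))
    return findings


# Constructed sample accounts (hypothetical names and values).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "myserver$", "userAccountControl": 0x1000 | 0x80000},
    {"sAMAccountName": "svc-web", "userAccountControl": 0x200 | 0x10000 | 0x1000000},
    {"sAMAccountName": "da-admin", "userAccountControl": 0x200 | 0x100000},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200},
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        uac = acct["userAccountControl"]
        print(f"{acct['sAMAccountName']:<10} 0x{uac:07x} {decode_uac(uac)}")
    for name, reason in audit_delegation(SAMPLE_ACCOUNTS):
        print(f"REVIEW {name}: {reason}")
```

In a real environment the input to audit_delegation would come from an LDAP search returning sAMAccountName and userAccountControl for every account; the audit itself stays the same. The set/clear helpers show the idiom I would use in place of the XOR toggle when a script may be run more than once: OR and AND NOT leave an already-correct account untouched, whereas XOR flips it back.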

Posted: Jul 07 2004, 01:56 AM by alex | with no comments