Kerberos to NTLM delegation timeout


Marc Castrechini

I apologize if this is available, but there is so much on getting delegation
to work that we aren't coming up with anything.

First off we are using constrained delegation to run a dual server
environment for ASP.NET 2.0 application under IIS 6.0 and SQL Server 2005.
All Windows Server 2k3. Our Active Directory is balanced across two different
servers.

A subset of our users are receiving delegation errors at what seems like
random, inconsistent times of the day. Most of the time the majority of the
users are working fine.

Basically the Kerberos ticket appears to either expire or be overridden by
an NTLM ticket causing a double hop failure.

We have determined that the problem can temporarily be solved by doing the
following:
Close IE -> Control-Alt-Delete -> Lock -> UnLock

However, once the original problem happens, this only seems to fix it for a
short while until the same error is experienced again.

Any direction or ideas at all would be greatly appreciated.

- Marc Castrechini

Marc Castrechini

Some additional info we have found:
If the problem occurs:
1) The Lock Computer solution typically lasts about 20 minutes

2) Logging out completely typically lasts about 24 hours.

TIA,
- Marc

Steven Cheng[MSFT]

Hi Marc,

From your description, I understand you're using constrained delegation
between two Windows 2k3 servers for your ASP.NET application, which connects
to a remote SQL Server 2k5 database. However, you found that the Kerberos
delegation errors occur randomly, correct?

Based on my experience, for such Kerberos delegation problems, most of them
are likely caused by environment configuration settings or some network
related issues. Normally, it will require troubleshooting over all the
boxes from the front clients to the backend servers and also the domain
controller box; network tracing is also necessary to get detailed error
information. Therefore, it may not be easy to completely resolve such a
problem through the newsgroup support interface, but we'll try our best to
help you track down this issue.

According to the symptom you mentioned, it seems the Kerberos ticket always
times out after a certain period, and lock/unlock or logout/login seems to be
able to overcome it temporarily. Have you checked the KDC to see whether the
timeout or any expiry-related setting is as expected? Also, it is helpful to
use a network trace utility to capture the HTTP messages and look up what the
error message is when the Kerberos delegation fails; you need to capture the
messages between both the IE client <---> web application server and the web
application server <---> backend db server.

Here are some existing documents and references on Kerberos delegation issues
which can provide some systematic troubleshooting ideas:

#Kerberos authentication and troubleshooting delegation issues
http://support.microsoft.com/kb/907272

#Troubleshooting Kerberos Delegation
http://www.microsoft.com/downloads/details.aspx?FamilyID=99B0F94F-E28A-4726-BFFE-2F64AE2F59A2&displaylang=en

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.
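The checks Steven suggests (the KDC's ticket-lifetime settings, whether a service ticket for the backend SPN actually exists in the user's logon session, and when logons to the web server fell back to NTLM) can be scripted so they are gathered at the moment a user reports the failure. The script below is an added example, not code from the thread or from Microsoft. It assumes a modern Windows host (PowerShell 3 or later, `klist.exe`, `secedit.exe`, and the 4624 Security event rather than the Windows 2003-era 540) and is meant to be run elevated on the web server; `$SqlSpn` and the server names are placeholders.

```powershell
<#
 Added troubleshooting helper (not from the original thread). Runs the
 checks Steven describes on the web server. Assumes PowerShell 3+, klist.exe,
 secedit.exe and modern 4624 logon events; run elevated. $SqlSpn is a placeholder.
#>
param(
    [string]$SqlSpn    = 'MSSQLSvc/sql01.example.local:1433',  # placeholder backend SPN
    [int]   $HoursBack = 24
)

# 1) Domain Kerberos policy as applied to this host (the "expiry related
#    settings" on the KDC). secedit exports an INI file with a [Kerberos Policy] section.
function Get-KerberosPolicy {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    $inSection = $false
    $values = @{}
    foreach ($line in (Get-Content $cfg)) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Kerberos Policy'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') { $values[$Matches[1]] = [int]$Matches[2] }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MaxTicketAgeHours    = $values['MaxTicketAge']    # TGT lifetime, default 10
        MaxServiceAgeMinutes = $values['MaxServiceAge']   # service-ticket lifetime, default 600
        MaxRenewAgeDays      = $values['MaxRenewAge']     # default 7
        MaxClockSkewMinutes  = $values['MaxClockSkew']    # default 5; larger skew breaks Kerberos
    }
}

# 2) Tickets cached in the current logon session, parsed from klist.exe text output.
#    A missing ticket for the backend SPN means delegation never obtained one.
function Get-CachedTickets {
    $list = New-Object System.Collections.Generic.List[object]
    $cur = $null
    foreach ($line in (& klist.exe)) {
        if ($line -match '^#\d+>\s*Client:\s*(.+)$') {
            $cur = [pscustomobject]@{ Client = $Matches[1].Trim(); Server = ''; Flags = ''; EndTime = $null }
            $list.Add($cur)
        } elseif ($cur -and $line -match '^\s*Server:\s*(.+)$') {
            $cur.Server = $Matches[1].Trim()
        } elseif ($cur -and $line -match 'Ticket Flags.*->\s*(.+)$') {
            $cur.Flags = $Matches[1].Trim()          # look for "forwardable" here
        } elseif ($cur -and $line -match '^\s*End Time:\s*(.+?)\s*\(local\)') {
            try { $cur.EndTime = [datetime]::Parse($Matches[1]) } catch { $cur.EndTime = $Matches[1] }
        }
    }
    return $list
}

# 3) Network logons (type 3) to this server, with the authentication package
#    that was actually used, so NTLM fallbacks can be timed against user reports.
function Get-LogonPackageSummary {
    param([int]$Hours = 24)
    $start  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $start } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        if ($data['LogonType'] -ne '3') { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = $data['TargetUserName']
            Package = $data['AuthenticationPackageName']   # 'Kerberos' or 'NTLM'
            Source  = $data['IpAddress']
        }
    }
}

Write-Host "== Kerberos policy applied to $env:COMPUTERNAME =="
Get-KerberosPolicy | Format-List

Write-Host "== Cached tickets for $SqlSpn =="
$tickets = Get-CachedTickets
$tickets | Where-Object { $_.Server -like "$SqlSpn*" } | Format-Table Server, Flags, EndTime -AutoSize

# Tickets that expire inside the ~20 minute window reported in the thread.
$cutoff = (Get-Date).AddMinutes(20)
$tickets | Where-Object { $_.EndTime -is [datetime] -and $_.EndTime -lt $cutoff } |
    Format-Table Server, EndTime -AutoSize

Write-Host "== Network logons in the last $HoursBack h by authentication package =="
Get-LogonPackageSummary -Hours $HoursBack | Group-Object Package | Select-Object Name, Count
```

Run it under the affected user's session on the web server while the failure is happening and again right after the lock/unlock workaround; a ticket for the SQL SPN that is present and `forwardable` in one run and absent in the other, or a run of NTLM rows in the 4624 summary for that user, tells you which hop to trace first with the network capture Steven asks for.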