Wednesday, April 22, 2009 9:15 AM brian-murphy-booth

DelegConfig v2 (beta)

http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1887 

Requirements:

  • Needs to be set up as a virtual directory in IIS.
  • Requires .NET framework 2.0 or higher configured on the virtual directory.

Notable Features:

  • Supports IIS 7.0 (useKernelMode / useAppPoolCredentials)
  • Allows adding backend servers of type UNC, HTTP, LDAP, OLAP, SQL, SSAS, and RDP
  • Allows chaining of multiple hops (versus only a single backend)
  • Performs duplicate SPN check against all trusted domains.
  • /Set/SPNs.aspx - Allows adding and removing of ServicePrincipalNames
  • /Set/Delegation.aspx - Allows changing Trust for Delegation settings.
  • /Set/Providers.aspx - Allows correcting of inadequate NTAuthenticationProviders settings.
  • /Report.aspx - Gives a picture of what is right and what is wrong.
  • /Wizard.aspx - A set of wizard steps that supports adding more tiers to /Report.aspx.
  • /Test.aspx - Allows double-hop tests for webServer-to-Sql or webServer-to-fileServer or webServer-to-webServer

Changes:

  • 7/15/2009 - Fixed problem with error stating IIS machine is not joined to a domain, caused by HttpContext.Current being null on background threads.
  • 7/15/2009 - Added support for IIS 7.5's "ApplicationPoolIdentity" (Managed Service Accounts)
  • 7/27/2009 - Added code to strip leading slashes from the "hostName" entered into the wizard
  • 8/24/2009 - Fixed SetSPN.exe syntax suggested on Report.aspx
  • 8/24/2009 - Disabled ViewState on Test.aspx textboxes to address "HttpRequestValidationException"
  • 8/26/2009 - Now pass results of DomainController.FindOne to DirectoryEntry instead of NetBIOS domain names
  • 9/03/2009 - Added client-side javascript to Test.aspx to delete textbox value during postback. This fixes "dangerous characters" problem.
  • 9/30/2009 - Added a Search.aspx to allow searching of specific SPNs... for those that don't trust the Report.aspx output (you know who you are)
  • 11/16/2009 - Removed "Fix this for me" button when using an IP address for a host name.
  • 11/16/2009 - When a machine name cannot be determined for a DNS name, an additional suggestion is made regarding load balancing.
  • 11/19/2009 - Made a change to address the NullReferenceException being thrown due to code changes from 11/16

Comments

# http://blogs.technet.com/askds/archive/2009/04/30/deleconfig-v2-released.aspx

Thursday, April 30, 2009 6:28 PM by TrackBack

# re: DelegConfig v2 (beta)

Friday, June 12, 2009 12:39 PM by cduden

If you are using this to test delegation within MOSS 2007 you will need to add the following line to your web.config:

<sessionState mode="InProc" partitionResolverType="" />

Thanks for the tool Brian.  I used it for every MOSS deployment I do.

# re: DelegConfig v2 (beta)

Friday, June 12, 2009 12:59 PM by brian-murphy-booth

Thanks. I had added a sessionState section to my web.config with InProc but based on your suggestion have also added the partitionResolverType attribute as well.

# re: DelegConfig v2 (beta)

Tuesday, August 11, 2009 3:16 PM by Kapn.K

I'm using v2 beta. After setting up the backend unc file share, I receive system SYSTEM(server$) is not a domain account and needs to be joined to the domain. My HTTP service cleaned up when I added it but the "UNC" service has complete failures. Any help is greatly appreciated.

# re: DelegConfig v2 (beta)

Monday, August 24, 2009 2:31 PM by brian-murphy-booth

Hmm... That is probably because the TextBox that holds the original response is trying to postBack all the text to support ViewState. And in that postback there are some characters deemed "dangerous". That should be an easy fix. I'll just disable ViewState on that TextBox since I don't think we need to persist that between requests. Thanks for letting me know!

# re: DelegConfig v2 (beta)

Monday, August 24, 2009 5:15 PM by brian-murphy-booth

I do have supporting "custom" (i.e. not in my hardcoded list) service types on my ToDo list. I don't have any particular timeframe for when that will be added though. What is the service type that you need to use? What is the SPN expected to look like?

# re: DelegConfig v2 (beta)

Friday, October 02, 2009 4:35 PM by brian-murphy-booth

"SQL Server Analysis Services" is referred to as "SSAS" which is also available in the drop-down. The OLAP choice is for the older version of OLAP.

# re: DelegConfig v2 (beta)

Thursday, November 12, 2009 1:06 PM by Alistair Connor

Hi Brian,

this is a great tool...

Question : I have a web farm with a "Big IP" hardware load balancer.

I ran the Wizard over this (I give the IP of the virtual server), in order to understand the interaction between Kerberos and the load balancer.

Doesn't work too good... the virtual server obviously doesn't have domain membership...

"The domain or workstation membership of NETWORK SERVICE (http://10.104.91.32$) could not be determined. "

Am I missing something, misusing the tool, or what?

# re: DelegConfig v2 (beta)

Monday, November 16, 2009 3:37 AM by Fredrik.E

I tried to add a sql server as back-end server.

Problem is that i don't know how to put in a custom service name.

The customer is not using standard MSSQLSvc as service name.

I can't add a custom Service Name in your tool since it automatically puts MSSQLSvc in front.

Is there a workaround?

# re: DelegConfig v2 (beta)

Monday, November 16, 2009 2:08 PM by brian-murphy-booth

Alistair,

A few things there:

 1. You shouldn't really be using an IP address for your "host name". Use the virtual *name* instead. With Kerberos we have the "Service Principal Name" which usually should be a "name" versus an IP address. By using an IP address for the host name you're making SPNs a bit less intuitive. It is possible to get Kerberos working with an IP address instead but in some situations it will have less predictable behavior so I think it best to avoid it entirely.

 2. When load balancing you cannot use "Network Service" as the service account due to the whole "duplicate SPN" concept. You should change your service account to a domain user.

 3. Based on your question I did some more testing of DelegConfig against a load balanced site at my location. I agree the output isn't clear in that situation so I will rework that a bit so people will know right away to move towards a domain user and away from something like Network Service.
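The duplicate SPN check listed under Notable Features, and the "duplicate SPN" point about load balancing in the reply above, as an added example that is not DelegConfig's or Brian's code: it runs the same kind of check that `setspn -X` performs, but over a constructed export of account SPNs (every account name, domain and SPN value is made up), compares across domains, and flags the case where a virtual name's SPN sits on each farm node's machine account.

```python
"""Duplicate-SPN check over a constructed export of AD accounts."""
from collections import defaultdict

# Constructed sample export: (sAMAccountName, domain, servicePrincipalName values).
# WEB01$/WEB02$ model a load-balanced farm whose nodes run as Network Service, so
# the virtual name's HTTP SPN landed on both machine accounts; the SQL SPN is
# registered in two trusted domains, which a single-domain query would miss.
SAMPLE_ACCOUNTS = [
    ("WEB01$", "corp.example",
        ["HOST/web01", "HOST/web01.corp.example", "HTTP/intranet.corp.example"]),
    ("WEB02$", "corp.example",
        ["HOST/web02", "HOST/web02.corp.example", "http/INTRANET.corp.example"]),
    ("svc_sql", "corp.example", ["MSSQLSvc/sql01.corp.example:1433"]),
    ("svc_sqlold", "child.corp.example", ["MSSQLSvc/sql01.corp.example:1433"]),
    ("svc_sql2", "corp.example", ["MSSQL$PROD02/sql02.corp.example:1433"]),
]


def parse_spn(spn):
    """Split 'class/host[:port][/name]' into (class, host, port, name)."""
    parts = spn.split("/")
    if not 2 <= len(parts) <= 3 or not all(parts):
        raise ValueError(f"malformed SPN: {spn!r}")
    host, _, port = parts[1].partition(":")
    return parts[0], host, port or None, parts[2] if len(parts) == 3 else None


def find_duplicate_spns(accounts):
    """Map each SPN held by more than one account to its owners.

    Comparison is case-insensitive. A KDC resolves an SPN to a single
    account key; with two owners it cannot, so Kerberos fails for that
    service (typically KRB_AP_ERR_MODIFIED or a silent fallback to NTLM).
    """
    owners = defaultdict(list)
    for sam, domain, spns in accounts:
        for spn in spns:
            parse_spn(spn)  # reject malformed entries early
            owners[spn.lower()].append((sam, domain))
    return {spn: accts for spn, accts in owners.items() if len(accts) > 1}


def classify_duplicate(spn, accts):
    """Tell the load-balanced case (virtual name on machine accounts) apart."""
    _cls, host, _port, _name = parse_spn(spn)
    machines = {sam[:-1].lower() for sam, _ in accts if sam.endswith("$")}
    if len(machines) == len(accts) and host.split(".")[0].lower() not in machines:
        return "virtual name on machine accounts: use one domain service account"
    return "same SPN on several accounts: keep it on the intended account only"
```

Against the sample data the check reports the farm's HTTP SPN as the load-balanced case and the cross-domain MSSQLSvc SPN as a plain duplicate; the MSSQL$PROD02 instance SPN parses but is unique.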

# re: DelegConfig v2 (beta)

Monday, November 16, 2009 2:13 PM by brian-murphy-booth

Fredrik,

I did not add a way to add a "custom" service type. I've considered that option, but have not taken the time to implement it. What exactly is the service type you're trying to use? If there is a SQL service type that I haven't included I would be happy to add it.

# re: DelegConfig v2 (beta)

Tuesday, November 17, 2009 3:35 PM by Gijsbert

Hi Brian,

I get a "TokenImpersonationLevel: Impersonation" warning when running report locally. Presume that's because it is running on the IIS server itself. Domain name used is in the local zone. I do need to pass credentials to a backend DC/Ldap server (what's the account this service is using?).

When running report from a remote client in the same domain I get the "Object reference not set to an instance of an object" message. See the stack trace below.

When running from a remote client my application apparently is assigned the null account when accessing the Ldap server on another server/DC using impersonation, generating the "There is no such object on the server" when trying to open a valid Ldap path. When running my application locally at the IIS server, things run fine.

Any hints?

[NullReferenceException: Object reference not set to an instance of an object.]
  BBooth.Status.DomainAccountStatus..ctor(Hop hop) in C:\Archive\Code-Custom\ASPX\Sites\DelegConfig.2.0\Core\Status\DomainAccountStatus.cs:21
  BBooth.Report.OverallReport.GetDomainAccountStatus() in C:\Archive\Code-Custom\ASPX\Sites\DelegConfig.2.0\Web\Report\OverallReport.ascx.cs:36
  BBooth.Report.OverallReport.SetStatus() in C:\Archive\Code-Custom\ASPX\Sites\DelegConfig.2.0\Web\Report\OverallReport.ascx.cs:29
  BBooth.Report.OverallReport.Page_Load(Object sender, EventArgs e) in C:\Archive\Code-Custom\ASPX\Sites\DelegConfig.2.0\Web\Report\OverallReport.ascx.cs:21
  System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +24
  System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +41
  System.Web.UI.Control.OnLoad(EventArgs e) +131
  System.Web.UI.Control.LoadRecursive() +65
  System.Web.UI.Control.LoadRecursive() +190
  System.Web.UI.Control.LoadRecursive() +190
  System.Web.UI.Control.LoadRecursive() +190
  System.Web.UI.Control.LoadRecursive() +190
  System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2427

# re: DelegConfig v2 (beta)

Wednesday, November 18, 2009 5:00 AM by Fredrik.E

Hi. Again.

Instead of the MSSQLSvc service they customized it to MSSQL$PROD02.

And your tool recognizes that this server "account can delegate to the following services:" under Trusted For Delegation, and under More information it tells me MSSQL$PROD02/FQDN:portnumber, but I don't have the option to choose this for testing.

//Regards Fredrik E
