Wednesday, April 22, 2009 9:15 AM brian-murphy-booth

DelegConfig v2 (beta)

http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1887 

Requirements:

  • Needs to be set up as a virtual directory in IIS.
  • Requires .NET framework 2.0 or higher configured on the virtual directory.

Notable Features:

  • Supports IIS 7.0 (useKernelMode / useAppPoolCredentials)
  • Allows adding backend servers of type UNC, HTTP, LDAP, OLAP, SQL, SSAS, and RDP
  • Allows chaining of multiple hops (versus only a single backend)
  • Performs duplicate SPN check against all trusted domains.
  • /Set/SPNs.aspx - Allows adding and removing of ServicePrincipalNames
  • /Set/Delegation.aspx - Allows changing Trust for Delegation settings.
  • /Set/Providers.aspx - Allows correcting of inadequate NTAuthenticationProviders settings.
  • /Report.aspx - Gives a picture of what is right and what is wrong.
  • /Wizard.aspx - A set of wizard steps that supports adding more tiers to /Report.aspx.
  • /Test.aspx - Allows double-hop tests for webServer-to-Sql or webServer-to-fileServer or webServer-to-webServer

Changes:

  • 7/15/2009 - Fixed problem with error stating IIS machine is not joined to a domain caused by HttpContext.Current being null on background threads.
  • 7/15/2009 - Added support for IIS 7.5's "ApplicationPoolIdentity" (Managed Service Accounts)
  • 7/27/2009 - Added code to strip leading slashes from the "hostName" entered into the wizard
  • 8/24/2009 - Fixed SetSPN.exe syntax suggested on Report.aspx
  • 8/24/2009 - Disabled ViewState on Test.aspx textboxes to address "HttpRequestValidationException"
  • 8/26/2009 - Now pass results of DomainController.FindOne to DirectoryEntry instead of NetBIOS domain names
  • 9/03/2009 - Added client-side javascript to Test.aspx to delete textbox value during postback. This fixes "dangerous characters" problem.
  • 9/30/2009 - Added a Search.aspx to allow searching of specific SPNs... for those that don't trust the Report.aspx output (you know who you are)
  • 11/16/2009 - Removed "Fix this for me" button when using an IP address for a host name.
  • 11/16/2009 - When a machine name cannot be determined for a DNS name, an additional suggestion is made regarding load balancing.
  • 11/19/2009 - Made a change to address the NullReferenceException being thrown due to code changes from 11/16
  • 12/03/2009 - Changed some code from ThreadPool.QueueUserWorkItem to Page.RegisterAsyncTask to avoid potential for crash in msvcrt!_purecall.

Comments

# http://blogs.technet.com/askds/archive/2009/04/30/deleconfig-v2-released.aspx

Thursday, April 30, 2009 6:28 PM by TrackBack

# re: DelegConfig v2 (beta)

Friday, June 12, 2009 12:39 PM by cduden

If you are using this to test delegation within MOSS 2007 you will need to add the following line  to your web.config:

<sessionState mode="InProc" partitionResolverType="" />

Thanks for the tool Brian. I use it for every MOSS deployment I do.

# re: DelegConfig v2 (beta)

Friday, June 12, 2009 12:59 PM by brian-murphy-booth

Thanks. I had added a sessionState section to my web.config with InProc but based on your suggestion have also added the partitionResolverType attribute.

# re: DelegConfig v2 (beta)

Tuesday, August 11, 2009 3:16 PM by Kapn.K

I'm using v2 beta. After setting up the backend unc file share, I receive system SYSTEM(server$) is not a domain account and needs to be joined to the domain. My HTTP service cleaned up when I added it but the "UNC" service has complete failures. Any help is greatly appreciated.

# re: DelegConfig v2 (beta)

Monday, August 24, 2009 2:31 PM by brian-murphy-booth

Hmm... That is probably because the TextBox that holds the original response is trying to postBack all the text to support ViewState. And in that postback there are some characters deemed "dangerous". That should be an easy fix. I'll just disable ViewState on that TextBox since I don't think we need to persist that between requests. Thanks for letting me know!

# re: DelegConfig v2 (beta)

Monday, August 24, 2009 5:15 PM by brian-murphy-booth

I do have supporting "custom" (i.e. not in my hardcoded list) service types on my ToDo list. I don't have any particular timeframe for when that will be added though. What is the service type that you need to use? What is the SPN expected to look like?

# re: DelegConfig v2 (beta)

Friday, October 02, 2009 4:35 PM by brian-murphy-booth

"SQL Server Analysis Services" is referred to as "SSAS" which is also available in the drop-down. The OLAP choice is for the older version of OLAP.

# re: DelegConfig v2 (beta)

Monday, November 16, 2009 2:08 PM by brian-murphy-booth

Alistair,

A few things there:

 1. You shouldn't really be using an IP address for your "host name". Use the virtual *name* instead. With Kerberos we have the "Service Principal Name" which usually should be a "name" versus an IP address. By using an IP address for the host name you're making SPNs a bit less intuitive. It is possible to get Kerberos working with an IP address instead but in some situations it will have less predictable behavior so I think it best to avoid it entirely.

 2. When load balancing you cannot use "Network Service" as the service account due to the whole "duplicate SPN" concept. You should change your service account to a domain user.

 3. Based on your question I did some more testing of DelegConfig against a load balanced site at my location. I agree the output isn't clear in that situation so I will rework that a bit so people will know right away to move towards a domain user and away from something like Network Service.

# re: DelegConfig v2 (beta)

Monday, November 16, 2009 2:13 PM by brian-murphy-booth

Fredrik,

I did not add a way to add a "custom" service type. I've considered that option, but have not taken the time to implement it. What exactly is the service type you're trying to use? If there is a SQL service type that I haven't included I would be happy to add it.

# re: DelegConfig v2 (beta)

Tuesday, November 24, 2009 12:38 PM by brian-murphy-booth

JeffS,

I actually copied some functionality from NBTSTAT to determine computer names. You provided only alias.company.com as the hostName so DelegConfig essentially does NBTSTAT against that to get the computer name, but failed. So we are left with not knowing the computer name. If alias.company.com is actually a load balancer that could be why. If you are using load balancing, however, you can't use NetworkService as the app pool user. If this is what you think might be happening, then create a "service account", add it to IIS_WPG, and use that instead.

# re: DelegConfig v2 (beta)

Friday, December 04, 2009 10:41 AM by brian-murphy-booth

Jeff,

When using a single "member server" with IIS, you can use either a domain user account or something like NetworkService. When load balancing you must use a domain user account. These 2 statements are true for IIS6, IIS7, and IIS7.5. With IIS 7.x, however, we have the new setting of useKernelMode which is set to true by default. What this means is that authentication is handled in the kernel. And because of that, it is MACHINE$ that gets all the settings, even if you were to change the appPool user to a domain user.

As far as DelegConfig telling you that it can't determine the domain membership, I'm not exactly sure what the problem is on that. Sounds like a name resolution thing. If you give me your contact info I'd be happy to work with you to see if we can fix both your Kerberos problem and DelegConfig.

# re: DelegConfig v2 (beta)

Friday, January 29, 2010 2:07 PM by Richard

Any more details on how to configure this on x64 Windows Server 2008, IIS 7 - running SharePoint 2010 and trying to work out a Kerberos issue.

Trying to setup DelegConfig v2 and getting various errors - particularly "Attempted to read or write protected memory"

# re: DelegConfig v2 (beta)

Friday, January 29, 2010 2:43 PM by brian-murphy-booth

Can you recycle the appPool, reproduce the errors, then email me the entire output of the various errors in the order that you receive them?

# re: DelegConfig v2 (beta)

Monday, February 01, 2010 6:38 PM by Jen Dodd

Thanks for the tool Brian, it was very helpful. As an FYI - I am pretty sure I had everything configured correctly for Kerberos on Server 2008 WFE and Server 2008 and SQL 2008 backend server, but my internal RSS feeds were still not working.

I decided to take a break from Kerberos and look at a couple of other issues I was having, one being an "Access Denied" error on the crawl account for indexing.

I followed these steps to disable the loopback check:

1. Click Start, click Run, type regedit, and then click OK.

2. In Registry Editor, locate and then click the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

3. Right-click Lsa, point to New, and then click DWORD Value.

4. Type DisableLoopbackCheck, and then press ENTER.

5. Right-click DisableLoopbackCheck, and then click Modify.

6. In the Value data box, type 1, and then click OK.

7. Quit Registry Editor.

My crawl account was able to crawl all content databases AND my internal RSS feeds started working.  Coincidence?

# re: DelegConfig v2 (beta)

Tuesday, February 02, 2010 10:08 AM by brian-murphy-booth

Jen,

If setting DisableLoopbackCheck to 1 resolved your issue that means the problem you were having was NTLM failing. That setting is unrelated to Kerberos. It is a client (i.e. the browser) that decides whether or not to use Kerberos so the next question would be "why did the client decide to use NTLM?". The client decides to use NTLM after it asks the domain controller for a Kerberos ticket but it doesn't get one. Next question then is why didn't it get the ticket from the DC? It could be because of a couple of generic buckets of reasons: 1. improperly set SPN, 2. DC is not reachable from the client.

--Brian
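The "duplicate SPN" condition Brian describes for load-balanced sites running as Network Service, and the "improperly set SPN" bucket above, can both be checked directly against Active Directory. The following PowerShell is an added example and not DelegConfig's own code; it assumes a domain-joined host with read access to the directory, and the SPN HTTP/alias.company.com is taken from the comment thread as a sample value.

```powershell
# Added example (not part of DelegConfig): list the AD accounts holding a given SPN
# and report whether it is missing (Kerberos cannot be used) or duplicated (ambiguous).
function Get-SpnHolders {
    param(
        [Parameter(Mandatory = $true)][string]$Spn,   # e.g. "HTTP/alias.company.com"
        # Default search root is the global catalog of the forest root, so every domain
        # in the forest is covered; a domain reachable only via an external trust needs
        # its own $SearchRoot (e.g. "LDAP://DC=other,DC=com").
        [string]$SearchRoot = "GC://" + [string]([ADSI]"LDAP://RootDSE").rootDomainNamingContext
    )
    # Escape LDAP filter metacharacters (RFC 4515) so the SPN cannot alter the filter
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    $searcher.Filter = "(servicePrincipalName=$escaped)"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName'))
    foreach ($result in $searcher.FindAll()) {
        [pscustomobject]@{
            Account = $result.Properties['samaccountname'][0]
            DN      = $result.Properties['distinguishedname'][0]
        }
    }
}

function Test-DuplicateSpn {
    param([Parameter(Mandatory = $true)][string]$Spn)
    $holders = @(Get-SpnHolders -Spn $Spn)
    switch ($holders.Count) {
        0 { Write-Output "$Spn is not registered on any account: the KDC cannot issue a ticket, so clients fall back to NTLM." }
        1 { Write-Output "$Spn is registered once, on $($holders[0].Account)." }
        default {
            Write-Warning "$Spn is registered on $($holders.Count) accounts (duplicate SPN):"
            $holders | ForEach-Object { Write-Warning ("  {0}  {1}" -f $_.Account, $_.DN) }
        }
    }
}

# Sample check. On a load-balanced site where each node runs as Network Service, expect one
# holder per MACHINE$ account, which is exactly the duplicate condition that breaks Kerberos.
Test-DuplicateSpn -Spn 'HTTP/alias.company.com'
```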

# re: DelegConfig v2 (beta)

Monday, February 08, 2010 3:19 PM by Robert

I've created a companion tool which helps you set up Kerberos constrained delegation.  If there are issues, then you can use your tool to help resolve these.

I noticed when using your tool that if you use an Instance Name instead of a port number for a database / cube, your tool incorrectly identifies a SPN.  You may want to check into this.

# re: DelegConfig v2 (beta)

Tuesday, February 09, 2010 11:47 AM by brian-murphy-booth

Thanks Robert. Could you provide me with an example on what is incorrect? What is the tool saying and what do you feel it should be saying instead?
