Wednesday, April 22, 2009 9:15 AM brian-murphy-booth

DelegConfig v2 (beta)

http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1887 

Requirements:

  • Needs to be setup as a virtual directory in IIS. 
  • Requires .NET framework 2.0 or higher configured on the virtual directory.

Notable Features:

  • Supports IIS 7.0 (useKernelMode / useAppPoolCredentials)
  • Allows adding backend servers of type UNC, HTTP, LDAP, OLAP, SQL, SSAS, and RDP
  • Allows chaining of multiple hops (versus only a single backend)
  • Performs duplicate SPN check against all trusted domains.
  • /Set/SPNs.aspx - Allows adding and removing of ServicePrincipalNames
  • /Set/Delegation.aspx - Allows changing Trust for Delegation settings.
  • /Set/Providers.aspx - Allows correcting of inadequate NTAuthenticationProviders settings.
  • /Report.aspx - Gives a picture of what is right and what is wrong.
  • /Wizard.aspx - A set of wizard steps that supports adding more tiers to /Report.aspx.
  • /Test.aspx - Allows double-hop tests for webServer-to-Sql or webServer-to-fileServer or webServer-to-webServer

Changes:

  • 7/15/2009 - Fixed problem with error stating IIS machine is not joined to a domain caused by HttpContext.Current being null on background threads.
  • 7/15/2009 - Added support for IIS 7.5's "ApplicationPoolIdentity" (Managed Service Accounts)
  • 7/27/2009 - Added code to strip leading slashes from the "hostName" entered into the wizard
  • 8/24/2009 - Fixed SetSPN.exe syntax suggested on Report.aspx
  • 8/24/2009 - Disabled ViewState on Test.aspx textboxes to address "HttpRequestValidationException"
  • 8/26/2009 - Now pass results of DomainController.FindOne to DirectoryEntry instead of NetBIOS domain names
  • 9/03/2009 - Added client-side javascript to Test.aspx to delete textbox value during postback. This fixes "dangerous characters" problem.
  • 9/30/2009 - Added a Search.aspx to allow searching of specific SPNs... for those that don't trust the Report.aspx output (you know who you are)
  • 11/16/2009 - Removed "Fix this for me" button when using an IP address for a host name.
  • 11/16/2009 - When a machine name cannot be determined for a DNS name, an additional suggestion is made regarding load balancing.
  • 11/19/2009 - Made a change to address the NullReferenceException being thrown due to code changes from 11/16
  • 12/03/2009 - Changed some code from TheadPool.QueueUserWorkItem to Page.RegisterAsyncTask to avoid potential for crash in msvcrt!_purecall.
  • 8/11/2010 - Fixed problem with report.aspx saying to set SPNs on appPool user instead of machine account.

Comments

# re: DelegConfig v2 (beta)

Friday, June 12, 2009 12:39 PM by cduden

If you are using this to test delegation within MOSS 2007 you will need to add the following line  to your web.config:

<sessionState mode="InProc" partitionResolverType="" />

Thanks for the tool Brian.  I used it for every MOSS deployment I do.

# re: DelegConfig v2 (beta)

Friday, June 12, 2009 12:59 PM by brian-murphy-booth

Thanks. I had added a sessionState section to my web.config with InProc but based on your suggestion have also added the partitionResolverType attribute as well.

# re: DelegConfig v2 (beta)

Tuesday, August 11, 2009 3:16 PM by Kapn.K

I'm using v2 beta. After setting up the backend unc file share, I receive system SYSTEM(server$) is not a domain account and needs to be joined to the domain. My HTTP service cleaned up when I added it but the "UNC" service has complete failures. Any help is greatly appreciated.

# re: DelegConfig v2 (beta)

Monday, August 24, 2009 2:31 PM by brian-murphy-booth

Hmm... That is probably because the TextBox that holds the original response is trying to postBack all the text to support ViewState. And in that postback there are some characters deemed "dangerous". That should be an easy fix. I'll just disable ViewState on that TextBox since I don't think we need to persist that between requests. Thanks for letting me know!

# re: DelegConfig v2 (beta)

Monday, August 24, 2009 5:15 PM by brian-murphy-booth

I do have supporting "custom" (i.e. not in my hardcoded list) service types on my ToDo list. I don't have any particular timeframe for when that will be added though. What is the service type that you need to use? What is the SPN expected to look like?

# re: DelegConfig v2 (beta)

Friday, October 2, 2009 4:35 PM by brian-murphy-booth

"SQL Server Analysis Services" is referred to as "SSAS" which is also available in the drop-down. The OLAP choice is for the older version of OLAP.

# re: DelegConfig v2 (beta)

Monday, November 16, 2009 2:08 PM by brian-murphy-booth

Alistair,

A few things there:

 1. You shouldn't really be using an IP address for your "host name". Use the virtual *name* instead. With Kerberos we have the "Service Principal Name" which usually should be a "name" versus an IP address. By using an IP address for the host name you're making SPNs a bit less intuitive. It is possible to get Kerberos working with an IP address instead but in some situations it will have less preditable behavior so I think it best to avoid it entirely.

 2. When load balancing you cannot use "Network Service" as the service account due to the whole "duplicate SPN" concept. You should change your service account to a domain user.

 3. Based on your question I did some more testing of DelegConfig against a load balanced site at my location. I agree the output isn't clear in that situation so I will rework that a bit so people will know right away to move towards a domain user and away from something like Network Service.

# re: DelegConfig v2 (beta)

Monday, November 16, 2009 2:13 PM by brian-murphy-booth

Fredrik,

I did not add a way to add a "custom" service type. I've considered that option, but have not taken the time to implement it. What exactly is the service type you're trying to use? If there is a SQL service type that I haven't included I would be happy to add it.

# re: DelegConfig v2 (beta)

Tuesday, November 24, 2009 12:38 PM by brian-murphy-booth

JeffS,

I actually copied some functionality from NBTSTAT to determine computer names. You provided only alias.company.com as the hostName so DelegConfig essentially does NBTSTAT against that to get the computer name, but failed. So we are left with not knowing the computer name. If alias.company.com is actually a load balancer that could be why. If you are using load balancing, however, you can't use NetworkService as the app pool user. If this is what you think might be happening, then create a "service account", add it to IIS_WPG, and use that instead.

# re: DelegConfig v2 (beta)

Friday, December 4, 2009 10:41 AM by brian-murphy-booth

Jeff,

When using a single "member server" with IIS, you can use either a domain user account or something like NetworkService. When load balancing you must use a domain user account. These 2 statements are true for IIS6, IIS7, and IIS7.5. With IIS 7.x, however, we have the new setting of userKernelMode which is set to true by default. What this means is that authentication is handled in the kernel. And because of that, it is MACHINE$ that gets all the settings, even if you were to change the appPool user to a domain user.

As far as DelegConfig telling you that it can't determine the domain membership, I'm not exactly sure what the problem is on that. SOunds like a name resolution thing. If you give me your contact info I'd be happy to work with you to see if we can fix both your Kerberos problem and DelegConfig.

# re: DelegConfig v2 (beta)

Friday, January 29, 2010 2:43 PM by brian-murphy-booth

You can recycle the appPool, reproduce the errors, then email me entire output of the various errors in the order that you recieve them?

# re: DelegConfig v2 (beta)

Tuesday, February 2, 2010 10:08 AM by brian-murphy-booth

Jen,

If setting DisableLoopbackCheck to 1 resolved your issue that means the problem you were having was NTLM failing. That setting is unrelated to Kerberos. It is a client (i.e. the browser) that decides whether or not to use Kerberos so the next question would be "why did the client decide to use NTLM?". The client decides to use NTLM after it asks the domain controller for a Kerberos ticket but it doesn't get one. Next question then is why didn't it get the ticket from the DC? It could be because of a couple generic buckets of reaons: 1. improperly set SPN, 2. DC is not reachable from the client.

--Brian

# re: DelegConfig v2 (beta)

Tuesday, February 9, 2010 11:47 AM by brian-murphy-booth

Thanks Robert. Could you provide me with an example on what is incorrect? What is the tool saying and what do you feel it should be saying instead?

# re: DelegConfig v2 (beta)

Wednesday, February 17, 2010 3:27 PM by mortenbpost

Hi Brian,

I've setup a SharePoint 2010 farm, and I've configured kerberos and everything should be correct. However when I test the deployment using deleconfig i get the following message:

You have connected from your browser to IIS using kerberos authentication.

TokenImpersonationLevel: Impersonation

This should be delegation but for some reason isn't. I've setup all the service accounts to allow delegation and the account that i'm connecting to the site with is not sensitive.

What's a commen reason for this?

It's running on windows 2008 r2.

# re: DelegConfig v2 (beta)

Wednesday, February 17, 2010 5:08 PM by brian-murphy-booth

If you are using "constrained delegation" then "Impersonation" is what it should be. Only "open delegation" needs "delegate"

# re: DelegConfig v2 (beta)

Thursday, February 18, 2010 2:35 AM by mortenbpost

This actually had to do with running the tool from the server itself. If I connected from a remote computer it said "delegation". Now, performancepoint services and excel services still cannot delegation credentials even tho deleconfig reports no errors. This could be a bug in SharePoint 2010 as I've heard others reporting it doesn't work :(

# re: DelegConfig v2 (beta)

Thursday, February 18, 2010 10:28 AM by brian-murphy-booth

I'm not sure I believe that sharepoint has anything to do with the problem. Kerberos is a feature of Windows, not Sharepoint or even IIS for that matter. If everything looks good in DelegConfig but things still aren't working, you might consider opening a support incident with us.

# re: DelegConfig v2 (beta)

Monday, February 22, 2010 2:13 PM by brian-murphy-booth

For the most part, the tool is just for reporting purposes. So when you "add backend" that really is just instructing the tool to show you what settings are needed *if* that were the backend you wanted. Adding the backend in that way doesn't actually change any settings. After adding everything to the tool the way you'd want it, there would then be "Fix this for me" buttons. If you follow the advice of those buttons or text, then it should get things into a better working state for you.

# re: DelegConfig v2 (beta)

Thursday, March 4, 2010 11:02 AM by brian-murphy-booth

One of the things my code does is call a windows API that asks the computer at a specific IP or FQDN what its computer name is. If the domain trust levels are set such that the computer running DelegConfig is not permitted to get that remote computer name then this API gets back an ACCESS_DENIED and I'll report that message that you're seeing since I don't know what AD account to query for info. But... what I fail to do is assume for a moment that the name you provided is already the machine name. Another thing I do is simulate what nbtstat.exe does. nbtstat asks for the "name table" of a remote address using UDP on port 137. If you don't permit UDP traffic on port 137 then that simulated nbtstat will fail. So I try to get the remote computer's machine name in 2 different ways and if those don't work I am stuck.

# re: DelegConfig v2 (beta)

Thursday, April 8, 2010 11:39 AM by brian-murphy-booth

Kim,

I've never heard of the problem you are describing. The check I do is relatively simple. I look at the "Authorization" header which is made up of 2 parts like the following:

Authorization: <Type> <Hash>

If the type is "Negotiate" then it can only be either NTLM or Kerberos. All NTLM hashes start with "TlRMTVNTUA" which is a base64 encoded value of NTLMSSP. So if the hash doesn't start with that value your authentication type must be Kerberos.

You can double-check that by writing simple ASP page with the following code then putting it in with the rest of your web site content.

<% Response.Write Request.ServerVariables("HTTP_AUTHORIZATION") %>

# re: DelegConfig v2 (beta)

Friday, April 9, 2010 1:48 PM by brian-murphy-booth

Kim,

It claimed Kerberos because it was. As to why it was Kerberos before the reboot and not after, that is another question which I don't know the answer to.

# re: DelegConfig v2 (beta)

Friday, April 9, 2010 1:50 PM by brian-murphy-booth

Nick,

If you want to test as SSAS as the backend server, just click the "Add Backend" button and choose SSAS as the service type that you want. If you really only want to see SSAS as the first item, go into the wizard and configure that to be the first top.

# re: DelegConfig v2 (beta)

Thursday, April 15, 2010 9:52 AM by brian-murphy-booth

That error means that either in your machine.config somebody deleted the HttpModule for session state, or it was removed in the site's web.config. I think more likely it is something in the web.config. Just open the web.config in notepad and fix whatever appears to have removed that module. Once you find the <HttpModules> section it will make more sense I'm sure.

# re: DelegConfig v2 (beta)

Friday, June 25, 2010 3:53 PM by wildert

Brian,

  This tool works great but to get a service application like performancepoint or excel services working in SharePoint 2010 with kerberos requires some new steps. Can DelegConfig v2 check to see if all these steps are followed? It would help a lot. They need to allow delegation for the computer for the SPNs the service application needs to connect to, and they need to add a dummy spn to the service application app pool to set delegation for those same spns, and they need to make sure the Claims to Windows token service is running.

blogs.msdn.com/.../setting-up-sharepoint-2010-excel-services-to-get-external-data.aspx

# re: DelegConfig v2 (beta)

Friday, September 10, 2010 8:05 AM by Decorum

This tool is invaluable! After two days of googling and troubleshooting to get delegation to work, this tool pinpointed the issue! THANK YOU!