DelegConfig (Kerberos/Delegation Configuration Reporting Tool)
Where is the tool?
For 2.0+ framework - IIS 6.0, 7.0, 7.5 - http://blogs.iis.net/brian-murphy-booth/archive/2009/04/22/delegconfig-v2-beta.aspx
For 1.1 framework - IIS 5.0, IIS 6.0 - http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1434
What is this tool?
This is an ASP.NET application that I wrote a couple of years ago. It is meant to be called from Internet Explorer on an actual client machine. The tool (an ASPX page) looks at all the common settings that contribute to successful Kerberos authentication and delegation. I had originally written a simple ASP page for my co-workers to demonstrate how to see whether a request had authenticated with Kerberos or NTLM by doing Response.Write Request.ServerVariables("HTTP_AUTHORIZATION"). After a little while I decided "why stop there?!" The tool now checks all the common pitfalls of Kerberos authentication, except for a couple of issues that I can't check for when the web request fails entirely (if my page won't even run, how can I check those settings?).
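As an added example (not code from DelegConfig itself, and not from the original page), the Python script below does what that first ASP page did, but decodes the header instead of just printing it: it tells apart a bare NTLM message, a bare Kerberos AP-REQ and a SPNEGO NegTokenInit, and for SPNEGO lists the offered mechTypes in the order the client sent them. The sample headers are constructed by the script's own fixture builder (an assumption for testing, not traffic captured from a browser).

```python
import base64

# OIDs seen in GSS-API initial context tokens (RFC 2743 / RFC 4178 / MS-SPNG).
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
OID_NAMES = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos V5",
             MS_KRB5_OID: "MS Kerberos V5", NTLMSSP_OID: "NTLMSSP"}


def _read_tlv(buf, pos):
    """Read one DER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode DER OID contents (base-128 arcs) to dotted form."""
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)


def classify_authorization(header):
    """Return (mechanism, spnego_mech_types) for an HTTP_AUTHORIZATION header value."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() == "basic":
        return "Basic", []
    raw = base64.b64decode(token)
    if raw.startswith(b"NTLMSSP\x00"):      # bare NTLM message, under scheme "NTLM" or "Negotiate"
        return "NTLM", []
    tag, body, _ = _read_tlv(raw, 0)
    if tag != 0x60:                         # not a GSS-API InitialContextToken
        return "unknown", []
    _, oid_raw, pos = _read_tlv(body, 0)    # thisMech OID
    oid = _decode_oid(oid_raw)
    if oid != SPNEGO_OID:                   # bare Kerberos AP-REQ (MS-KRB5 or RFC 4121)
        return OID_NAMES.get(oid, oid), []
    # NegotiationToken ::= [0] NegTokenInit ::= SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... }
    _, neg_init, _ = _read_tlv(body, pos)
    _, seq, _ = _read_tlv(neg_init, 0)
    _, mech_types, _ = _read_tlv(seq, 0)
    _, mech_list, _ = _read_tlv(mech_types, 0)
    mechs, p = [], 0
    while p < len(mech_list):
        _, o, p = _read_tlv(mech_list, p)
        mechs.append(OID_NAMES.get(_decode_oid(o), _decode_oid(o)))
    return "SPNEGO", mechs


def uses_kerberos(header):
    """True when the client presented Kerberos, bare or first in its SPNEGO mechTypes list.
    Windows lists NTLMSSP first when it could not obtain a service ticket (typically no SPN)."""
    mech, mechs = classify_authorization(header)
    return mech.endswith("Kerberos V5") or (mech == "SPNEGO" and bool(mechs) and mechs[0].endswith("Kerberos V5"))


# ---- Constructed test fixtures (assumption: built here, not captured from a real client) ----
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for v in arcs[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_negotiate_header(mech_oids, mech_token=b"\x00" * 200):
    """Build 'Negotiate <base64>' carrying a SPNEGO NegTokenInit with the given mechTypes."""
    mech_list = _tlv(0x30, b"".join(_tlv(0x06, _encode_oid(o)) for o in mech_oids))
    neg_init = _tlv(0x30, _tlv(0xA0, mech_list) + _tlv(0xA2, _tlv(0x04, mech_token)))
    token = _tlv(0x60, _tlv(0x06, _encode_oid(SPNEGO_OID)) + _tlv(0xA0, neg_init))
    return "Negotiate " + base64.b64encode(token).decode()


KERBEROS_HEADER = build_negotiate_header([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID])
NTLM_FALLBACK_HEADER = build_negotiate_header([NTLMSSP_OID], b"NTLMSSP\x00\x01\x00\x00\x00")
RAW_NTLM_HEADER = "NTLM " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2").decode()

if __name__ == "__main__":
    for h in (KERBEROS_HEADER, NTLM_FALLBACK_HEADER, RAW_NTLM_HEADER):
        print(h[:24] + "...", classify_authorization(h), "Kerberos" if uses_kerberos(h) else "NTLM")
```

Paste the value of Request.ServerVariables("HTTP_AUTHORIZATION") into classify_authorization(). A real Kerberos SPNEGO token base64-encodes to a string beginning "YII" (0x60 0x82 ...), which is the quick visual check most people know; a mechTypes list that starts with NTLMSSP, or a raw NTLM token, means the client never got a service ticket, most often because no matching SPN exists, which is what the tool's remaining checks go on to diagnose.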
I'd like to hear your feedback!! If you have problems, constructive criticism, or praise, please let me know. If you have comments or suggestions that will benefit the masses, I'll try to find time to implement your suggestions in the tool.
Usage Tips:
- READ THE "Explanation" SECTIONS!! This tool is meant to be a teacher. If you don't read your material, you probably aren't going to understand what to do or at least why you're doing something that it suggests you do.
- Did I mention that you should read the "Explanation" sections?? Do it!!
- There are some "Fix This" buttons that help automate addressing issues. Although it isn't 100% clear in some of the output, it is probably easiest to use the "Fix This" buttons instead of manually following any KB articles that are also included in the output. You can, however, do whichever you prefer since either method should fix the applicable configuration problem.
- If the DelegConfig tool doesn't work as expected, please see the "KNOWN PROBLEMS AND WORKAROUNDS" section below.
- If you end up making changes to your configuration based on what the tool reports, it is common that you'll need to log on/off the workstation machine and/or restart the IIS service or back-end service before you see Kerberos/Delegation start to work as desired.
- Part of "Delegation" is authenticating with a back-end service. Don't forget to add the back-end server information with the applicable hyperlink to make sure everything looks good there too.
---------------------------------------------------------------
REQUIRED COMPONENTS:
---------------------------------------------------------------
1. All files in this ZIP are required for the ASPX page to operate properly.
2. ASP.NET version 1.1.4322.2300 or higher (also works with v2.0.50727) must be installed on the IIS server.
---------------------------------------------------------------
OPTIONAL COMPONENTS:
---------------------------------------------------------------
1. For more accurate results, the .NET Framework should also be installed on the workstation/client.
---------------------------------------------------------------
SETUP:
---------------------------------------------------------------
1. Unzip files to desired location that is *local* to the IIS server.
2. In the IIS MMC create a new virtual directory that points to the folder with the unzipped files.
3. Configure the virtual directory as an IIS application
a. In the IIS MMC right-click the vDir and choose Properties.
b. On the "Virtual Directory" tab click "Create" (if already configured as an IIS app you'll see a "Remove" button instead)
4. Ensure that "Scripts Only" (recommended) or "Scripts and Executables" is enabled for this vDir.
---------------------------------------------------------------
USAGE:
---------------------------------------------------------------
1. View the Default.aspx page through a web browser with an address such as "http://MyServer/MyVirtualDirectory/"
---------------------------------------------------------------
KNOWN PROBLEMS AND WORKAROUNDS
---------------------------------------------------------------
General:
Generally speaking, if there are any problems running this tool's Default.aspx page (errors of any sort), it is probably because Kerberos isn't working yet. :-p In that case it is best to start by requesting the page locally from the IIS server. Certain types of problems only exist when IE attempts to connect to IIS using Kerberos, and Kerberos is usually not used when the request is made locally on the IIS server. Requesting Default.aspx locally from the server therefore avoids many types of problems this DelegConfig tool can encounter. Once you can get the page working locally on the IIS server, the tool will then report some of the problems that could affect Kerberos and/or delegation. Once some of those items are addressed and Kerberos is closer to working, you may be able to do additional checks by requesting the ASPX page from a remote IE machine.
--------------
Problem:
[HttpException (0x8007052e): Failed to start monitoring changes to '\\ServerName\ShareName'.]
ASP.NET reads its configuration hierarchically: Machine.config first, then the web.config at the root of the web site, then the web.config in the virtual directory the ASPX application is running in. Any time one of these files changes, ASP.NET needs to reload the file and restart the web application so that the most recent configuration is used, so it monitors each of them for changes. If the ASP.NET worker process (running as the ASPNET account when IIS is in IIS 5.0 isolation mode) cannot read the root of the web site, this error is returned. This is typical when the home directory is a UNC path.
Workaround:
1. If running IIS 6.0, this can sometimes be fixed by disabling "Run WWW service in IIS 5.0 isolation mode".
OR
2. To ensure that ASPNET can read from the root of the web site, temporarily change the "Home Directory" of the site to a local path. Once you have resolved the Kerberos and Delegation issues based on the results of the ASPX application you can change the home directory back to the desired UNC path.
--------------
Problem:
Continuous password prompt with an underlying 401.1 response. There are two common possibilities for this.
Additional Information:
Looking in the security event logs shows:
POSSIBILITY ONE (notice the Logon Process of Kerberos):
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 1/1/2005
Time: 6:00:00 PM
User: NT AUTHORITY\SYSTEM
Computer: COMPUTERNAME
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workaround:
You receive an "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials" error message when you try to access a Web site that is part of an IIS 6.0 application pool
http://support.microsoft.com/?id=871179
POSSIBILITY TWO (notice the strange Logon Process):
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 1/1/2005
Time: 6:00:00 PM
User: NT AUTHORITY\SYSTEM
Computer: COMPUTERNAME
Description:
Logon Failure:
Reason: An error occurred during logon
User Name: someuser
Domain: SOMEDOMAIN
Logon Type: 3
Logon Process: Ðù²
Authentication Package: NTLM
Workstation Name: COMPUTERNAME
Status code: 0xC000006D
Substatus code: 0x0
Source Network Address: 127.0.0.1
Workaround:
You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6
http://support.microsoft.com/?id=896861
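To tell the two cases apart from a saved security log export rather than by eye, here is an added Python example (not part of DelegConfig and not from the original page). It parses records in the "Field: value" layout quoted above and maps each to the applicable possibility and KB article; the two records it runs over are constructed copies of the events shown above, and flagging a non-ASCII "Logon Process" value as the sign of possibility two is this example's own heuristic, drawn from the "strange Logon Process" remark.

```python
import re

# Constructed sample records, copied from the two Failure Audit events quoted above.
EVENT_ONE = """Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 1/1/2005
Time: 6:00:00 PM
User: NT AUTHORITY\\SYSTEM
Computer: COMPUTERNAME
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
"""

EVENT_TWO = """Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 1/1/2005
Time: 6:00:00 PM
User: NT AUTHORITY\\SYSTEM
Computer: COMPUTERNAME
Description:
Logon Failure:
Reason: An error occurred during logon
User Name: someuser
Domain: SOMEDOMAIN
Logon Type: 3
Logon Process: \u00d0\u00f9\u00b2
Authentication Package: NTLM
Workstation Name: COMPUTERNAME
Status code: 0xC000006D
Substatus code: 0x0
Source Network Address: 127.0.0.1
"""

# The two workarounds named on this page for each possibility.
KB_FOR = {
    "possibility_one": "http://support.microsoft.com/?id=871179",
    "possibility_two": "http://support.microsoft.com/?id=896861",
}


def parse_event(text):
    """Turn the 'Field: value' lines of one event into a dict (splits on the first colon only,
    so values such as 'Time: 6:00:00 PM' survive intact)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _is_garbled(s):
    """Real Logon Process names (Kerberos, NtLmSsp, User32 ...) are printable ASCII."""
    return bool(s) and not all(0x20 <= ord(c) < 0x7F for c in s)


def diagnose(fields):
    """Map a parsed failure audit to 'possibility_one', 'possibility_two' or None."""
    if fields.get("Event Type") != "Failure Audit":
        return None
    eid = fields.get("Event ID")
    proc = fields.get("Logon Process", "")
    pkg = fields.get("Authentication Package", "")
    if eid == "529" and proc == "Kerberos" and pkg == "Kerberos":
        return "possibility_one"
    if (eid == "537" and pkg == "NTLM"
            and fields.get("Status code", "").lower() == "0xc000006d"
            and (_is_garbled(proc) or fields.get("Source Network Address") == "127.0.0.1")):
        return "possibility_two"
    return None


def triage_log(export):
    """Split a blank-line-separated text export into records; return (event id, case, KB url) per record."""
    results = []
    for rec in re.split(r"\n\s*\n", export.strip()):
        fields = parse_event(rec)
        case = diagnose(fields)
        results.append((fields.get("Event ID"), case, KB_FOR.get(case)))
    return results


if __name__ == "__main__":
    for row in triage_log(EVENT_ONE + "\n\n" + EVENT_TWO):
        print(row)
```

Export the Security log as text from Event Viewer and feed the file's contents to triage_log(); any record that comes back with None is neither of the two documented cases and needs to be read on its own.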