DelegConfig v2 (beta)

25 Comments

• If you are using this to test delegation within MOSS 2007 you will need to add the following line to your web.config:
  
  
  
  Thanks for the tool Brian. I used it for every MOSS deployment I do.
  

• Thanks. I had added a sessionState section to my web.config with InProc but based on your suggestion have also added the partitionResolverType attribute as well.
  

• I'm using v2 beta. After setting up the backend unc file share, I receive system SYSTEM(server$) is not a domain account and needs to be joined to the domain. My HTTP service cleaned up when I added it but the "UNC" service has complete failures. Any help is greatly appreciated.
  

• Hmm... That is probably because the TextBox that holds the original response is trying to postBack all the text to support ViewState. And in that postback there are some characters deemed "dangerous". That should be an easy fix. I'll just disable ViewState on that TextBox since I don't think we need to persist that between requests. Thanks for letting me know!
  

• I do have supporting "custom" (i.e. not in my hardcoded list) service types on my ToDo list. I don't have any particular timeframe for when that will be added though. What is the service type that you need to use? What is the SPN expected to look like?
  

• "SQL Server Analysis Services" is referred to as "SSAS" which is also available in the drop-down. The OLAP choice is for the older version of OLAP.
  

• Alistair,
  
  A few things there:
  
  1. You shouldn't really be using an IP address for your "host name". Use the virtual *name* instead. With Kerberos we have the "Service Principal Name" which usually should be a "name" versus an IP address. By using an IP address for the host name you're making SPNs a bit less intuitive. It is possible to get Kerberos working with an IP address instead but in some situations it will have less preditable behavior so I think it best to avoid it entirely.
  
  2. When load balancing you cannot use "Network Service" as the service account due to the whole "duplicate SPN" concept. You should change your service account to a domain user.
  
  3. Based on your question I did some more testing of DelegConfig against a load balanced site at my location. I agree the output isn't clear in that situation so I will rework that a bit so people will know right away to move towards a domain user and away from something like Network Service.
  

• Fredrik,
  
  I did not add a way to add a "custom" service type. I've considered that option, but have not taken the time to implement it. What exactly is the service type you're trying to use? If there is a SQL service type that I haven't included I would be happy to add it.
  

• JeffS,
  
  I actually copied some functionality from NBTSTAT to determine computer names. You provided only alias.company.com as the hostName so DelegConfig essentially does NBTSTAT against that to get the computer name, but failed. So we are left with not knowing the computer name. If alias.company.com is actually a load balancer that could be why. If you are using load balancing, however, you can't use NetworkService as the app pool user. If this is what you think might be happening, then create a "service account", add it to IIS_WPG, and use that instead.
  

• Jeff,
  When using a single "member server" with IIS, you can use either a domain user account or something like NetworkService. When load balancing you must use a domain user account. These 2 statements are true for IIS6, IIS7, and IIS7.5. With IIS 7.x, however, we have the new setting of userKernelMode which is set to true by default. What this means is that authentication is handled in the kernel. And because of that, it is MACHINE$ that gets all the settings, even if you were to change the appPool user to a domain user.
  As far as DelegConfig telling you that it can't determine the domain membership, I'm not exactly sure what the problem is on that. SOunds like a name resolution thing. If you give me your contact info I'd be happy to work with you to see if we can fix both your Kerberos problem and DelegConfig.
  

• You can recycle the appPool, reproduce the errors, then email me entire output of the various errors in the order that you recieve them?
  

• Jen,
  
  If setting DisableLoopbackCheck to 1 resolved your issue that means the problem you were having was NTLM failing. That setting is unrelated to Kerberos. It is a client (i.e. the browser) that decides whether or not to use Kerberos so the next question would be "why did the client decide to use NTLM?". The client decides to use NTLM after it asks the domain controller for a Kerberos ticket but it doesn't get one. Next question then is why didn't it get the ticket from the DC? It could be because of a couple generic buckets of reaons: 1. improperly set SPN, 2. DC is not reachable from the client.
  
  --Brian
  

• Thanks Robert. Could you provide me with an example on what is incorrect? What is the tool saying and what do you feel it should be saying instead?
  

• Hi Brian,
  
  I've setup a SharePoint 2010 farm, and I've configured kerberos and everything should be correct. However when I test the deployment using deleconfig i get the following message:
  
  You have connected from your browser to IIS using kerberos authentication.
  
  TokenImpersonationLevel: Impersonation
  
  This should be delegation but for some reason isn't. I've setup all the service accounts to allow delegation and the account that i'm connecting to the site with is not sensitive.
  
  What's a commen reason for this?
  
  It's running on windows 2008 r2.
  

• If you are using "constrained delegation" then "Impersonation" is what it should be. Only "open delegation" needs "delegate"
  

• This actually had to do with running the tool from the server itself. If I connected from a remote computer it said "delegation". Now, performancepoint services and excel services still cannot delegation credentials even tho deleconfig reports no errors. This could be a bug in SharePoint 2010 as I've heard others reporting it doesn't work :(
  

• I'm not sure I believe that sharepoint has anything to do with the problem. Kerberos is a feature of Windows, not Sharepoint or even IIS for that matter. If everything looks good in DelegConfig but things still aren't working, you might consider opening a support incident with us.
  

• For the most part, the tool is just for reporting purposes. So when you "add backend" that really is just instructing the tool to show you what settings are needed *if* that were the backend you wanted. Adding the backend in that way doesn't actually change any settings. After adding everything to the tool the way you'd want it, there would then be "Fix this for me" buttons. If you follow the advice of those buttons or text, then it should get things into a better working state for you.
  

• One of the things my code does is call a windows API that asks the computer at a specific IP or FQDN what its computer name is. If the domain trust levels are set such that the computer running DelegConfig is not permitted to get that remote computer name then this API gets back an ACCESS_DENIED and I'll report that message that you're seeing since I don't know what AD account to query for info. But... what I fail to do is assume for a moment that the name you provided is already the machine name. Another thing I do is simulate what nbtstat.exe does. nbtstat asks for the "name table" of a remote address using UDP on port 137. If you don't permit UDP traffic on port 137 then that simulated nbtstat will fail. So I try to get the remote computer's machine name in 2 different ways and if those don't work I am stuck.
  

• Kim,
  
  I've never heard of the problem you are describing. The check I do is relatively simple. I look at the "Authorization" header which is made up of 2 parts like the following:
  
  Authorization:
  
  If the type is "Negotiate" then it can only be either NTLM or Kerberos. All NTLM hashes start with "TlRMTVNTUA" which is a base64 encoded value of NTLMSSP. So if the hash doesn't start with that value your authentication type must be Kerberos.
  
  You can double-check that by writing simple ASP page with the following code then putting it in with the rest of your web site content.
  
  
  

• Kim,
  
  It claimed Kerberos because it was. As to why it was Kerberos before the reboot and not after, that is another question which I don't know the answer to.
  

• Nick,
  
  If you want to test as SSAS as the backend server, just click the "Add Backend" button and choose SSAS as the service type that you want. If you really only want to see SSAS as the first item, go into the wizard and configure that to be the first top.
  

• That error means that either in your machine.config somebody deleted the HttpModule for session state, or it was removed in the site's web.config. I think more likely it is something in the web.config. Just open the web.config in notepad and fix whatever appears to have removed that module. Once you find the section it will make more sense I'm sure.
  

• Brian,
  This tool works great but to get a service application like performancepoint or excel services working in SharePoint 2010 with kerberos requires some new steps. Can DelegConfig v2 check to see if all these steps are followed? It would help a lot. They need to allow delegation for the computer for the SPNs the service application needs to connect to, and they need to add a dummy spn to the service application app pool to set delegation for those same spns, and they need to make sure the Claims to Windows token service is running.
  
  http://blogs.msdn.com/b/andrasg/archive/2010/05/04/setting-up-sharepoint-2010-excel-services-to-get-external-data.aspx
  

• This tool is invaluable! After two days of googling and troubleshooting to get delegation to work, this tool pinpointed the issue! THANK YOU!