Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

FIX: The "Const SE_VPS_VALUE = 2" setting does not work for users if the UPN is not associated with a real domain



Symptoms

Consider the following scenario:
  • You publish a web server and authenticate all requests in a Microsoft Forefront Threat Management Gateway (TMG) 2010 environment.
  • You set Authentication delegation to Kerberos constrained delegation (KCD).
  • You use the 960146 update to change the user name and domain name format that is used in the Kerberos ticket for KCD.
  • You set the Const SE_VPS_VALUE setting to 2 to obtain the fully qualified domain name (FQDN). For example, you use the following setting:

    User: FirstName.LastName
    Realm: MyCompany.EMEA.INTRA

In this scenario, KCD fails if the domain part of the user principal name (UPN) does not match a real domain. For example, if the user FirstName.LastName is from the EMEA domain but the user's UPN is FirstName.LastName@MyCompany, and the MyCompany domain does not exist, the delegation fails. This is because TMG tries to contact the MyCompany domain.


Cause

This problem occurs because of the manner in which the TMG delegation module handles the domain and user name information that is retrieved during authentication to create the delegation request.


Resolution

To resolve this problem, install Rollup 5 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2.


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


More Information

This update adds a new option (Const SE_VPS_VALUE = 3) to update 960146.

To apply this update, follow these steps:
  1. Download the Rollup 5 package that is mentioned in the "Resolution" section.
  2. Install the hotfix rollup package on all TMG Server computers.
  3. Start Windows Notepad.
  4. Copy the script from the 960146 update, and then paste the script into Notepad.
  5. In line 3 (Const SE_VPS_VALUE =2), change the value from 2 to 3.
  6. Save the file to one of the TMG 2010 servers by using the .vbs file name extension. For example, name the file as follows:

    TMG2010UseFQDNInKerberosTicket.vbs
  7. To run the script, double-click the .vbs file that you saved.

Notes
  • The script in this procedure uses the default value of 2 for the Const SE_VPS_VALUE property. You can change this value according to the following options:
    • If you set Const SE_VPS_VALUE = 0, the domain NETBIOS name is used for the domain name. For example:

      User: FirstName.LastName
      Realm: MyCompany
    • If you set Const SE_VPS_VALUE = 1, the user principal name (UPN) is used for the user name, and the FQDN is used for the domain name. For example:

      User: FirstName.LastName@MyCompany.EMEA.INTRA
      Realm: MyCompany.EMEA.INTRA
    • If you set Const SE_VPS_VALUE = 2, the FQDN is used for the domain name. For example:

      User: FirstName.LastName
      Realm: MyCompany.EMEA.INTRA
    • If you set Const SE_VPS_VALUE = 3, the FQDN is used for the domain name. For example:

      User: FirstName.LastName
      Realm: MyCompany.EMEA.INTRA
  • The new option that this update adds (Const SE_VPS_VALUE = 3) produces the same output as the Const SE_VPS_VALUE = 2 option, but uses "DS_CANONICAL_NAME" instead of the user UPN format to retrieve the domain information.
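
The difference between options 2 and 3, as an added example that is not part of the original article or the 960146 script: a simplified Python model in which option 2 takes the realm from the UPN suffix and option 3 takes it from the domain part of the DS_CANONICAL_NAME form. The function names, the account records and the list of real domains are constructed for illustration; TMG's internal lookup is not shown in the article.

```python
# Simplified model of the realm lookup for SE_VPS_VALUE 2 and 3 (added example).
# Assumption: option 2 derives the realm from the UPN suffix; option 3 derives it
# from the DNS domain that starts a DS_CANONICAL_NAME ("dns.domain/container/object").
# All function names and sample records are hypothetical, not TMG code.

def realm_from_upn(upn):
    """Return the text after the last '@', or None when there is no suffix."""
    _, sep, suffix = upn.rpartition("@")
    return suffix if sep and suffix else None

def realm_from_canonical(canonical_name):
    """Return the DNS domain that precedes the first '/' of a canonical name."""
    domain, sep, _ = canonical_name.partition("/")
    return domain if sep and domain else None

def kcd_realm(account, option):
    """Realm that would be placed in the delegation request under this model."""
    if option == 2:
        return realm_from_upn(account["upn"])
    if option == 3:
        return realm_from_canonical(account["canonical_name"])
    raise ValueError("only options 2 and 3 are modelled")

def is_real(realm, real_domains):
    """Case-insensitive membership test; a missing realm never matches."""
    return realm is not None and realm.casefold() in {d.casefold() for d in real_domains}

def accounts_failing_option_2(accounts, real_domains):
    """Report accounts whose option-2 realm is not a real domain."""
    findings = []
    for acct in accounts:
        realm2, realm3 = kcd_realm(acct, 2), kcd_realm(acct, 3)
        if not is_real(realm2, real_domains):
            findings.append({"user": acct["sam"], "option2_realm": realm2,
                             "option3_realm": realm3,
                             "option3_ok": is_real(realm3, real_domains)})
    return findings

# Constructed sample data that mirrors the article's scenario.
REAL_DOMAINS = ["MyCompany.EMEA.INTRA"]
ACCOUNTS = [
    {"sam": "FirstName.LastName", "upn": "FirstName.LastName@MyCompany",
     "canonical_name": "MyCompany.EMEA.INTRA/Users/FirstName LastName"},
    {"sam": "Other.User", "upn": "Other.User@MyCompany.EMEA.INTRA",
     "canonical_name": "MyCompany.EMEA.INTRA/Users/Other User"},
]

if __name__ == "__main__":
    for finding in accounts_failing_option_2(ACCOUNTS, REAL_DOMAINS):
        print(finding)
```

Run against an export of real account attributes, the same comparison lists the users for whom option 2 would name a domain that does not exist.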


References

Learn about the terminology that Microsoft uses to describe software updates.


Keywords: kb, kbnotautohotfix, kbqfe, kbfix, kbexpertiseinter, kbbug, kbsurveynew

Article Info
Article ID : 2967763
Revision : 1
Created on : 1/7/2017
Published on : 6/27/2014
Exists online : False