Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. A user cannot access a Web site that is published in ISA Server 2006 by using Kerberos constrained delegation if the user is not in the same domain as the ISA Server computer

A user cannot access a Web site that is published in ISA Server 2006 by using Kerberos constrained delegation if the user is not in the same domain as the ISA Server computer

View products that this article applies to.

Symptoms

Consider the following scenario:
  • You publish a Web site in Microsoft Internet Security and Acceleration (ISA) Server 2006.
  • In the Web publishing rule, you configure ISA Server to use Kerberos constrained delegation (KCD) to delegate user credentials to the Web site.
  • A user authenticates with ISA Server by specifying a user principal name (UPN) in the credential.
  • The user is not in the same domain as the ISA Server computer.
In this scenario, when the user tries to access the published Web site, the user receives the following error message:
The page cannot be displayed
Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)
Note This problem does not occur if the user specifies a Security Account Manager (SAM)-compatible user name in the credential.

↑ Back to the top

Cause

ISA Server does not correctly parse the domain name from the UPN credential. Instead, ISA Server uses its own domain name in the ticket-granting service (TGS) request to request a Kerberos ticket on behalf of the user. If the user belongs to a different domain, the Active Directory directory service does not know the service name. Therefore, the Active Directory directory service does not give ISA Server a ticket for authentication.

↑ Back to the top

Resolution

To resolve this problem, apply the hotfix rollup package that is described in the following article in the Microsoft Knowledge Base: For more information, click the following article number to view the article in the Microsoft Knowledge Base:
942639 Description of the ISA Server 2006 hotfix package: September 24, 2007

↑ Back to the top

Workaround

To work around this problem, a user can specify a SAM-compatible user name in the credential when the user authenticates with ISA Server. A SAM-compatible user name resembles the following:
DomainName\Username
Note This workaround may still fail if the user account is a member of a domain in a trusted forest. For more information about this limitation, click the following article number to view the article in the Microsoft Knowledge Base:
949015 Applications that perform KCD delegation may not finish the S4U process on a computer that is running Windows Server 2008 or Windows Server 2003

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

Keywords: KB942637, kbqfe, kbexpertiseinter

↑ Back to the top

Article Info
Article ID : 942637
Revision : 2
Created on : 6/20/2008
Published on : 6/20/2008
Exists online : False
Views : 357