Error message when a user visits Web site that is published by using Microsoft ISA Server together with client certificate authentication: "Error Code: 403 Forbidden"

View products that this article applies to.

Symptoms

Consider the following scenario:

You have Kerberos constrained delegation configured to use client certificate authentication on a Web site.
This Web site is published by using Microsoft ISA Server together with client certificate authentication.

In this scenario, when a user visits the Web site, the user may receive the following error message:

Error Code: 403 Forbidden.
The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

Additionally, the following entry is logged in the ISA Server Application log:

Type: Error
Date: 10/29/2007
Time: 22:59:16
Event ID: 21315
Source: Microsoft ISA Server Web Proxy
User: N/A
Computer: ISA2K6
Details: 
ISA Server failed to delegate credentials using Kerberos constrained delegation to the Web site published by the rule YourPublishingRule. Check that the SPN: http/dc-fqdn configured in ISA Server matches the SPN in Active Directory.

↑ Back to the top

Cause

This problem occurs because the computer object of ISA Server does not have sufficient permissions to read the attributes of the user account in the Active Directory directory service.

↑ Back to the top

Resolution

To resolve this problem, use one of the following methods:

Method 1

Add the computer account of the ISA Server to the Windows Authorization Access group. To do this, follow these steps:

Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
In Active Directory Users and Computers, click Builtin, and then double-click Windows Authorization Access Group.
Click the Members tab, and then add the ISA Server computer account to the Members list.

Method 2

Make sure that the following access requirements match the Service-for-User (S4U) caller.

Note In this case, the S4U caller is the ISA Server computer object.

The user object or the computer object.
The Remote Access information property.
The Remote Access Information property.

Note The GUID of this property is 037088f8-0ae1-11d2-b422-00a0c968f939. This property includes the following attributes:
- msNPAllowDialin
- msNPCallingStationID
- msRADIUSCallbackNumber
- msRADIUSFramedIPAddress
- msRADIUSFramedRoute
- msRADIUSServiceType
- TokenGroups
The token-groups-global-and-universal (TGGAU) property.

Note Microsoft Knowledge Base article 331951 describes how to enable applications to read the TGGAU attribute. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
331951 Some applications and APIs require access to authorization information on account objects

Specifically, you can try to add the security principal that is used by ISA Server to the Windows Authorization Access group. You can also add the Everyone group to the Pre-Windows 2000 Compatible Access group.

↑ Back to the top

More information

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To make sure that you encounter this problem, you can collect network traces from the ISA Server-based computer and from a Kerberos debug log on the Key Distribution Center (KDC).

To enable Kerberos logging on the KDC, follow these steps:

Install the checked build of Kerberos modules (Kerberos.dll and Kdcsvc.dll). To do this, follow these steps:
1. Restart the domain controller in safe mode.
2. Back up the Kerberos .dll files.
3. Copy the checked build of Kerberos modules.
Add the following registry entries:
- Registry subkey:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
  
  Value: KdcDebugLevel
  Value Type: REG_DWORD
  Value Data:0xffffffff
- Registry subkey:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro\Lsa\Kerberos\Parameters
  
  Value: LogToFile
  Value Type: REG_DWORD
  Value Data: 1 (enabled)
- Registry subkey:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
  
  Value: KdcExtraLogLevel
  Value Type: REG8DWORD
  Value Data:0x4
Restart the KDC server.

The log file Lsass.log is created in the %Systemroot%\System32 folder.

If you encounter this problem, entries that resemble the following may be logged in the Lsass.log file:

392.1728> KDC-Error: GroupExpansion AuthZAC failed 5, lvl 
0392.1728> KDC-Error: Failed Authz check 

392.1728> KDC-(null): Entering FreeTicketInfo
392.1728> KDC-(null): Exiting FreeTicketInfo
392.1728> KDC-Error: KdcGetS4UTicketINfo failed - 6
392.1728> KDC-(null): Entering FreeTicketInfo
392.1728> KDC-(null): Exiting FreeTicketInfo
392.1728> KDC-(null): Entering KdcFreeInternalTicket
392.1728> KDC-(null): Exiting KdcFreeInternalTicket
392.1728> KDC-PAPI: I_GetTGSTicket returning 0x6

In the network traces, you can see entries that resemble the following:

10.10.10.1  10.10.10.10 KerberosV5  KerberosV5:AS Request Cname: username@domain.fqdn Realm: kcd.domain.fqdn Sname: krbtgt/kcd.domain.fqdn 
10.10.10.10 10.10.10.1  KerberosV5  KerberosV5:KRB_ERROR  - KDC_ERR_PREAUTH_REQUIRED (25)
10.10.10.1  10.10.10.10 KerberosV5  KerberosV5:TGS Request Realm: domain.fqdn 
10.10.10.10 10.10.10.1  KerberosV5  KerberosV5:KRB_ERROR  - KDC_ERR_C_PRINCIPAL_UNKNOWN (6)

↑ Back to the top

Applies to:

↑ Back to the top

Keywords: KB947124, kbprb, kbtshoot, kbexpertiseinter

↑ Back to the top

Article Info

Article ID	:	947124
Revision	:	2
Created on	:	1/1/2009
Published on	:	1/1/2009
Exists online	:	False
Views	:	543

Microsoft KB Archive Search

Error message when a user visits Web site that is published by using Microsoft ISA Server together with client certificate authentication: "Error Code: 403 Forbidden"

Symptoms

Cause

Resolution

Method 1

Method 2

More information

Applies to: