Cannot get KCD working


I need help with Publishing SharePoint or OWA using KCD.
Basically I followed the instructions for KCD:
The published service is IIS and has a service principal set to http/mypublishedhost.mydomain; reverse lookup works via DNS. Connecting directly works fine, and I get my ticket http/mypublishedhost.mydomain@MYDOMAIN.
I set up my KCD account for the Kemp as a normal user account:
upn: kcd_trusted@MY.DOMAIN
spn: http/kcd_trusted
Constrained delegation for http/mypublishedhost.mydomain (allow any authentication protocol).

I had to replace internal names with dummy information. Is domain name length a problem? (Our internal domain name length sums to 27 for this subdomain.)

When using FBA, my client user is parsed successfully.
Ticket requests seem to work: the Kemp first gets the AS ticket, but then repeats 4 TGS requests, which are accepted by the KDC. The only thing I'm curious about is that the enc_type of the message body is 23, while the enc_type for PA-ENC-TIMESTAMP is 17. AES should be preferred.
It looks like the Kemp does not want to use the retrieved S4U2SELF tickets; my trace logs look like this:

Nov 24 09:07:10 mykemp01 ssomgr: #24490# << do_sso_ldap_check: bindrc:0 groupOK:1
Nov 24 09:07:10 mykemp01 ssomgr: #24490# >>> configure_kerberos_domain
Nov 24 09:07:10 mykemp01 ssomgr: #24490# Init Kerberos domain
Nov 24 09:07:10 mykemp01 ssomgr: #24490# create_keytab: Parse use
Nov 24 09:07:10 mykemp01 ssomgr: #24490# kinit_domain: krb5 ctx initialized
Nov 24 09:07:10 mykemp01 ssomgr: #24490# kinit_domain: Get kerberos cache
Nov 24 09:07:10 mykemp01 ssomgr: #24490# Set kerberos cache
Nov 24 09:07:10 mykemp01 ssomgr: #24490# kinit_domain: Forwardable flag set
Nov 24 09:07:10 mykemp01 ssomgr: #24490# kinit_domain: krb5 flags parsed
Nov 24 09:07:10 mykemp01 ssomgr: #24490# kinit_domain: Getting credentials for kcd_trusted@MY.DOMAIN
Nov 24 09:07:10 mykemp01 ssomgr: #24490# kinit_domain: kinit done
Nov 24 09:07:10 mykemp01 ssomgr: #24490# kinit_domain: krb5_gss_register_acceptor_identity
Nov 24 09:07:10 mykemp01 ssomgr: #24490# <<< configure_kerberos_domain - ret=0
Nov 24 09:07:10 mykemp01 ssomgr: #24490# ldap_check_thread(): blob=0x69e800 sz=65536
Nov 24 09:07:10 mykemp01 ssomgr: #24490# baseUserName: basename=|test_93|
Nov 24 09:07:10 mykemp01 ssomgr: #24490# >>> kcd_get_user_ticket
Nov 24 09:07:10 mykemp01 ssomgr: #24490# >>>resolve_destination_address: Attempt to resolve destination [10.x.x.x][2]
Nov 24 09:07:10 mykemp01 ssomgr: #24490# <<<resolve_destination_address: Resolved destination host name [mypublishedhost.my.domain]
Nov 24 09:07:10 mykemp01 ssomgr: #24490# kcd_get_user_ticket: user=[MY\test_93] [basename=[test_93]
Nov 24 09:07:10 mykemp01 ssomgr: #24490# kcd_get_user_ticket: Destination name=[http/mypublishedhost.my.domain@MY.DOMAIN]
Nov 24 09:07:10 mykemp01 ssomgr: #24490# kcd_get_user_ticket: kcd_ticket:0x7f0b1aa62ee0 [65536/65536]
Nov 24 09:07:10 mykemp01 ssomgr: #24490# >>> get_impersonator_cred_handle
Nov 24 09:07:10 mykemp01 ssomgr: #24490# >>> get_impersonator_cred_handle - handle=0x7f0b0c0162f0
Nov 24 09:07:10 mykemp01 ssomgr: #24490# kcd_get_user_ticket: Get a ticket on behalf of user test_93
Nov 24 09:07:10 mykemp01 ssomgr: #24490# kcd_get_user_ticket: Credentials aquired
Nov 24 09:07:10 mykemp01 ssomgr: #24490# init_accept_sec_context(): Target name: [kcd_trusted@MY.DOMAIN]
Nov 24 09:07:10 mykemp01 ssomgr: #24490# Target mech: [{ 1 3 6 1 5 5 2 }]
Nov 24 09:07:10 mykemp01 ssomgr: #24490# gss_accept_sec_context: Unspecified GSS failure.  Minor code may provide more information
Nov 24 09:07:10 mykemp01 ssomgr: #24490# gss_accept_sec_context: Wrong principal in request
Nov 24 09:07:10 mykemp01 ssomgr: #24490# establish_contexts: One side wants to continue after the other is done
Nov 24 09:07:10 mykemp01 ssomgr: #24490# gss_canonicalize_name: A required input parameter could not be read
Nov 24 09:07:10 mykemp01 ssomgr: #24490# gss_canonicalize_name: Unknown error
Nov 24 09:07:10 mykemp01 ssomgr: #24490# gss_display_name: A required input parameter could not be read
Nov 24 09:07:10 mykemp01 ssomgr: #24490# gss_display_name: An invalid name was supplied
Nov 24 09:07:10 mykemp01 ssomgr: #24490# gss_display_name: Unknown error
Nov 24 09:07:10 mykemp01 ssomgr: #24490# init_accept_sec_context(): Source name: []
Nov 24 09:07:10 mykemp01 ssomgr: #24490# gss_oid_to_str: A required input parameter could not be read
Nov 24 09:07:10 mykemp01 ssomgr: #24490# gss_oid_to_str: No error
Nov 24 09:07:10 mykemp01 ssomgr: #24490# init_accept_sec_context(): Source mech: []
Nov 24 09:07:10 mykemp01 ssomgr: #24490# gss_inquire_name: A required input parameter could not be read
Nov 24 09:07:10 mykemp01 ssomgr: #24490# gss_inquire_name: An invalid name was supplied
Nov 24 09:07:10 mykemp01 ssomgr: #24490# gss_inquire_name: 
Nov 24 09:07:10 mykemp01 ssomgr: #24490# kcd_get_user_ticket: error: delegated_cred_handle == GSS_C_NO_CREDENTIAL
Nov 24 09:07:10 mykemp01 ssomgr: #24490# Proxy name: [kcd_trusted@MY.DOMAIN]
Nov 24 09:07:10 mykemp01 ssomgr: #24490# Target name: [http/mypublishedhost.my.domain@MY.DOMAIN]
Nov 24 09:07:10 mykemp01 ssomgr: #24490# Delegated name: [kcd_trusted@MY.DOMAIN]
Nov 24 09:07:10 mykemp01 ssomgr: #24490# Delegated mech: [{ 1 2 840 113554 1 2 2 }]
Nov 24 09:07:10 mykemp01 ssomgr: #24490# <<< kcd_get_user_ticket - ret=-1


Any ideas? I'm really stuck at this point.
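Triage helper for a trace like the one above, added here as an example and not part of the original post or of the Kemp product: it groups the ssomgr lines by request id, records the return code of kcd_get_user_ticket, collects the GSS error lines, and pulls out the Destination/Target/Proxy/Delegated names so they can be compared against the SPNs registered on the KCD account. The sample lines are a constructed subset of the post's own (already anonymised) trace; the SPN list passed to check_acceptor_name is an assumption taken from the configuration described in the post, and the field names and regexes are mine, not a documented ssomgr format.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a trimmed subset of the ssomgr trace quoted in the post.
# Hosts, accounts and realm are the post's own dummy values.
SAMPLE_TRACE = """\
Nov 24 09:07:10 mykemp01 ssomgr: #24490# >>> kcd_get_user_ticket
Nov 24 09:07:10 mykemp01 ssomgr: #24490# kcd_get_user_ticket: Destination name=[http/mypublishedhost.my.domain@MY.DOMAIN]
Nov 24 09:07:10 mykemp01 ssomgr: #24490# init_accept_sec_context(): Target name: [kcd_trusted@MY.DOMAIN]
Nov 24 09:07:10 mykemp01 ssomgr: #24490# gss_accept_sec_context: Unspecified GSS failure.  Minor code may provide more information
Nov 24 09:07:10 mykemp01 ssomgr: #24490# gss_accept_sec_context: Wrong principal in request
Nov 24 09:07:10 mykemp01 ssomgr: #24490# gss_oid_to_str: No error
Nov 24 09:07:10 mykemp01 ssomgr: #24490# kcd_get_user_ticket: error: delegated_cred_handle == GSS_C_NO_CREDENTIAL
Nov 24 09:07:10 mykemp01 ssomgr: #24490# Proxy name: [kcd_trusted@MY.DOMAIN]
Nov 24 09:07:10 mykemp01 ssomgr: #24490# Target name: [http/mypublishedhost.my.domain@MY.DOMAIN]
Nov 24 09:07:10 mykemp01 ssomgr: #24490# Delegated name: [kcd_trusted@MY.DOMAIN]
Nov 24 09:07:10 mykemp01 ssomgr: #24490# <<< kcd_get_user_ticket - ret=-1
"""

# Regexes are assumptions fitted to the lines in the post, not a documented format.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) ssomgr: "
    r"#(?P<req>\d+)# (?P<msg>.*)$"
)
EXIT_RE = re.compile(r"^<<<\s*(?P<fn>\w+) - ret=(?P<ret>-?\d+)$")
GSS_RE = re.compile(r"^(?P<call>gss_\w+): (?P<text>.*)$")
NAME_RE = re.compile(
    r"(?P<label>Destination|Target|Proxy|Delegated|Source) name[:=]\s*\[(?P<value>[^\]]*)\]"
)
ACCEPTOR_PREFIX = "init_accept_sec_context():"


@dataclass
class KcdTriage:
    request_id: str
    return_codes: Dict[str, int] = field(default_factory=dict)   # fn -> ret
    gss_failures: List[str] = field(default_factory=list)        # "call: text"
    names: Dict[str, List[str]] = field(default_factory=dict)    # label -> values in order
    acceptor_target: Optional[str] = None                        # name handed to the acceptor
    no_delegated_cred: bool = False


def principal_kind(principal: str) -> str:
    """Classify a Kerberos principal by shape: 'service' for service/host@REALM,
    'user' for name@REALM, 'empty' for a blank name."""
    if not principal:
        return "empty"
    primary = principal.split("@", 1)[0]
    return "service" if "/" in primary else "user"


def parse_trace(text: str) -> Dict[str, KcdTriage]:
    """Group ssomgr trace lines by request id and extract the fields worth
    comparing when kcd_get_user_ticket returns an error."""
    triages: Dict[str, KcdTriage] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an ssomgr trace line
        req, msg = m.group("req"), m.group("msg").strip()
        tri = triages.setdefault(req, KcdTriage(request_id=req))
        if (e := EXIT_RE.match(msg)):
            tri.return_codes[e.group("fn")] = int(e.group("ret"))
            continue
        if (g := GSS_RE.match(msg)):
            # keep informative GSS lines, drop the "No error" noise
            if g.group("text") not in ("No error", ""):
                tri.gss_failures.append(f"{g.group('call')}: {g.group('text')}")
            continue
        if "delegated_cred_handle == GSS_C_NO_CREDENTIAL" in msg:
            tri.no_delegated_cred = True
        if (n := NAME_RE.search(msg)):
            label, value = n.group("label"), n.group("value")
            tri.names.setdefault(label, []).append(value)
            if label == "Target" and msg.startswith(ACCEPTOR_PREFIX):
                tri.acceptor_target = value
    return triages


def check_acceptor_name(tri: KcdTriage, configured_spns: List[str]) -> List[str]:
    """Compare the name the acceptor was given with the SPNs registered on the
    KCD account (configured_spns is the operator's input) and list findings."""
    findings: List[str] = []
    target = tri.acceptor_target or ""
    findings.append(f"acceptor target [{target}] is a {principal_kind(target)}-form principal")
    primary = target.split("@", 1)[0]
    if primary and primary not in configured_spns:
        findings.append(f"acceptor target primary [{primary}] is not among configured SPNs {configured_spns}")
    for msg in tri.gss_failures:
        if "Wrong principal" in msg:
            findings.append(f"acceptor rejected the principal: {msg}")
    if tri.no_delegated_cred:
        findings.append("kcd_get_user_ticket reported no delegated credential handle")
    ret = tri.return_codes.get("kcd_get_user_ticket")
    if ret is not None and ret < 0:
        findings.append(f"kcd_get_user_ticket returned {ret}")
    return findings


if __name__ == "__main__":
    for req, tri in parse_trace(SAMPLE_TRACE).items():
        print(f"request #{req}#")
        for line in check_acceptor_name(tri, ["http/kcd_trusted"]):
            print("  -", line)
```

Run it against a full ssomgr trace by reading the file into parse_trace; the findings only restate what the trace and your SPN list contain, so the comparison between the acceptor's target name and the registered SPN forms is the thing to read, not a verdict.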
