FIX: You cannot log on when FQDN is used and Authentication delegation is set to "Kerberos constrained delegation" in a Forefront Threat Management Gateway 2010 environment

Article translations Article translations
Article ID: 2783332 - View products that this article applies to.
Expand all | Collapse all

Symptoms

Consider the following scenario:
  • You publish a web server and authenticate all requests in a Microsoft Forefront Threat Management Gateway 2010 environment.
  • You set Authentication delegation to Kerberos constrained delegation (KCD).
  • You set the Const SE_VPS_VALUE property to 2 to use the fully qualified domain name (FQDN) in the Kerberos ticket as described in the following article:
    960146 An update is available for ISA Server 2006 to control the domain name and user name format in Kerberos Constrained Delegation scenarios
In this scenario, you cannot log on to the web server.

Resolution

To resolve this problem, install the hotfix package that is described in the following Microsoft Knowledge Base article:
2735208 Rollup 3 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More information

By default, TMG 2010 uses the "Domain NETBIOS name\User name" format when it requests a Kerberos ticket. Therefore, the domain name and the user name in the Kerberos ticket resemble the following:
User: FirstName.LastName
Realm: MyCompany
Update 960146 introduced a design change in TMG to control how to format the domain name and the user name by using script.

However, when the Const SE_VPS_VALUE property is set to 2, the FQDN is used for the domain name format. This does not work for users whose name part before the @ sign for the Security Accounts Manager (SAM) account differs from the user principal name (UPN) authentication account.

For example, authentication is successful when SAM and UPN match as follows:
SAM: domain\username 
UPN: username@domain.com
Authentication is unsuccessful when SAM and UPN do not match as follows:
SAM: domain\username
UPN: userUPN@domain.com

References

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Properties

Article ID: 2783332 - Last Review: January 10, 2013 - Revision: 1.0
Applies to
  • Microsoft Forefront Threat Management Gateway 2010 Service Pack 2, when used with:
    • Microsoft Forefront Threat Management Gateway 2010 Enterprise
Keywords: 
kbqfe kbfix kbexpertiseinter kbbug kbsurveynew KB2783332

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com