Article ID: 947124 - View products that this article applies to.
Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/322756/ )How to back up and restore the registry in Windows XP and Windows Vista
Consider the following scenario:
Additionally, the following entry is logged in the ISA Server Application log:
Error Code: 403 Forbidden.
The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)
Type: Error Date: 10/29/2007 Time: 22:59:16 Event ID: 21315 Source: Microsoft ISA Server Web Proxy User: N/A Computer: ISA2K6 Details: ISA Server failed to delegate credentials using Kerberos constrained delegation to the Web site published by the rule YourPublishingRule. Check that the SPN: http/dc-fqdn configured in ISA Server matches the SPN in Active Directory.
This problem occurs because the computer object of ISA Server does not have sufficient permissions to read the attributes of the user account in the Active Directory directory service.
To resolve this problem, use one of the following methods:
Method 1Add the computer account of the ISA Server to the Windows Authorization Access group. To do this, follow these steps:
Method 2Make sure that the following access requirements match the Service-for-User (S4U) caller.
Note In this case, the S4U caller is the ISA Server computer object.
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
To make sure that you encounter this problem, you can collect network traces from the ISA Server-based computer and from a Kerberos debug log on the Key Distribution Center (KDC).
To enable Kerberos logging on the KDC, follow these steps:
If you encounter this problem, entries that resemble the following may be logged in the Lsass.log file:
In the network traces, you can see entries that resemble the following:
392.1728> KDC-Error: GroupExpansion AuthZAC failed 5, lvl 0392.1728> KDC-Error: Failed Authz check 392.1728> KDC-(null): Entering FreeTicketInfo 392.1728> KDC-(null): Exiting FreeTicketInfo 392.1728> KDC-Error: KdcGetS4UTicketINfo failed - 6 392.1728> KDC-(null): Entering FreeTicketInfo 392.1728> KDC-(null): Exiting FreeTicketInfo 392.1728> KDC-(null): Entering KdcFreeInternalTicket 392.1728> KDC-(null): Exiting KdcFreeInternalTicket 392.1728> KDC-PAPI: I_GetTGSTicket returning 0x6
10.10.10.1 10.10.10.10 KerberosV5 KerberosV5:AS Request Cname: email@example.com Realm: kcd.domain.fqdn Sname: krbtgt/kcd.domain.fqdn 10.10.10.10 10.10.10.1 KerberosV5 KerberosV5:KRB_ERROR - KDC_ERR_PREAUTH_REQUIRED (25) 10.10.10.1 10.10.10.10 KerberosV5 KerberosV5:TGS Request Realm: domain.fqdn 10.10.10.10 10.10.10.1 KerberosV5 KerberosV5:KRB_ERROR - KDC_ERR_C_PRINCIPAL_UNKNOWN (6)
Article ID: 947124 - Last Review: January 1, 2009 - Revision: 2.0
Contact us for more help