Help and Support
 

powered byLive Search

Error message when a user visits Web site that is published by using Microsoft ISA Server together with client certificate authentication: "Error Code: 403 Forbidden"

View products that this article applies to.
Article ID:947124
Last Review:March 3, 2008
Revision:1.2
Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows XP and Windows Vista

SYMPTOMS

Consider the following scenario:
You have Kerberos constrained delegation configured to use client certificate authentication on a Web site.
This Web site is published by using Microsoft ISA Server together with client certificate authentication.
In this scenario, when a user visits the Web site, the user may receive the following error message:
Error Code: 403 Forbidden.
The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)
Additionally, the following entry is logged in the ISA Server Application log: 
Type: Error
Date: 10/29/2007
Time: 22:59:16
Event ID: 21315
Source: Microsoft ISA Server Web Proxy
User: N/A
Computer: ISA2K6
Details: 
ISA Server failed to delegate credentials using Kerberos constrained delegation to the Web site published by the rule YourPublishingRule. Check that the SPN: http/dc-fqdn configured in ISA Server matches the SPN in Active Directory.

Back to the top

CAUSE

This problem occurs because the computer object of ISA Server does not have sufficient permissions to read the attributes of the user account in the Active Directory directory service.

Back to the top

RESOLUTION

To resolve this problem, make sure that the following access requirements match the Service-for-User (S4U) caller.

Note In this case, the S4U caller is the ISA Server computer object.
The user object or the computer object.
The Remote Access information property.
The Remote Access Information property.

Note The GUID of this property is 037088f8-0ae1-11d2-b422-00a0c968f939. This property includes the following attributes:
msNPAllowDialin
msNPCallingStationID
msRADIUSCallbackNumber
msRADIUSFramedIPAddress
msRADIUSFramedRoute
msRADIUSServiceType
TokenGroups
The token-groups-global-and-universal (TGGAU) property.

Note Microsoft Knowledge Base article 331951 describes how to enable applications to read the TGGAU attribute. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
331951 (http://support.microsoft.com/kb/331951/) Some applications and APIs require access to authorization information on account objects
Specifically, you can try to add the security principal that is used by ISA Server to the Windows Authorization Access group. You can also add the Everyone group to the Pre-Windows 2000 Compatible Access group.

Back to the top

MORE INFORMATION

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To make sure that you encounter this problem, you can collect network traces from the ISA Server-based computer and from a Kerberos debug log on the Key Distribution Center (KDC).

To enable Kerberos logging on the KDC, follow these steps:
1.Install the checked build of Kerberos modules (Kerberos.dll and Kdcsvc.dll). To do this, follow these steps:
a. Restart the domain controller in safe mode.
b. Back up the Kerberos .dll files.
c. Copy the checked build of Kerberos modules.
2.Add the following registry entries:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
Value: KdcDebugLevel
Value Type: REG_DWORD
Value Data:0xffffffff
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro\Lsa\Kerberos\Parameters
Value: LogToFile
Value Type: REG_DWORD
Value Data: 1 (enabled)
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
Value: KdcExtraLogLevel
Value Type: REG8DWORD
Value Data:0x4
3.Restart the KDC server.
The log file Lsass.log is created in the %Systemroot%\System32 folder.

If you encounter this problem, entries that resemble the following may be logged in the Lsass.log file: 
392.1728> KDC-Error: GroupExpansion AuthZAC failed 5, lvl 
0392.1728> KDC-Error: Failed Authz check 

392.1728> KDC-(null): Entering FreeTicketInfo
392.1728> KDC-(null): Exiting FreeTicketInfo
392.1728> KDC-Error: KdcGetS4UTicketINfo failed - 6
392.1728> KDC-(null): Entering FreeTicketInfo
392.1728> KDC-(null): Exiting FreeTicketInfo
392.1728> KDC-(null): Entering KdcFreeInternalTicket
392.1728> KDC-(null): Exiting KdcFreeInternalTicket
392.1728> KDC-PAPI: I_GetTGSTicket returning 0x6
In the network traces, you can see entries that resemble the following: 
10.10.10.1  10.10.10.10 KerberosV5  KerberosV5:AS Request Cname: username@domain.fqdn Realm: kcd.domain.fqdn Sname: krbtgt/kcd.domain.fqdn 
10.10.10.10 10.10.10.1  KerberosV5  KerberosV5:KRB_ERROR  - KDC_ERR_PREAUTH_REQUIRED (25)
10.10.10.1  10.10.10.10 KerberosV5  KerberosV5:TGS Request Realm: domain.fqdn 
10.10.10.10 10.10.10.1  KerberosV5  KerberosV5:KRB_ERROR  - KDC_ERR_C_PRINCIPAL_UNKNOWN (6)

Back to the top

APPLIES TO
Microsoft Internet Security and Acceleration Server 2004 Standard Edition
Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
Microsoft Internet Security and Acceleration Server 2006 Standard Edition
Microsoft Internet Security and Acceleration Server 2000 Standard Edition
Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition

Back to the top

Keywords: 
kbexpertiseinter kbtshoot kbprb KB947124

Back to the top

Article Translations

 

Other Support Options

  • Need More Help?
    Contact a Support professional by Email, Online or Phone.
  • Customer Service
    For non-technical assistance with product purchases, subscriptions, online services, events, training courses, corporate sales, piracy issues, and more.
  • Newsgroups
    Pose a question to other users. Discussion groups and Forums about specific Microsoft products, technologies, and services.