An update is available for ISA Server 2006 to control the domain name and user name format in Kerberos Constrained Delegation scenarios

Article ID: 960146

INTRODUCTION

In Microsoft Internet Security and Acceleration (ISA) Server 2006, you publish a Web site by using Kerberos Constrained Delegation. Depending on the Web site, you may want to change how ISA Server requests the Kerberos ticket of an authenticated user.

By default, ISA Server 2006 uses the "Domain NETBIOS name\User" format when it requests the Kerberos ticket. Therefore, the domain name and the user name in the Kerberos ticket will resemble the following:
User: FirstName.LastName
Realm: MyCompany
However, some Web sites require the fully qualified domain name (FQDN) in the Kerberos ticket. In this scenario, the domain name and the user name in the Kerberos ticket should resemble the following:
User: FirstName.LastName
Realm: MyCompany.EMEA.INTRA

MORE INFORMATION

An update is now available that lets you control the domain name and user name format in Kerberos Constrained Delegation scenarios. To apply this update, follow these steps:
  1. Download the hotfix rollup package that is mentioned in Microsoft Knowledge Base article 960148.

    960148 Description of the ISA Server 2006 hotfix package: November 19, 2008
  2. Install the hotfix rollup package on all ISA Server computers.
  3. Start Notepad.
  4. Paste the following script into the Notepad file.
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "UseFQDNinKerberosTicket"
    Const SE_VPS_VALUE = 2
    
    Sub SetValue()
    
        ' Create the root object.
        Dim root  ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")
    
        'Declare the other objects needed.
        Dim array       ' An FPCArray object
        Dim VendorSets  ' An FPCVendorParametersSets collection
        Dim VendorSet   ' An FPCVendorParametersSet object
    
        ' Get references to the array object
        ' and the vendor parameters sets collection.
        Set array = root.GetContainingArray
        Set VendorSets = array.VendorParametersSets
    
        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )
    
        If Err.Number <> 0 Then
            Err.Clear
    
            ' Add the item
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name
    
        Else
            WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
        End If
    
        if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
    
            Err.Clear
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
    
            If Err.Number <> 0 Then
                CheckError
            Else
                VendorSets.Save false, true
    
                ' Test Err before calling CheckError, because CheckError clears it.
                If Err.Number <> 0 Then
                    CheckError
                Else
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                End If
            End If
        Else
            WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If
    
    End Sub
    
    Sub CheckError()
    
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If
    
    End Sub
    
    SetValue
    
  5. Save this file to one of the ISA Server 2006 computers. Use the .vbs file name extension. For example, name the file ISA2006UseFQDNInKerberosTicket.vbs.
  6. Double-click the .vbs file to run the script.
Note The script in this procedure uses the default value for the Const SE_VPS_VALUE property (Const SE_VPS_VALUE = 2). You can change this value according to the following list:
  • If you set Const SE_VPS_VALUE = 0, the domain NETBIOS name is used for the domain name.
    Sample:
    User: FirstName.LastName
    Realm: MyCompany
  • If you set Const SE_VPS_VALUE = 1, the user principal name (UPN) is used for the user name, and the FQDN is used for the domain name.
    Sample:
    User: FirstName.LastName@MyCompany.EMEA.INTRA
    Realm: MyCompany.EMEA.INTRA
  • If you set Const SE_VPS_VALUE = 2, the FQDN is used for the domain name.
    Sample:
    User: FirstName.LastName
    Realm: MyCompany.EMEA.INTRA
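
To confirm which format is in effect after you run the script, you can read the value back without changing it. The following read-only script is an added example and is not part of the original article or of Microsoft's script. It uses only the objects and members that appear in the script above; the names ReportValue, DescribeValue, and isaArray are illustrative, and treating a missing set or value as the default format is an assumption.

```vbscript
' Added example (not from the original article): read-only check of the
' UseFQDNinKerberosTicket setting. It makes no changes and never calls Save.
Option Explicit

Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "UseFQDNinKerberosTicket"

' Map the stored value to the formats listed in the article.
Function DescribeValue(v)
    Select Case CStr(v)
        Case "0"
            DescribeValue = "0 (user name; NETBIOS domain name as realm)"
        Case "1"
            DescribeValue = "1 (UPN as user name; FQDN as realm)"
        Case "2"
            DescribeValue = "2 (user name; FQDN as realm)"
        Case Else
            DescribeValue = CStr(v) & " (not a value listed in the article)"
    End Select
End Function

Sub ReportValue()
    Dim root, isaArray, vendorSet, current

    Set root = CreateObject("FPC.Root")
    Set isaArray = root.GetContainingArray

    On Error Resume Next
    Set vendorSet = isaArray.VendorParametersSets.Item(SE_VPS_GUID)
    If Err.Number <> 0 Then
        Err.Clear
        ' Assumption: no vendor set means the default NETBIOS format applies.
        WScript.Echo "Vendor parameters set not found; default NETBIOS format assumed."
        Exit Sub
    End If

    current = vendorSet.Value(SE_VPS_NAME)
    If Err.Number <> 0 Or IsEmpty(current) Or IsNull(current) Then
        Err.Clear
        WScript.Echo SE_VPS_NAME & " is not set; default NETBIOS format assumed."
    Else
        WScript.Echo SE_VPS_NAME & " = " & DescribeValue(current)
    End If
End Sub

ReportValue
```

Run the script with cscript.exe on an ISA Server computer so that the result is written to the console instead of a message box.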

Properties

Article ID: 960146 - Last Review: January 21, 2009 - Revision: 1.0
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2006 Service Pack 1, when used with:
    • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
    • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition