Symptoms
Consider the following scenario:
- You publish a web server and authenticate all requests in a Microsoft Forefront Threat Management Gateway (TMG) 2010 environment.
- You set Authentication delegation to Kerberos constrained delegation (KCD).
- You use the 960146 update to change the user name and domain name format that is used in the Kerberos ticket for KCD.
- You set the Const SE_VPS_VALUE setting to 2 to obtain the fully qualified domain name (FQDN). For example, you use the following setting:
  User: FirstName.LastName
  Realm: MyCompany.EMEA.INTRA
In this scenario, KCD fails if the domain part of the user principal name (UPN) does not match a real domain. For example, if the user is User: FirstName.LastName from the EMEA domain but the user's UPN is FirstName.LastName@MyCompany, and the MyCompany domain does not exist, the KCD delegation fails. This is because TMG tries to contact the MyCompany domain.
Cause
This problem occurs because of the manner in which the TMG delegation module handles the domain and user name information that is retrieved during authentication to create the delegation request.
Resolution
To resolve this problem, install Rollup 5 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2.
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
More Information
This update adds a new option (Const SE_VPS_VALUE = 3) to update 960146.
To apply this update, follow these steps:
- Download the Rollup 5 package that is mentioned in the "Resolution" section.
- Install the hotfix rollup package on all TMG Server computers.
- Start Windows Notepad.
- Copy the script from the 960146 update, and then paste the script into Notepad.
- In line 3 (Const SE_VPS_VALUE = 2), change the value from 2 to 3.
- Save the file to one of the TMG 2010 servers by using the .vbs file name extension. For example, name the file as follows:
  TMG2010UseFQDNInKerberosTicket.vbs
- To run the script, double-click the .vbs file that you saved.
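The following script is an added illustration of the pattern that TMG configuration hotfix scripts of this kind follow (open the FPC.Root COM object, find or create a vendor parameter set by GUID, set one named value, save, and echo the result so the change can be verified). It is not the script from update 960146 and not Microsoft's code; SE_VPS_GUID and SE_VPS_NAME are placeholders that must be replaced with the constants from the real 960146 script, and SE_VPS_VALUE is already set to the new option 3 that Rollup 5 adds.

```vbscript
' Added example: skeleton of a TMG vendor-parameter script.
' SE_VPS_GUID and SE_VPS_NAME are PLACEHOLDERS - take the real constants
' from the 960146 script and change only SE_VPS_VALUE (line 3 in that script).
Option Explicit

Const SE_VPS_GUID  = "{00000000-0000-0000-0000-000000000000}"  ' PLACEHOLDER
Const SE_VPS_NAME  = "PLACEHOLDER_PARAMETER_NAME"              ' PLACEHOLDER
Const SE_VPS_VALUE = 3   ' 0 = NetBIOS realm, 1 = UPN user + FQDN realm,
                         ' 2 = FQDN realm (UPN lookup), 3 = FQDN realm (DS_CANONICAL_NAME)

Sub SetValue()
    Dim root, fpcArray, vendorSets, vendorSet

    ' FPC.Root is the TMG administration COM object; run this on a TMG array member.
    Set root       = CreateObject("FPC.Root")
    Set fpcArray   = root.GetContainingArray
    Set vendorSets = fpcArray.VendorParametersSets

    On Error Resume Next
    Set vendorSet = vendorSets.Item(SE_VPS_GUID)
    If Err.Number <> 0 Then
        Err.Clear
        ' The parameter set does not exist yet: create it under the GUID.
        Set vendorSet = vendorSets.Add(SE_VPS_GUID)
        CheckError "Add vendor parameter set"
        WScript.Echo "Vendor parameter set added: " & vendorSet.Name
    Else
        WScript.Echo "Current value of " & SE_VPS_NAME & ": " & vendorSet.Value(SE_VPS_NAME)
    End If

    If vendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
        Err.Clear
        vendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
        CheckError "Set " & SE_VPS_NAME
        ' Save(False, True): do not force the save, do refresh the in-memory copy.
        vendorSets.Save False, True
        CheckError "Save"
        WScript.Echo SE_VPS_NAME & " set to " & SE_VPS_VALUE & " and saved."
    Else
        WScript.Echo SE_VPS_NAME & " is already " & SE_VPS_VALUE & "; nothing changed."
    End If
End Sub

' Report the last COM error and stop, so a partial change is never silently saved.
Sub CheckError(stage)
    If Err.Number <> 0 Then
        WScript.Echo "Error at " & stage & ": 0x" & Hex(Err.Number) & " " & Err.Description
        WScript.Quit 1
    End If
End Sub

SetValue
```

Run it as an administrator on one array member (the configuration is stored in the array and replicates to the other members); the echoed "Current value" line shows what the option was before the change, which is the quickest way to confirm that the previous run of the 960146 script, and this change to 3, actually took effect.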
Notes
- The script in this procedure uses the default value of 2 for the Const SE_VPS_VALUE property. You can change this value according to the following options:
  - If you set Const SE_VPS_VALUE = 0, the domain NetBIOS name is used for the domain name. For example:
    User: FirstName.LastName
    Realm: MyCompany
  - If you set Const SE_VPS_VALUE = 1, the user principal name (UPN) is used for the user name, and the FQDN is used for the domain name. For example:
    User: FirstName.LastName@MyCompany.EMEA.INTRA
    Realm: MyCompany.EMEA.INTRA
  - If you set Const SE_VPS_VALUE = 2, the FQDN is used for the domain name. For example:
    User: FirstName.LastName
    Realm: MyCompany.EMEA.INTRA
  - If you set Const SE_VPS_VALUE = 3, the FQDN is used for the domain name. For example:
    User: FirstName.LastName
    Realm: MyCompany.EMEA.INTRA
- The new option that is added by this update produces the same output as the second list option, but it uses "DS_CANONICAL_NAME" instead of the user UPN format to retrieve the domain information.
References
Learn about the terminology that Microsoft uses to describe software updates.