Error message when a user visits Web site that is published by using Microsoft ISA Server together with client certificate authentication: "Error Code: 403 Forbidden"

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows XP and Windows Vista


Consider the following scenario:
  • You have Kerberos constrained delegation configured to use client certificate authentication on a Web site.
  • This Web site is published by using Microsoft ISA Server together with client certificate authentication.
In this scenario, when a user visits the Web site, the user may receive the following error message:
Error Code: 403 Forbidden.
The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)
Additionally, the following entry is logged in the ISA Server Application log:
Type: Error
Date: 10/29/2007
Time: 22:59:16
Event ID: 21315
Source: Microsoft ISA Server Web Proxy
User: N/A
Computer: ISA2K6
ISA Server failed to delegate credentials using Kerberos constrained delegation to the Web site published by the rule YourPublishingRule. Check that the SPN: http/dc-fqdn configured in ISA Server matches the SPN in Active Directory.


This problem occurs because the computer object of ISA Server does not have sufficient permissions to read the attributes of the user account in the Active Directory directory service.


To resolve this problem, use one of the following methods:

Method 1

Add the computer account of the ISA Server to the Windows Authorization Access group. To do this, follow these steps:
  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In Active Directory Users and Computers, click Builtin, and then double-click Windows Authorization Access Group.
  3. Click the Members tab, and then add the ISA Server computer account to the Members list.
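The same change done from PowerShell, as an added example that is not part of this article: it applies Method 1 with the RSAT ActiveDirectory module and also checks the SPN that event 21315 tells you to verify. The computer name and SPN are the placeholders from the event text above; replace them for your environment.

```powershell
# Added example (not from the KB article). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$IsaComputerName = 'ISA2K6'        # ISA Server computer account (name from the event)
$PublishedSpn    = 'http/dc-fqdn'  # SPN configured in the publishing rule (placeholder)
$GroupName       = 'Windows Authorization Access Group'

# Method 1: make the ISA Server computer account a member of the group (idempotent).
$isa     = Get-ADComputer -Identity $IsaComputerName
$members = Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty DistinguishedName
if ($members -contains $isa.DistinguishedName) {
    Write-Output "$IsaComputerName is already a member of '$GroupName'."
} else {
    Add-ADGroupMember -Identity $GroupName -Members $isa
    Write-Output "Added $IsaComputerName to '$GroupName'."
}

# Event 21315 also asks you to check the SPN: it must be registered on exactly
# one account in the domain, otherwise the KDC cannot issue the delegated ticket.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$PublishedSpn)" -Properties servicePrincipalName)
switch ($holders.Count) {
    0       { Write-Warning "SPN $PublishedSpn is not registered on any account." }
    1       { Write-Output  "SPN $PublishedSpn is registered on $($holders[0].DistinguishedName)." }
    default { Write-Warning "SPN $PublishedSpn is duplicated on: $($holders.DistinguishedName -join '; ')" }
}
```

The new group membership is carried in the ISA Server computer account's Kerberos ticket, so restart the ISA Server computer (or purge its computer-account tickets) before you retest.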

Method 2

Make sure that the Service-for-User (S4U) caller has read access to the following objects and properties.

Note In this case, the S4U caller is the ISA Server computer object.
  • The user object or the computer object.
  • The Remote Access Information property.

    Note The GUID of this property is 037088f8-0ae1-11d2-b422-00a0c968f939. This property includes the following attributes:
    • msNPAllowDialin
    • msNPCallingStationID
    • msRADIUSCallbackNumber
    • msRADIUSFramedIPAddress
    • msRADIUSFramedRoute
    • msRADIUSServiceType
    • TokenGroups
  • The token-groups-global-and-universal (TGGAU) property.

    Note Microsoft Knowledge Base article 331951 describes how to enable applications to read the TGGAU attribute. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

    331951 Some applications and APIs require access to authorization information on account objects

Specifically, you can add the security principal that ISA Server uses to the Windows Authorization Access group. You can also add the Everyone group to the Pre-Windows 2000 Compatible Access group; because that group has broad read access to user and group objects across the domain, the Windows Authorization Access group membership is the narrower change.
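To see whether the S4U caller actually meets the Method 2 requirements on a given user, the following added example (not part of this article) lists the Allow ACEs on the user object that grant read access to the Remote Access Information property set (GUID from the note above) or to the TGGAU attribute, and marks those that cover the ISA Server computer account directly or through nested group membership. It assumes the RSAT ActiveDirectory module; the user name is a placeholder.

```powershell
# Added example (not from the KB article). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$UserName        = 'targetuser'  # user being delegated to the Web site (placeholder)
$IsaComputerName = 'ISA2K6'      # S4U caller, name taken from the event text

# Remote Access Information property set (GUID from the article); the TGGAU
# attribute GUID is read from the schema rather than hard-coded.
$rasGuid    = [guid]'037088f8-0ae1-11d2-b422-00a0c968f939'
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$tggauAttr  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=tokenGroupsGlobalAndUniversal)' -Properties schemaIDGUID
$tggauGuid  = [guid]$tggauAttr.schemaIDGUID
$readRights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, GenericRead, GenericAll'

# SIDs in the ISA computer account's token: its own SID plus tokenGroups (nested
# security groups), which is what the KDC evaluates the user's ACL against.
$isa     = Get-ADComputer -Identity $IsaComputerName
$isaAdsi = [ADSI]"LDAP://$($isa.DistinguishedName)"
$isaAdsi.RefreshCache(@('tokenGroups'))
$isaSids = @($isa.SID.Value)
foreach ($raw in $isaAdsi.Properties['tokenGroups']) {
    $isaSids += (New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $raw, 0).Value
}

$user    = Get-ADUser -Identity $UserName
$acl     = Get-Acl -Path "AD:\$($user.DistinguishedName)"
$covered = $false
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    # An empty ObjectType means the right covers all properties; otherwise it must name one of the two sets.
    if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $rasGuid -and $ace.ObjectType -ne $tggauGuid) { continue }
    if ([int]($ace.ActiveDirectoryRights -band $readRights) -eq 0) { continue }
    try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $sid = $null }
    $hit = ($sid -ne $null) -and ($isaSids -contains $sid)
    if ($hit) { $covered = $true }
    '{0,-45} {1,-38} {2}' -f $ace.IdentityReference, $ace.ObjectType, $(if ($hit) { '<- grants the ISA caller' } else { '' })
}
if (-not $covered) {
    Write-Warning "$IsaComputerName has no read ACE for Remote Access Information or TGGAU on $UserName; apply Method 1 or Method 2."
}
```

The script reports Allow ACEs only; a Deny ACE on the same property would still block the caller, so treat its output as a starting point rather than a full effective-permissions calculation.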

More Information

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To confirm that you are encountering this problem, collect network traces on the ISA Server-based computer and a Kerberos debug log on the Key Distribution Center (KDC).

To enable Kerberos logging on the KDC, follow these steps:
  1. Install the checked build of Kerberos modules (Kerberos.dll and Kdcsvc.dll). To do this, follow these steps:
    1. Restart the domain controller in safe mode.
    2. Back up the Kerberos .dll files.
    3. Copy the checked build of Kerberos modules.
  2. Add the following registry entries:
    • Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
      Value: KdcDebugLevel
      Value Type: REG_DWORD
      Value Data: 0xffffffff
    • Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
      Value: LogToFile
      Value Type: REG_DWORD
      Value Data: 1 (enabled)
    • Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
      Value: KdcExtraLogLevel
      Value Type: REG_DWORD
      Value Data: 0x4
  3. Restart the KDC server.
The log file Lsass.log is created in the %Systemroot%\System32 folder.

If you encounter this problem, entries that resemble the following may be logged in the Lsass.log file:
392.1728> KDC-Error: GroupExpansion AuthZAC failed 5, lvl 0
392.1728> KDC-Error: Failed Authz check

392.1728> KDC-(null): Entering FreeTicketInfo
392.1728> KDC-(null): Exiting FreeTicketInfo
392.1728> KDC-Error: KdcGetS4UTicketINfo failed - 6
392.1728> KDC-(null): Entering FreeTicketInfo
392.1728> KDC-(null): Exiting FreeTicketInfo
392.1728> KDC-(null): Entering KdcFreeInternalTicket
392.1728> KDC-(null): Exiting KdcFreeInternalTicket
392.1728> KDC-PAPI: I_GetTGSTicket returning 0x6
In the network traces, you can see entries that resemble the following:
KerberosV5 KerberosV5:AS Request Cname: username@domain.fqdn Realm: kcd.domain.fqdn Sname: krbtgt/kcd.domain.fqdn
KerberosV5 KerberosV5:KRB_ERROR - KDC_ERR_PREAUTH_REQUIRED (25)
KerberosV5 KerberosV5:TGS Request Realm: domain.fqdn
KerberosV5 KerberosV5:KRB_ERROR - KDC_ERR_C_PRINCIPAL_UNKNOWN (6)
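A small parser for the Lsass.log signature above, as an added example that is not part of this article: it groups lines by the process.thread prefix and reports threads where the KDC logged the failed authorization check, together with the Win32 error from the group expansion and the Kerberos error the client received. The sample lines are constructed from the article's excerpt; read a real log with Get-Content and pass its lines instead.

```powershell
# Added example (not from the KB article): detects the S4U authorization failure in Lsass.log.
function Find-S4UAuthzFailure {
    param([string[]]$Lines)
    # "Failed Authz check" is the anchor; the other patterns add the error codes.
    $signature = @{
        GroupExpansion = 'KDC-Error: GroupExpansion AuthZAC failed (\d+)'
        AuthzCheck     = 'KDC-Error: Failed Authz check'
        S4UTicket      = 'KDC-Error: KdcGetS4UTicketI[Nn]fo failed - (\d+)'
        TgsResult      = 'KDC-PAPI: I_GetTGSTicket returning 0x([0-9a-fA-F]+)'
    }
    $byThread = @{}
    foreach ($line in $Lines) {
        if ($line -notmatch '^(?<tid>\d+\.\d+)>\s*(?<msg>.*)$') { continue }
        $tid = $Matches['tid']; $msg = $Matches['msg']
        if (-not $byThread.ContainsKey($tid)) { $byThread[$tid] = @{ Thread = $tid } }
        foreach ($name in $signature.Keys) {
            if ($msg -match $signature[$name]) {
                $byThread[$tid][$name] = if ($Matches.Count -gt 1) { $Matches[1] } else { $true }
            }
        }
    }
    foreach ($t in $byThread.Values) {
        if (-not $t.ContainsKey('AuthzCheck')) { continue }
        New-Object PSObject -Property @{
            Thread           = $t.Thread
            Win32Error       = $t['GroupExpansion']  # 5 = ERROR_ACCESS_DENIED on the user object
            S4UFailure       = $t['S4UTicket']
            KrbErrorToClient = $t['TgsResult']       # 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN, as in the trace
        }
    }
}

# Constructed sample, taken from the article's Lsass.log excerpt.
$sample = @(
    '392.1728> KDC-Error: GroupExpansion AuthZAC failed 5, lvl 0',
    '392.1728> KDC-Error: Failed Authz check',
    '392.1728> KDC-(null): Entering FreeTicketInfo',
    '392.1728> KDC-Error: KdcGetS4UTicketINfo failed - 6',
    '392.1728> KDC-PAPI: I_GetTGSTicket returning 0x6'
)
Find-S4UAuthzFailure -Lines $sample | Format-Table Thread, Win32Error, S4UFailure, KrbErrorToClient
```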

Article ID: 947124 - Last Review: Dec 31, 2008 - Revision: 1