An update is available for ISA Server 2006 to control the domain name and user name format in Kerberos Constrained Delegation scenarios

INTRODUCTION

In Microsoft Internet Security and Acceleration (ISA) Server 2006, you can publish a Web site by using Kerberos Constrained Delegation. Depending on the Web site, you may want to change how ISA Server requests the Kerberos ticket on behalf of an authenticated user.

By default, ISA Server 2006 uses the "Domain NETBIOS name\User" format when it requests the Kerberos ticket. Therefore, the domain name and the user name in the Kerberos ticket resemble the following:
    User: FirstName.LastName
    Realm: MyCompany
However, some Web sites require the fully qualified domain name (FQDN) in the Kerberos ticket. In this scenario, the domain name and the user name in the Kerberos ticket should resemble the following:
    User: FirstName.LastName
    Realm: MyCompany.EMEA.INTRA

More Information

An update is now available that lets you control the domain name and user name format in Kerberos Constrained Delegation scenarios. To apply this update, follow these steps:
  1. Download the hotfix rollup package that is mentioned in Microsoft Knowledge Base article 960148.

    960148 Description of the ISA Server 2006 hotfix package: November 19, 2008

  2. Install the hotfix rollup package on all ISA Server computers.
  3. Start Notepad.
  4. Paste the following script into the Notepad file.
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "UseFQDNinKerberosTicket"
    Const SE_VPS_VALUE = 2

    Sub SetValue()

        ' Create the root object.
        Dim root ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")

        ' Declare the other objects needed.
        Dim array ' An FPCArray object
        Dim VendorSets ' An FPCVendorParametersSets collection
        Dim VendorSet ' An FPCVendorParametersSet object

        ' Get references to the array object
        ' and the vendor parameters sets collection.
        Set array = root.GetContainingArray
        Set VendorSets = array.VendorParametersSets

        ' Item raises an error if no set with this GUID exists yet.
        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )

        If Err.Number <> 0 Then
            Err.Clear

            ' Add the item
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name

        Else
            WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
        End If

        ' Only write and save when the stored value differs from SE_VPS_VALUE.
        If VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

            Err.Clear
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

            If Err.Number <> 0 Then
                CheckError
            Else
                ' Save the change to the array configuration.
                VendorSets.Save false, true
                CheckError

                If Err.Number = 0 Then
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                End If
            End If
        Else
            WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If

    End Sub

    Sub CheckError()

        ' Report the pending error (if any) and clear it so the script can continue.
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If

    End Sub

    SetValue
  5. Save this file to one of the ISA Server 2006 computers. Use the .vbs file name extension. For example, name the file ISA2006UseFQDNInKerberosTicket.vbs.
  6. Double-click the .vbs file to run the script.
Note: The script in this procedure uses the default value for the SE_VPS_VALUE constant (Const SE_VPS_VALUE = 2). You can change this value according to the following list:
  • If you set Const SE_VPS_VALUE = 0, the domain NETBIOS name is used for the domain name.
    Sample:
    User: FirstName.LastName
    Realm: MyCompany
  • If you set Const SE_VPS_VALUE = 1, the user principal name (UPN) is used for the user name, and the FQDN is used for the domain name.
    Sample:
    User: FirstName.LastName@MyCompany.EMEA.INTRA
    Realm: MyCompany.EMEA.INTRA
  • If you set Const SE_VPS_VALUE = 2, the FQDN is used for the domain name.
    Sample:
    User: FirstName.LastName
    Realm: MyCompany.EMEA.INTRA
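After you run the procedure, the check a practitioner wants is to confirm which ticket format the array is actually configured for without writing anything. The following VBScript is an added example and is not part of the Knowledge Base article. It reuses the FPC.Root COM object, the GUID and the parameter name from the article's script, but it only reads the stored value and reports the matching ticket format from the list above; if the vendor parameter set is absent, it reports that the default "Domain NETBIOS name\User" format is in effect. The mapping of values to descriptions is taken from the list above; the handling of a non-numeric stored value is an assumption.

```vbscript
' Read-only check of the UseFQDNinKerberosTicket setting on the local ISA Server 2006 array.
' Added example, not part of the Microsoft KB article. Run it with cscript on an ISA Server
' computer; it never modifies the array configuration.
Option Explicit

Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "UseFQDNinKerberosTicket"

' Map a stored value to the ticket format described in the article.
Function DescribeMode(value)
    If Not IsNumeric(value) Then
        ' Assumption: a non-numeric value means something other than the
        ' article's script wrote the setting; report it rather than guess.
        DescribeMode = "'" & CStr(value) & "' is not a documented value"
        Exit Function
    End If

    Select Case CLng(value)
        Case 0
            DescribeMode = "0: NETBIOS domain name as realm " & _
                "(User: FirstName.LastName, Realm: MyCompany)"
        Case 1
            DescribeMode = "1: UPN as user name, FQDN as realm " & _
                "(User: FirstName.LastName@MyCompany.EMEA.INTRA, Realm: MyCompany.EMEA.INTRA)"
        Case 2
            DescribeMode = "2: FQDN as realm " & _
                "(User: FirstName.LastName, Realm: MyCompany.EMEA.INTRA)"
        Case Else
            DescribeMode = CStr(value) & ": not a documented value"
    End Select
End Function

Sub ReportSetting()
    Dim root, isaArray, VendorSets, VendorSet, current

    Set root = CreateObject("FPC.Root")
    Set isaArray = root.GetContainingArray
    Set VendorSets = isaArray.VendorParametersSets

    ' Item raises an error when no set with this GUID exists.
    On Error Resume Next
    Set VendorSet = VendorSets.Item(SE_VPS_GUID)
    If Err.Number <> 0 Then
        Err.Clear
        On Error GoTo 0
        ' No vendor parameter set: the hotfix setting was never applied, so ISA Server
        ' uses its default "Domain NETBIOS name\User" format (the same result as value 0).
        WScript.Echo SE_VPS_NAME & " is not present; default NETBIOS format is in effect."
        Exit Sub
    End If

    ' Reading a name that was never set can also raise an error.
    current = VendorSet.Value(SE_VPS_NAME)
    If Err.Number <> 0 Then
        WScript.Echo "Vendor set exists but " & SE_VPS_NAME & " could not be read: 0x" & _
            Hex(Err.Number) & " " & Err.Description
        Err.Clear
        On Error GoTo 0
        Exit Sub
    End If
    On Error GoTo 0

    WScript.Echo SE_VPS_NAME & " = " & DescribeMode(current)
End Sub

ReportSetting
```

Run the check on each ISA Server computer in the array after the hotfix and the configuration script have been applied; a report of "not present" on any member means the setting was saved somewhere else or the hotfix was not installed there.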
Properties

Article ID: 960146 - Last Review: Jan 21, 2009 - Revision: 1