Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows XP and Windows Vista
Consider the following scenario:
You have Kerberos constrained delegation configured to use client certificate authentication on a Web site.
This Web site is published by using Microsoft ISA Server together with client certificate authentication.
In this scenario, when a user visits the Web site, the user may receive the following error message:
Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)
Additionally, the following entry is logged in the ISA Server Application log:
Type: Error
Date: 10/29/2007
Time: 22:59:16
Event ID: 21315
Source: Microsoft ISA Server Web Proxy
User: N/A
Computer: ISA2K6
Details: ISA Server failed to delegate credentials using Kerberos constrained delegation to the Web site published by the rule YourPublishingRule. Check that the SPN: http/dc-fqdn configured in ISA Server matches the SPN in Active Directory.
This problem occurs because the computer object of ISA Server does not have sufficient permissions to read the attributes of the user account in the Active Directory directory service.
To resolve this problem, use one of the following methods:
Add the computer account of the ISA Server to the Windows Authorization Access group. To do this, follow these steps:
Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
In Active Directory Users and Computers, click Builtin, and then double-click Windows Authorization Access Group.
Click the Members tab, and then add the ISA Server computer account to the Members list.
Make sure that the Service-for-User (S4U) caller has read access to the following objects and properties.
Note In this case, the S4U caller is the ISA Server computer object.
The user object or the computer object that is being authenticated.
The Remote Access Information property set.
Note The GUID of this property set is 037088f8-0ae1-11d2-b422-00a0c968f939. This property set includes the following attribute:
The token-groups-global-and-universal (TGGAU) attribute.
Note Microsoft Knowledge Base article 331951 describes how to enable applications to read the TGGAU attribute. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
331951 Some applications and APIs require access to authorization information on account objects
Specifically, you can try to add the security principal that is used by ISA Server to the Windows Authorization Access group. You can also add the Everyone group to the Pre-Windows 2000 Compatible Access group.
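The following PowerShell script is an added example, not part of the Knowledge Base article and not a Microsoft tool. It performs the same checks and the same repair that the two methods above describe, from a management computer that has the RSAT ActiveDirectory module: it adds the ISA Server computer account to the Windows Authorization Access Group, verifies that a test user's ACL actually grants read access on the Remote Access Information property set (GUID 037088f8-0ae1-11d2-b422-00a0c968f939) to some principal, and resolves which account owns the SPN named in event 21315. The computer name ISA2K6 is taken from the sample event above; the user name testuser and the SPN http/dc-fqdn are placeholders that you replace with your own values.

```powershell
# Added example (not from the KB article): check and repair the conditions the
# article describes. Requires the RSAT ActiveDirectory module and an account
# that can read ACLs and modify Builtin group membership.
Import-Module ActiveDirectory

$IsaComputer = 'ISA2K6'          # ISA Server computer account (from the sample event; adjust)
$TestUser    = 'testuser'        # placeholder: a user who receives the 403 error
$WaaGroup    = 'Windows Authorization Access Group'
$Spn         = 'http/dc-fqdn'    # placeholder: the SPN shown in your 21315 event
# "Remote Access Information" property set; tokenGroupsGlobalAndUniversal is a member of it
$RasInfoGuid = [guid]'037088f8-0ae1-11d2-b422-00a0c968f939'

# 1. Method 1 from the article: make the ISA computer a member of the WAA group.
$isa = Get-ADComputer -Identity $IsaComputer
$alreadyMember = Get-ADGroupMember -Identity $WaaGroup |
    Where-Object { $_.distinguishedName -eq $isa.DistinguishedName }
if (-not $alreadyMember) {
    Add-ADGroupMember -Identity $WaaGroup -Members $isa
    Write-Host "Added $IsaComputer to '$WaaGroup'. Restart the ISA Server computer" `
               "(or purge its Kerberos tickets) so the new group appears in its token."
} else {
    Write-Host "$IsaComputer is already a member of '$WaaGroup'."
}

# 2. Method 2 from the article: confirm that the user object's ACL grants read
#    access on the Remote Access Information property set. Both an explicit
#    property-set ACE and a GenericRead ACE (empty ObjectType) satisfy this.
$user = Get-ADUser -Identity $TestUser
$acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"
$readProperty = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$genericRead  = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$rasAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        ($_.ObjectType -eq $RasInfoGuid -and
         ([int]($_.ActiveDirectoryRights -band $readProperty)) -ne 0) -or
        ($_.ObjectType -eq [guid]::Empty -and
         ([int]($_.ActiveDirectoryRights -band $genericRead)) -eq [int]$genericRead)
    )
}
if ($rasAces) {
    Write-Host "Principals that can read the Remote Access Information property set on $TestUser:"
    $rasAces | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited | Format-Table -AutoSize
} else {
    Write-Warning "No ACE on $($user.DistinguishedName) grants read access on the Remote Access" `
                  "Information property set; the S4U caller cannot read the user's group membership."
}

# 3. The event text also asks you to compare the SPN configured in ISA with AD.
#    A missing or duplicate SPN produces the same 21315 event, so report both cases.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName)
switch ($owners.Count) {
    0       { Write-Warning "SPN $Spn is not registered on any account." }
    1       { Write-Host "SPN $Spn is registered on $($owners[0].DistinguishedName)." }
    default { Write-Warning "SPN $Spn is registered on more than one account (duplicate SPN): $($owners.DistinguishedName -join '; ')" }
}
```

Run the script once before and once after applying either method: the membership change only takes effect in the ISA computer's token after it obtains a new logon session, so a 21315 event that persists immediately after step 1 does not by itself mean the fix failed. The ACL check in step 2 reports who can read the property set; when the only matching identity is a group, confirm separately that the ISA computer account (or Everyone, if you chose the Pre-Windows 2000 Compatible Access group) is a member of it.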
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
To confirm that you are encountering this problem, collect network traces on the ISA Server-based computer and a Kerberos debug log on the Key Distribution Center (KDC).
To enable Kerberos logging on the KDC, follow these steps:
Install the checked build of Kerberos modules (Kerberos.dll and Kdcsvc.dll). To do this, follow these steps: