INTRODUCTION
In Microsoft Internet Security and Acceleration (ISA) Server 2006, you can publish a Web site by using Kerberos Constrained Delegation. Depending on the Web site, you may want to change the format in which ISA Server requests the Kerberos ticket of an authenticated user.
By default, ISA Server 2006 uses the "Domain NETBIOS name\User" format when it requests the Kerberos ticket. Therefore, the domain name and the user name in the Kerberos ticket will resemble the following:
User: FirstName.LastName
Realm: MyCompany
However, some Web sites require the fully qualified domain name (FQDN) in the Kerberos ticket. In this scenario, the domain name and the user name in the Kerberos ticket should resemble the following:
User: FirstName.LastName
Realm: MyCompany.EMEA.INTRA
More Information
An update is now available that lets you control the domain name and user name format in Kerberos Constrained Delegation scenarios. To apply this update, follow these steps:
- Download the hotfix rollup package that is mentioned in Microsoft Knowledge Base article 960148:
  960148 Description of the ISA Server 2006 hotfix package: November 19, 2008
- Install the hotfix rollup package on all ISA Server computers.
- Start Notepad.
- Paste the following script into the Notepad file.
Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "UseFQDNinKerberosTicket"
Const SE_VPS_VALUE = 2

Sub SetValue()
    ' Create the root object.
    Dim root ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects needed.
    Dim array ' An FPCArray object
    Dim VendorSets ' An FPCVendorParametersSets collection
    Dim VendorSet ' An FPCVendorParametersSet object

    ' Get references to the array object
    ' and its vendor parameters sets collection.
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )
    If Err.Number <> 0 Then
        Err.Clear
        ' The set does not exist yet: add it.
        Set VendorSet = VendorSets.Add( SE_VPS_GUID )
        CheckError
        WScript.Echo "New VendorSet added... " & VendorSet.Name
    Else
        WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
    End If

    ' Write the value only if it differs from the one already stored.
    If VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
        Err.Clear
        VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
        If Err.Number <> 0 Then
            CheckError
        Else
            VendorSets.Save false, true
            CheckError
            If Err.Number = 0 Then
                WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
            End If
        End If
    Else
        WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
    End If
End Sub

Sub CheckError()
    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If
End Sub
SetValue
- Save this file to one of the ISA Server 2006 computers. Use the .vbs file name extension. For example, name the file ISA2006UseFQDNInKerberosTicket.vbs.
- Double-click the .vbs file to run the script.
Note: The script in this procedure uses the default value for the SE_VPS_VALUE constant (Const SE_VPS_VALUE = 2). You can change this value according to the following list:
- If you set Const SE_VPS_VALUE = 0, the domain NETBIOS name is used for the domain name.
  Sample:
  User: FirstName.LastName
  Realm: MyCompany
- If you set Const SE_VPS_VALUE = 1, the user principal name (UPN) is used for the user name, and the FQDN is used for the domain name.
  Sample:
  User: FirstName.LastName@MyCompany.EMEA.INTRA
  Realm: MyCompany.EMEA.INTRA
- If you set Const SE_VPS_VALUE = 2, the FQDN is used for the domain name.
  Sample:
  User: FirstName.LastName
  Realm: MyCompany.EMEA.INTRA
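Because the hotfix must be installed and the setting stored on every ISA Server computer, a read-only check is useful after rollout. The following VBScript is an added example, not part of the original article: it reads the current UseFQDNinKerberosTicket value through the same FPC.Root objects as the script above without changing anything, and reports which user name and realm format that value selects. It assumes only the standard WScript.Network object to name the computer it runs on.

```vbscript
' Added example: report the stored UseFQDNinKerberosTicket value on this
' ISA Server 2006 array member. Nothing is written or saved.
Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "UseFQDNinKerberosTicket"

' Map a stored value to the ticket format documented for it.
Function DescribeValue(v)
    Select Case v
        Case 0: DescribeValue = "0 - NETBIOS domain name (User: FirstName.LastName, Realm: MyCompany)"
        Case 1: DescribeValue = "1 - UPN user name and FQDN realm (User: FirstName.LastName@MyCompany.EMEA.INTRA, Realm: MyCompany.EMEA.INTRA)"
        Case 2: DescribeValue = "2 - FQDN realm (User: FirstName.LastName, Realm: MyCompany.EMEA.INTRA)"
        Case Else: DescribeValue = CStr(v) & " - not a documented value"
    End Select
End Function

Sub ReportValue()
    Dim host, root, array, VendorSets, VendorSet, current
    ' WScript.Network is a standard Windows Script Host object (assumed available).
    host = CreateObject("WScript.Network").ComputerName

    Set root = CreateObject("FPC.Root")
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item(SE_VPS_GUID)
    If Err.Number <> 0 Then
        ' The vendor parameters set was never created on this array:
        ' the hotfix setting has not been applied, so the default applies.
        Err.Clear
        On Error GoTo 0
        WScript.Echo host & ": vendor parameters set " & SE_VPS_GUID & " not present."
        WScript.Echo host & ": ISA Server uses its default, " & DescribeValue(0)
        Exit Sub
    End If

    current = VendorSet.Value(SE_VPS_NAME)
    If Err.Number <> 0 Then
        ' The set exists but the named value was never written.
        Err.Clear
        On Error GoTo 0
        WScript.Echo host & ": set present but " & SE_VPS_NAME & " is not set."
        Exit Sub
    End If
    On Error GoTo 0

    WScript.Echo host & ": " & SE_VPS_NAME & " = " & DescribeValue(CLng(current))
End Sub

ReportValue
```

Run it with cscript on each ISA Server computer and compare the reported values; they should match on every array member.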