
Symptoms

Consider the following scenario:

  • You publish a web server and authenticate all requests in a Microsoft Forefront Threat Management Gateway (TMG) 2010 environment.

  • You set Authentication delegation to Kerberos constrained delegation (KCD).

  • You use the 960146 update to change the user name and domain name format that is used in the Kerberos ticket for KCD.

  • You set the Const SE_VPS_VALUE setting to 2 to obtain the fully qualified domain name (FQDN). For example, you use the following setting:

    User: FirstName.LastName
    Realm: MyCompany.EMEA.INTRA

In this scenario, KCD fails if the domain part of the user principal name (UPN) does not match a real domain. For example, if the user is FirstName.LastName from the EMEA domain but the user's UPN is FirstName.LastName@MyCompany, and the MyCompany domain does not exist, the KCD delegation fails. This is because TMG tries to contact the MyCompany domain.

Cause

This problem occurs because of the manner in which the TMG delegation module handles the domain and user name information that is retrieved during authentication to create the delegation request.

Resolution

To resolve this problem, install Rollup 5 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

This update adds a new option (Const SE_VPS_VALUE = 3) to update 960146.

To apply this update, follow these steps:

  1. Download the Rollup 5 package that is mentioned in the "Resolution" section.

  2. Install the hotfix rollup package on all TMG Server computers.

  3. Start Windows Notepad.

  4. Copy the script from the 960146 update, and then paste the script into Notepad.

  5. In line 3 (Const SE_VPS_VALUE = 2), change the value from 2 to 3.

  6. Save the file to one of the TMG 2010 servers by using the .vbs file name extension. For example, name the file as follows:

    TMG2010UseFQDNInKerberosTicket.vbs

  7. To run the script, double-click the .vbs file that you saved.


Notes

  • The script in this procedure uses the default value of 2 for the Const SE_VPS_VALUE property. You can change this value according to the following options:

    • If you set Const SE_VPS_VALUE = 0, the domain NETBIOS name is used for the domain name. For example:

      User: FirstName.LastName
      Realm: MyCompany

    • If you set Const SE_VPS_VALUE = 1, the user principal name (UPN) is used for the user name, and the FQDN is used for the domain name. For example:

      User: FirstName.LastName@MyCompany.EMEA.INTRA
      Realm: MyCompany.EMEA.INTRA

    • If you set Const SE_VPS_VALUE = 2, the FQDN is used for the domain name. For example:

      User: FirstName.LastName
      Realm: MyCompany.EMEA.INTRA

    • If you set Const SE_VPS_VALUE = 3, the FQDN is used for the domain name. For example:

      User: FirstName.LastName
      Realm: MyCompany.EMEA.INTRA

  • The new option that is added by this update produces the same output as the second list option, but uses "DS_CANONICAL_NAME" instead of the user UPN format to retrieve the domain information.
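The following PowerShell is an added example, not a script from this article or from the TMG product. It flags Active Directory users whose UPN suffix is not the DNS name of a domain in the forest, which is the population that hits the KCD failure described under "Symptoms" when the realm is derived from the UPN suffix (Const SE_VPS_VALUE = 2), and it shows the domain DNS name that the leading segment of the user's canonical name (the DS_CANONICAL_NAME format used by Const SE_VPS_VALUE = 3) yields instead. The function and parameter names are the example's own, the live query assumes the RSAT ActiveDirectory module, and the "realm from UPN" and "realm from canonical name" columns are an illustration of the documented behaviour, not TMG's internal logic.

```powershell
# Added example (not from the KB article or from TMG): find users whose UPN suffix
# is not a forest domain DNS name. With SE_VPS_VALUE = 2 the Kerberos realm is taken
# from the UPN suffix, so such users trigger the KCD failure described above.
# The leading segment of CanonicalName ("domain.dns.name/OU/CN") is the domain DNS
# name that the DS_CANONICAL_NAME-based option (SE_VPS_VALUE = 3) relies on.
# Assumptions: RSAT ActiveDirectory module for the live query; the realm columns are
# an illustration of the documented behaviour, not TMG's own code.

function Get-UpnRealmRisk {
    param(
        # Objects exposing UserPrincipalName and CanonicalName (e.g. from Get-ADUser).
        [Parameter(Mandatory)] [object[]] $Users,
        # DNS names of all domains in the forest (e.g. (Get-ADForest).Domains).
        [Parameter(Mandatory)] [string[]] $ForestDomains
    )
    foreach ($u in $Users) {
        if (-not $u.UserPrincipalName -or $u.UserPrincipalName -notmatch '@') { continue }

        $userPart, $upnSuffix = $u.UserPrincipalName -split '@', 2
        # DS_CANONICAL_NAME form is "domain.dns.name/OU/.../CN"; first segment is the domain.
        $canonRealm = ($u.CanonicalName -split '/', 2)[0]
        # -contains compares case-insensitively, which matches DNS name semantics.
        $suffixIsDomain = $ForestDomains -contains $upnSuffix

        [pscustomobject]@{
            User           = $userPart
            UpnSuffix      = $upnSuffix
            RealmFromUpn   = $upnSuffix      # what SE_VPS_VALUE = 2 would use (illustrative)
            RealmFromCanon = $canonRealm     # what SE_VPS_VALUE = 3 would use (illustrative)
            KcdAtRisk      = -not $suffixIsDomain
        }
    }
}

function Get-UpnRealmRiskFromAd {
    # Live query against the current forest; requires the ActiveDirectory module.
    Import-Module ActiveDirectory -ErrorAction Stop
    $forest = Get-ADForest
    $users  = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName, CanonicalName
    Get-UpnRealmRisk -Users $users -ForestDomains $forest.Domains
}

# Constructed sample data mirroring the article's example; these are not real accounts.
$sampleDomains = @('MyCompany.EMEA.INTRA', 'EMEA.INTRA')
$sampleUsers = @(
    [pscustomobject]@{
        UserPrincipalName = 'FirstName.LastName@MyCompany'                 # alternative UPN suffix, no such domain
        CanonicalName     = 'MyCompany.EMEA.INTRA/Users/FirstName LastName'
    },
    [pscustomobject]@{
        UserPrincipalName = 'Other.User@MyCompany.EMEA.INTRA'              # suffix is a real domain
        CanonicalName     = 'MyCompany.EMEA.INTRA/Users/Other User'
    }
)

Get-UpnRealmRisk -Users $sampleUsers -ForestDomains $sampleDomains | Format-Table -AutoSize
```

On the constructed data the first user is reported with KcdAtRisk set to True (UPN suffix "MyCompany" is not a forest domain, while the canonical name yields "MyCompany.EMEA.INTRA"), and the second user is not at risk. Running Get-UpnRealmRiskFromAd before switching the setting gives an inventory of accounts that will only delegate correctly once Rollup 5 is installed and Const SE_VPS_VALUE = 3 is applied.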
