INTRODUCTION
In Microsoft Internet Security and Acceleration (ISA) Server 2006, you publish a Web site by using Kerberos Constrained Delegation. Depending on the Web site, you may want to change how ISA Server requests the Kerberos ticket of an authenticated user.
By default, ISA Server 2006 uses the "Domain NETBIOS name\User" format when it requests the Kerberos ticket. Therefore, the domain name and the user name in the Kerberos ticket will resemble the following:
User: FirstName.LastName
Realm: MyCompany
However, some Web sites require the fully qualified domain name (FQDN) in the Kerberos ticket. In this scenario, the domain name and the user name in the Kerberos ticket should resemble the following:
User: FirstName.LastName
Realm: MyCompany.EMEA.INTRA
MORE INFORMATION
An update is now available that lets you control the domain name and user name format in Kerberos Constrained Delegation scenarios. To apply this update, follow these steps:
- Download the hotfix rollup package that is mentioned in Microsoft Knowledge Base article 960148.
  960148 Description of the ISA Server 2006 hotfix package: November 19, 2008
- Install the hotfix rollup package on all ISA Server computers.
- Start Notepad.
- Paste the following script into the Notepad file.

Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "UseFQDNinKerberosTicket"
Const SE_VPS_VALUE = 2

Sub SetValue()
    ' Create the root object.
    Dim root        ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects needed.
    Dim array       ' An FPCArray object
    Dim VendorSets  ' An FPCVendorParametersSets collection
    Dim VendorSet   ' An FPCVendorParametersSet object

    ' Get references to the array object
    ' and the vendor parameters sets collection.
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )
    If Err.Number <> 0 Then
        Err.Clear
        ' Add the item
        Set VendorSet = VendorSets.Add( SE_VPS_GUID )
        CheckError
        WScript.Echo "New VendorSet added... " & VendorSet.Name
    Else
        WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
    End If

    If VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
        Err.Clear
        VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
        If Err.Number <> 0 Then
            CheckError
        Else
            VendorSets.Save False, True
            ' Test Err before CheckError clears it, so that a failed
            ' save is not reported as "saved".
            If Err.Number <> 0 Then
                CheckError
            Else
                WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
            End If
        End If
    Else
        WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
    End If
End Sub

Sub CheckError()
    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If
End Sub

SetValue

- Save this file to one of the ISA Server 2006 computers. Use the .vbs file name extension. For example, name the file ISA2006UseFQDNInKerberosTicket.vbs.
- Double-click the .vbs file to run the script.
Note: The script in this procedure uses the default value for the Const SE_VPS_VALUE property (Const SE_VPS_VALUE = 2). You can change this value according to the following list:
- If you set Const SE_VPS_VALUE = 0, the domain NETBIOS name is used for the domain name.
  Sample:
  User: FirstName.LastName
  Realm: MyCompany
- If you set Const SE_VPS_VALUE = 1, the user principal name (UPN) is used for the user name, and the FQDN is used for the domain name.
  Sample:
  User: FirstName.LastName@MyCompany.EMEA.INTRA
  Realm: MyCompany.EMEA.INTRA
- If you set Const SE_VPS_VALUE = 2, the FQDN is used for the domain name.
  Sample:
  User: FirstName.LastName
  Realm: MyCompany.EMEA.INTRA
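
To confirm which format an array is configured to use after the procedure above, the following read-only check can be run on an ISA Server computer. It is an added example, not part of the Microsoft article or the hotfix; it uses only the objects, GUID and parameter name that appear in the script above, and the optional command-line argument for an expected value is a hypothetical convenience.

```vbscript
Option Explicit
' Added example: read-only check of the setting. Nothing is created or saved.
' GUID and parameter name are copied from the configuration script above.
Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "UseFQDNinKerberosTicket"

' Map a stored value to the format described in the list above.
Function DescribeFormat(value)
    Select Case CStr(value)
        Case "0"
            DescribeFormat = "NetBIOS domain name as realm"
        Case "1"
            DescribeFormat = "UPN as user name, FQDN as realm"
        Case "2"
            DescribeFormat = "FQDN as realm"
        Case Else
            DescribeFormat = "value not covered by the list above"
    End Select
End Function

' Return the stored value, or Empty if the set or the parameter is absent.
Function ReadSetting()
    Dim root, isaArray, vendorSet, value
    ReadSetting = Empty
    On Error Resume Next
    Set root = CreateObject("FPC.Root")
    If Err.Number <> 0 Then
        WScript.Echo "Cannot create FPC.Root: 0x" & Hex(Err.Number) & " " & Err.Description
        WScript.Quit 2
    End If
    Set isaArray = root.GetContainingArray
    Set vendorSet = isaArray.VendorParametersSets.Item(SE_VPS_GUID)
    If Err.Number = 0 Then value = vendorSet.Value(SE_VPS_NAME)
    If Err.Number = 0 Then ReadSetting = value
    Err.Clear
End Function

Dim current, expected
current = ReadSetting()
If IsEmpty(current) Then
    WScript.Echo SE_VPS_NAME & " is not set on this array."
Else
    WScript.Echo SE_VPS_NAME & " = " & current & " (" & DescribeFormat(current) & ")"
End If
' Optional argument (hypothetical usage): expected value; exit code 1 on mismatch.
If WScript.Arguments.Count > 0 Then
    expected = WScript.Arguments(0)
    If IsEmpty(current) Or CStr(current) <> expected Then WScript.Quit 1
End If
```

Run it with cscript so that the exit code is returned to the calling script or scheduled task.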