The full guide on how to configure ISA Server Firewalls (same goes for Forefront TMG) to support user certificate authentication using Kerberos Constrained Delegation is available in Tom Shinder's manual Part 1 and Part 2.
This article comes to address the case when a web publishing rule is configured to use Kerberos Constrained Delegation, but the published site can't be accessed due to faulty KCD configuration.
Test Button and KCD
Test Button can be run when creating a new web publishing rule or when troubleshooting an existing one. In both cases it issues a "GET" request towards the published server and then performs some static configuration tests. Assuming that the published server returns "Kerberos" authentication header, there are several KCD related problems that may be revealed during the static tests phase. If all the tests pass the user is expected to see something like:
KCD requirement: Kerberos Constrained Delegation requires both that the Forefront TMG computer and the published server are members of the same domain
First, the Test Button gets the domain controller name for the TMG server. If fails, the following message is shown:
· The Forefront TMG computer is not joined to a domain.
Then the DC name is acquired for the published server. If it fails, the following message is shown:
· Failed to get domain controller name for this published server.
And, finally, these DC names are compared. If they don't match, the following message is shown:
· The Forefront TMG computer and the published server are joined to different domains.
KCD requirement: Kerberos Constrained Delegation requires the Forefront TMG computer to be trusted for delegation for any authentication protocol and the Service Principal Name (SPN) used by Forefront TMG must be added to Active Directory
In case of faulty configuration of TMG computer account on domain controller, we may receive the following message:
· This Forefront TMG computer doesn't have the required trust for Kerberos Constrained Delegation.
This error means that the TMG computer account on the domain controller is not properly trusted for delegation and KCD won't work. Ensure that the radio buttons are chosen as shown in the reference image:
Another possible fault is mismatch of the Service Principle Name defined in the publishing rule on TMG, and then the following message is shown:
· There is no suitable Service Principal Name (SPN) entry found for this Forefront TMG computer in Active Directory.
In this case the user has to ensure that the SPN defined in the publishing rule on TMG is the same as one defined on domain controller:
And, finally, if this message is displayed, then it means that the computer account was probably removed from the domain controller, which can be resolved by re-joining the TMG machine back to the domain:
· The Forefront TMG computer doesn't have a computer account in Active Directory.
Software Development Engineer
Forefront Threat Management Gateway