ProClarity and Kerberos Delegation

Here's another small update to the ProClarity and Kerberos Delegation document.

  • Kerberos delegation will work with a disjointed domain namespace where the NETBIOS short name does not match the Fully Qualified Domain Name (FQDN). For example, if your FQDN is northamerica.contoso.com and your NETBIOS name is NA.
  • When using a service account for the application pool in Server 2008 and later, you will need to set useAppPoolCredentials to True on the PAS virtual directory. If useKernelMode is set to True and useAppPoolCredentials is set to False, then Kerberos service ticket decryption fails and you will be prompted for credentials and unable to authenticate. Alternatively, you can disable kernel mode authentication, but this is not recommended.
  • Use Network Monitor to capture a client’s failed attempt to authenticate to PAS and see data. Filter the traffic by, “HTTP or KerberosV5” and you should see HTTP:Request, HTTP:Response for GET /pas. Find the KerberosV5:TGS Request and Response and you should see the Sname being requested. This is the exact SPN that needs registered on the PAS IIS application pool service account. For example, Sname: HTTP/ProClarityServer.northamerica.contoso.com.

-Joey

ProClarity and Kerberos Delegation.docx