Another Behavior of the TEST RULE Button in Threat Management Gateway 2010

Introduction:

Recently, I worked on a case where we were publishing Exchange Client Access Servers (CAS) through TMG. We saw unexpected behavior when using Kerberos Constrained Delegation (KCD) as the authentication delegation method together with a web farm in the publishing rule.

The scenario was as follows.

We were publishing the target CAS servers as a web farm and using KCD as the delegation method. Therefore, the SPN specified on the Authentication Delegation tab was “http/*”.

But when we used the Test Rule button to test this, we got the following error:

Category: KCD error


Error details: There is no suitable Service Principal Name (SPN) entry found for this Forefront TMG computer in Active Directory.
Action: Kerberos Constrained Delegation requires the Forefront TMG computer to be trusted for delegation for any authentication protocol and the Service Principal Name (SPN) used by Forefront TMG must be added to Active Directory

However, when we accessed Exchange services such as OWA and ActiveSync externally, everything worked just fine.

This led us to believe that the Test Rule button itself was at fault in this case.

Further Troubleshooting:

We then entered the SPN with the name of one of the CAS servers on the Authentication Delegation tab. When we ran Test Rule again, it succeeded.

While researching the issue further, we discovered that this behavior is a known issue that is currently under investigation.

CONCLUSION:

If you are publishing a web farm using KCD as the delegation method and the “Test Rule” button returns the error above, test connectivity and authentication from an external client instead.
The “Test Rule” button may not be a reliable test in this publishing scenario, so an external client should be used to test.
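Since the Test Rule button may not be reliable here, the two conditions named in the error (the TMG computer account trusted for delegation with any authentication protocol, and the delegated SPNs present in AD) can be checked directly in Active Directory. The script below is an added example, not part of the original post; the computer and farm member names are placeholders, and it assumes the ActiveDirectory PowerShell module is available.

```powershell
# Added example, not from the original post. All names are placeholders.
Import-Module ActiveDirectory

$TmgComputer = 'TMG01'               # placeholder: TMG computer account
$FarmMembers = @('CAS01', 'CAS02')   # placeholder: farm members, as entered in the rule

function Test-TmgKcdConfig {
    param([string]$Tmg, [string[]]$Members)

    # The error in the post names two conditions: the TMG computer account must be
    # trusted for delegation with any authentication protocol, and the SPNs it
    # delegates to must exist in AD. A rule SPN of http/* is resolved per farm
    # member, so the checks below run once per member.
    $acct = Get-ADComputer -Identity $Tmg `
        -Properties TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
    $allowed = @($acct.'msDS-AllowedToDelegateTo')
    if (-not $acct.TrustedToAuthForDelegation) {
        Write-Warning "$Tmg is not trusted for delegation with any authentication protocol"
    }

    foreach ($cas in $Members) {
        $spn = "http/$cas"
        # An explicit HTTP SPN may live on the CAS computer account or on a service
        # account; if none exists, the computer account's HOST/ SPN covers HTTP.
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        if ($owners.Count -eq 0) {
            $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=host/$cas)")
        }
        [pscustomobject]@{
            Member              = $cas
            Spn                 = $spn
            SpnRegisteredTo     = ($owners | ForEach-Object Name) -join ','
            TmgAllowedToDelegate = $allowed -contains $spn   # -contains is case-insensitive
        }
    }
}

Test-TmgKcdConfig -Tmg $TmgComputer -Members $FarmMembers | Format-Table -AutoSize
```

A member whose SPN is registered and listed in TmgAllowedToDelegate but still fails the Test Rule button matches the behavior described in this post, and the external-client test is then the one to trust.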

Author

Nitin Singh

Security Support Escalation Engineer

Microsoft CSS Forefront Security Edge Team

Technical Reviewer

Richard Barker

Sr. Security Support Escalation Engineer

Microsoft CSS Forefront Security Edge Team

Comments
  • Hello TMG-Support-Team,

    I recently recognized this behavior while troubleshooting a colleague's test-lab setup. Could it be that if FF-TMG-FW-Svc runs as a domain account (>=SP2) and the KCD is configured ONLY for the domain account and not for the TMG computer account (or maybe even the user account, because that's the context the MMC runs in?!) would be an explanation?

    wbr

    Robert aka AgentSmith73

  • This is exactly what I'm seeing in my TMG environment - version 7.0.9193.515.

    Good to know, thanks!

    Jan
