DotNetNewsgroup.com  
web access to complete list of Microsoft.NET newsgroups
start date: Mon, 13 Aug 2007 14:19:35 -0400,    posted on: microsoft.public.dotnet.framework.aspnet.security


Kerberos to NTLM delegation timeout   
I apologize if this is available, but there is so much on getting delegation 
to work that we aren't coming up with anything.

First off, we are using constrained delegation to run a dual server 
environment for an ASP.NET 2.0 application under IIS 6.0 and SQL Server 2005. 
All Windows Server 2k3.  Our Active Directory is balanced across two different 
servers.

A subset of our users are receiving delegation errors at what seems like 
random, inconsistent times of the day.  Most of the time the majority of the 
users are working fine.

Basically the Kerberos ticket appears to either expire or be overridden by 
an NTLM ticket causing a double hop failure.

We have determined that the problem can temporarily be solved by doing the 
following:
Close IE -> Control-Alt-Delete -> Lock -> UnLock

However, once the original problem happens this only seems to fix it for a 
short while until the same error is experienced again.

Any direction or ideas at all would be greatly appreciated.

- Marc Castrechini
Date: Mon, 13 Aug 2007 14:19:35 -0400

Re: Kerberos to NTLM delegation timeout   
Some additional info we have found:
If the problem occurs:
1) The Lock Computer solution typically lasts about 20 minutes

2) Logging out completely typically lasts about 24 hours.

TIA,
- Marc


"Marc Castrechini" <castro_9@newsgroup.nospam> wrote in message 
news:eQUxBad3HHA.1900@TK2MSFTNGP02.phx.gbl...

> I apologize if this is available, but there is so much on getting delegation 
> to work that we aren't coming up with anything.
>
> First off, we are using constrained delegation to run a dual server 
> environment for an ASP.NET 2.0 application under IIS 6.0 and SQL Server 2005. 
> All Windows Server 2k3.  Our Active Directory is balanced across two different 
> servers.
>
> A subset of our users are receiving delegation errors at what seems like 
> random, inconsistent times of the day.  Most of the time the majority of 
> the users are working fine.
>
> Basically the Kerberos ticket appears to either expire or be overridden by 
> an NTLM ticket causing a double hop failure.
>
> We have determined that the problem can temporarily be solved by doing the 
> following:
> Close IE -> Control-Alt-Delete -> Lock -> UnLock
>
> However, once the original problem happens this only seems to fix it for a 
> short while until the same error is experienced again.
>
> Any direction or ideas at all would be greatly appreciated.
>
> - Marc Castrechini
> 
Date: Mon, 13 Aug 2007 14:55:54 -0400

Re: Kerberos to NTLM delegation timeout   
Hi Marc,

From your description, I understand you're using constrained delegation 
between two Windows 2k3 servers for your ASP.NET application, which connects to 
a remote SQL Server 2k5 db. However, you found that the Kerberos delegation 
produces errors randomly, correct?

Based on my experience, most such Kerberos delegation problems 
are likely caused by environment configuration settings or some network-related 
issues. Normally, it will require troubleshooting all the 
boxes from the front-end clients to the back-end servers and also the domain 
controller box; network tracing is also necessary to get detailed error 
information. Therefore, it may not be easy to completely resolve such a 
problem through the newsgroup support interface, but we'll try our best to help 
you track down this issue.

According to the symptom you mentioned, it seems the Kerberos ticket 
always times out after a certain period, and lock/unlock or logout/login 
seems to be able to overcome it temporarily. Have you checked the KDC to see 
whether the timeout or any expiry-related setting is as expected? Also, it 
is helpful to use a network trace utility to capture the HTTP messages 
and look up what the error message is when the Kerberos delegation fails; 
you need to capture the messages between both IE client <--> web application 
server   and   web application server <--> backend db server.

Here are some existing documents and references on Kerberos delegation issues 
which can provide some systematic troubleshooting ideas:

#Kerberos authentication and troubleshooting delegation issues
http://support.microsoft.com/kb/907272

#Troubleshooting Kerberos Delegation
http://www.microsoft.com/downloads/details.aspx?FamilyID=99B0F94F-E28A-4726-BFFE-2F64AE2F59A2&displaylang=en

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

 

Date: Tue, 14 Aug 2007 08:15:11 GMT
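
The HTTP capture suggested in the reply above shows, per request, whether the browser sent a Kerberos or an NTLM token in its `Authorization` header, which is the moment the double hop stops working. The following Python sketch is an added example, not part of the original thread: it classifies header values and reports clients that switch from Kerberos to NTLM. The token detection is a byte-signature heuristic, and the sample tokens, timestamps and client names are constructed.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"  # signature that starts every NTLM message
# DER-encoded mechanism OIDs found in GSS-API/SPNEGO tokens
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2

def classify_authorization(value):
    """Return 'kerberos', 'ntlm' or 'unknown' for one Authorization header value."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    # Raw NTLM, or NTLM wrapped in SPNEGO: the NTLMSSP signature is present.
    if NTLMSSP in token:
        return "ntlm"
    # A GSS-API initial token starts with ASN.1 tag 0x60 and names its mechanism.
    if token[:1] == b"\x60" and (OID_KRB5 in token or OID_MS_KRB5 in token):
        return "kerberos"
    return "unknown"

def find_fallbacks(requests):
    """requests: (timestamp, client, header) tuples in capture order.
    Return (timestamp, client) for each Kerberos -> NTLM switch."""
    last, hits = {}, []
    for ts, client, header in requests:
        kind = classify_authorization(header)
        if last.get(client) == "kerberos" and kind == "ntlm":
            hits.append((ts, client))
        if kind != "unknown":
            last[client] = kind
    return hits

def _negotiate(raw):
    return "Negotiate " + base64.b64encode(raw).decode()

# Constructed, truncated tokens for illustration (not real tickets).
KRB_TOKEN = _negotiate(b"\x60\x82\x05\x00" + OID_SPNEGO + b"\xa0\x82\x04\xf0" + OID_KRB5 + b"\x01\x00")
NTLM_TOKEN = _negotiate(NTLMSSP + b"\x01\x00\x00\x00" + b"\x00" * 8)
SAMPLE = [("09:00:12", "client-a", KRB_TOKEN), ("09:00:40", "client-b", KRB_TOKEN),
          ("09:21:05", "client-a", NTLM_TOKEN), ("09:21:30", "client-b", KRB_TOKEN)]

if __name__ == "__main__":
    for ts, client in find_fallbacks(SAMPLE):
        print(f"{ts} {client}: switched from Kerberos to NTLM")
```

In a real capture the same distinction is visible by eye: NTLM tokens begin with `TlRMTVNTUAAB` and Kerberos/SPNEGO tokens with `YII`.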

COPYRIGHT © 2005, EUROFRONT WORLDWIDE LTD., ALL RIGHTS RESERVED