WCF and WIF, Delegation and Kerberos Failure

I recently ran into an issue where a client of ours was trying to implement Version 5.1 of Specops Password Reset. The implementation was “Multi-Tiered” in that the Web Component was on a separate server from the Password Reset Component.

As Specops Password Reset relies on Kerberos to identify and authenticate the user during enrollment, we needed to make sure that delegation was working correctly. Whatever we tried, we could not get this to work. Normally it is just a case of adding an SPN to the web server account for the URL that the user will be using to access the site, and trusting the web server for delegation (in this particular case we were also adding it to an IIS 7.0 web farm, but more on that later). But no matter what we tried, the page kept reporting that it could not identify the user. The exact error was “The request for the security token could not be satisfied because authentication failed”, and when we looked at the security logs on the servers we could see the authentication attempts coming in as Anonymous over NTLM rather than Kerberos.

After trawling through a tonne of logs and traces, our WCF/WIF guru Janne finally analysed a Wireshark trace for me and noted that the SPR server (not the web server) could not locate the UPN of the service account it was running under. We checked this out, but the account matched. We did notice, however, that this particular UPN was 33 characters long, and AD had obviously truncated it to the 20-character pre-Windows 2000 logon name (sAMAccountName) in the account properties. We decided to swap the full-length name for the truncated one in the site’s web.config file, did an IIS reset and VOILA! Kerberos sprang from the gates of hell into life.

Janne is going to mention it to the WCF/WIF team and see if they know about it, hopefully it’ll get fixed at some point in the future.

So the lesson here is: if you work in an organisation whose naming convention may force you to generate long user names, don’t expect them to always work, especially with Kerberos delegation. NT4 lives on!!!
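A quick check for the three things that bit us above (truncated logon name, SPN, delegation), as an added example that is not from the original post or from Specops. It assumes the RSAT ActiveDirectory module and hypothetical names for the service account and the site host, and is meant to be run against both the web server’s account and the Password Reset service account.

```powershell
# Added example, not from the original post: check a service account for the
# conditions behind the failure described above. Assumes the RSAT
# ActiveDirectory module and two hypothetical values for the account and site.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-spr-passwordreset-prod'   # hypothetical sAMAccountName
$SiteHost       = 'passwordreset.corp.example'   # hypothetical host name users browse to
$ExpectedSpn    = "HTTP/$SiteHost"

$acct = Get-ADUser -Identity $ServiceAccount -Properties UserPrincipalName, SamAccountName,
    ServicePrincipalName, TrustedForDelegation, 'msDS-AllowedToDelegateTo'
$upnPrefix = ($acct.UserPrincipalName -split '@')[0]

# 1. The root cause in the post: a UPN prefix longer than the 20-character
#    pre-Windows 2000 logon name, so sAMAccountName is a truncated variant of it.
if ($upnPrefix.Length -gt 20 -and $upnPrefix -ne $acct.SamAccountName) {
    $msg = "UPN prefix '{0}' is {1} chars but sAMAccountName is '{2}'; " +
           "if Kerberos falls back to NTLM, try the sAMAccountName form in web.config."
    Write-Warning ($msg -f $upnPrefix, $upnPrefix.Length, $acct.SamAccountName)
}

# 2. The SPN for the URL must be on this account and on no other object;
#    a missing or duplicate SPN also makes clients fall back to NTLM.
$holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$ExpectedSpn)"
if (-not $holders) {
    Write-Warning "$ExpectedSpn is not registered on any object; add it with setspn -S."
} elseif (@($holders).Count -gt 1 -or $holders.DistinguishedName -ne $acct.DistinguishedName) {
    Write-Warning "$ExpectedSpn is held by: $($holders.DistinguishedName -join '; ')"
}

# 3. The account must be trusted for delegation (unconstrained or constrained).
$constrained = @($acct.'msDS-AllowedToDelegateTo')
if (-not $acct.TrustedForDelegation -and $constrained.Count -eq 0) {
    Write-Warning "$ServiceAccount is not trusted for delegation."
} else {
    $summary = "Delegation: unconstrained={0}, constrained targets={1}"
    Write-Output ($summary -f $acct.TrustedForDelegation, ($constrained -join ', '))
}
```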

(Last updated on October 8, 2024)
