WCF and WIF, Delegation and Kerberos Failure
(Last updated on August 2, 2018)
I recently ran into an issue where a client of ours was trying to implement Version 5.1 of Specops Password Reset. The implementation was “Multi-Tiered” in that the Web Component was on a separate server from the Password Reset Component.
As Specops Password Reset relies on kerberos to identify and authenticate the user during enrollment, we needed to make sure that delegation was working correctly. What ever we tried we could not get this ti work. Normally it is just a case of adding an SPN to the web server account for the URL that the user will be using to access the site, and trusting the web server for delegation (In this particular case we we’re also adding it to an IIS 7.0 web farm, but more on that later). But no matter what we tried the page kept reporting that it could not identify the user, the exact error was “The request for the security token could not be satisfied because authentication failed”, and when we looked at the security logs on the servers we could see the authentication attempts coming in as Anonymous and using NTLM and not kerberos.
After trawling through a tonne of logs and traces, finally our WCF/WIF guru Janne analysed a Wireshark trace for me and noted that the SPR Server (not the web server) could not locate the UPN of the service account it was running under. We checked this out, but the account matched. We did notice however that this particular UPN name was 33 characters in length, and AD had obviously truncated this down to the 20 character, Pre Win 2000 length in the account properties. We decided to swap the full length name for the truncated one in the sites web.config file, did an IIS reset and VOILA! kerberos sprang from the gates of hell and into life.
Janne is going to mention it to the WCF/WIF team and see if they know about it, hopefully it’ll get fixed at some point in the future.
So the lesson here is, if you work in a organisation who’s naming convention may force you to generate long user names, don’t expect them to always work especially with kerberos delegation. NT4 lives on!!!