Applications that perform KCD delegation may not finish the S4U process on a computer that is running Windows Server 2008 or Windows Server 2003

Applications that perform KCD delegation may not finish the S4U process on a computer that is running Windows Server 2008 or Windows Server 2003

Article ID : 949015
Last Review : June 18, 2008
Revision : 1.0

SYMPTOMS

Applications that perform Kerberos Constrained Delegation (KCD) may not finish the Service-for-User (S4U) process on a computer that is running Windows Server 2008 or Windows Server 2003. This issue occurs in the following scenario:

• The service domain contains hosts that are permitted to use KCD.
• The user account that is being delegated resides in a trusted forest.
• The service domain and the account domain are not root domains in their respective forests.
• The KERB_S4U_LOGON struct is populated as follows:

MessageType = KerbS4ULogon
ClientUpn = user name
ClientRealm = NB domain name

Back to the top

CAUSE

This issue occurs because the Windows operating system does not have the additional mapping data that is required. By default, the additional mapping data is not populated in Active Directory Domain Services (AD DS). Therefore, the operating system is unable to search the whole forest and the whole trust structure to resolve the mappings between unqualified domains and fully qualified domains.

Back to the top

RESOLUTION

To resolve this issue, follow these steps:

1. Use the Active Directory Service Interfaces Edit tool to edit the ms-DS-SPNSuffixes attribute in the following configuration container in AD DS:

(CN=Partitions, CN=Configuration, DC=DomainNamingContext)

Edit the ms-DS-SPNSuffixes attribute to add NB domain names for all domains in the local domain tree.

2. Repeat step 1 for each root domain in the trusted forest.
3. Edit the Name Suffix Routing list in the trusting forest to enable all the following suffixes for all the trusted domains:

• *.NBDomain suffixes
• *.FQDN suffixes
4. Repeat step 3 for each forest that trusts the forest that is modified in step 1.
5. Repeat steps 1 through 4 as necessary for the remaining forests and trees.

Back to the top


APPLIES TO
• Windows Server 2008 Datacenter
• Windows Server 2008 Enterprise
• Windows Server 2008 Standard
• Windows Web Server 2008
• Windows Server 2008 for Itanium-Based Systems
• Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
• Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
• Microsoft Windows Server 2003, Datacenter x64 Edition
• Microsoft Windows Server 2003, Enterprise x64 Edition
• Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
• Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
• Microsoft Windows Server 2003, Standard x64 Edition
• Microsoft Windows Server 2003, Standard Edition (32-bit x86)

Back to the top

Keywords: 
kbexpertiseadvanced kbtshoot KB949015

Back to the top

 

Microsoft Knowledge Base Article

This article contents is Microsoft Copyrighted material.
Microsoft Corporation. All rights reserved. Terms of Use | Trademarks


You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

AddThis Social Bookmark Button

Leave a Reply

*
To prove that you're not a bot, enter this code
Anti-Spam Image