Hi all,
Our current environment (Laserfiche/Web Access 9.2) is using Kerberos unconstrained delegation, which is working fine. We've been asked to switch to constrained delegation.
I've taken a look at some existing threads, such as this one:
https://answers.laserfiche.com/questions/119954/Kerberos-Services
I've also gone through the LF White Papers on Kerberos, both for WA8 and LF10 with details on setting up unconstrained delegation, but I haven't been able to get it working.
Our setup is as follows:
Laserfiche Application Server
- Win 2016 Server
- LF services are running off a domain service account
Laserfiche Web (Access) Server
- Win 2016 Server
- Web Access and Web Link application pools in IIS are running off the same domain service account
- useAppPoolCredentials flag set to TRUE
- Windows Authentication enabled
Both servers are on the same domain (as is the service account) and same VLAN.
SPNs were set up for the service account:
HTTP/<application_server>
HTTP/<application_server><domain>
HTTP/<web_server>
HTTP/<web_server><domain>
LaserficheServer/<application_server>
LaserficheServer/<application_server><domain>
HTTP/<various_A_records_for_web_server>
Within ADUC, delegation is set to "Trust this user for delegation to any service (Kerberos only)" for the domain service account, while delegation is not enabled for the LF web server.
Within various browsers (Firefox primarily), the web server hostname is added into trusted sites.
With this setup, users are able to log into Web Access (single sign-on via Windows Authentication) without any problems.
If we switch the delegation setting for the service account to "Trust this user for delegation to specified services only" and add all the HTTP and LaserficheServer entries set up via SPNs, users encounter a permission denied error when attempting to load Web Access.
Could anyone provide some insight as to what is preventing unconstrained delegation from working? Happy to provide additional details about our environment to help troubleshoot this.
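A diagnostic script to go with the setup described above, added here as an example and not taken from the original post or from Laserfiche's documentation. It reads the service account's delegation mode from userAccountControl and msDS-AllowedToDelegateTo, checks that each SPN from the list above is registered to exactly one AD object, and, when the account is in "specified services only" mode, reports which back-end SPNs are missing from the allowed-target list. The account name, host names and domain are placeholders for the poster's environment, and the RSAT ActiveDirectory module is assumed to be installed on the machine running it.

```powershell
# Added diagnostic example (not part of the original post). Account, host and
# domain names are placeholders; the ActiveDirectory RSAT module is assumed.
Import-Module ActiveDirectory

$ServiceAccount = 'svc_laserfiche'   # placeholder: domain service account running LF services and app pools
$AppServer      = 'lfapp01'          # placeholder: Laserfiche Application Server short name
$WebServer      = 'lfweb01'          # placeholder: Web Access server short name
$Domain         = 'example.local'    # placeholder: AD DNS domain

# userAccountControl bits that the ADUC Delegation tab toggles
$TRUSTED_FOR_DELEGATION         = 0x00080000   # "Trust this user for delegation to any service (Kerberos only)"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000   # "Use any authentication protocol" (protocol transition)

function Get-DelegationMode {
    param([string]$Account)
    $u = Get-ADUser -Identity $Account -Properties userAccountControl, servicePrincipalName, 'msDS-AllowedToDelegateTo'
    $uac     = [int]$u.userAccountControl
    $targets = @($u.'msDS-AllowedToDelegateTo')   # populated only for "specified services only"
    if ($uac -band $TRUSTED_FOR_DELEGATION) { $mode = 'Unconstrained' }
    elseif ($targets.Count -gt 0)           { $mode = 'Constrained' }
    else                                    { $mode = 'None' }
    [pscustomobject]@{
        Account            = $u.SamAccountName
        Mode               = $mode
        ProtocolTransition = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
        AllowedTargets     = $targets
        RegisteredSPNs     = @($u.servicePrincipalName)
    }
}

function Test-SpnOwnership {
    param([string[]]$Spns)
    foreach ($spn in $Spns) {
        # An SPN must belong to exactly one AD object; a duplicate or missing SPN
        # stops the KDC from issuing a ticket for that service name.
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
        switch ($owners.Count) {
            0       { $status = 'MISSING' }
            1       { $status = 'OK' }
            default { $status = 'DUPLICATE' }
        }
        [pscustomobject]@{
            SPN    = $spn
            Owners = ($owners | ForEach-Object sAMAccountName) -join ','
            Status = $status
        }
    }
}

# SPNs the post says were registered, built from the placeholder names above
$BackendSpns = @(
    "HTTP/$AppServer", "HTTP/$AppServer.$Domain",
    "LaserficheServer/$AppServer", "LaserficheServer/$AppServer.$Domain"
)
$FrontendSpns = @("HTTP/$WebServer", "HTTP/$WebServer.$Domain")

$report = Get-DelegationMode -Account $ServiceAccount
$report | Format-List
Test-SpnOwnership -Spns ($FrontendSpns + $BackendSpns) | Format-Table -AutoSize

# In constrained mode the KDC only issues delegated tickets for services named in
# msDS-AllowedToDelegateTo, so every back-end SPN the web tier contacts must be listed.
if ($report.Mode -eq 'Constrained') {
    $BackendSpns | Where-Object { $report.AllowedTargets -notcontains $_ } |
        ForEach-Object { "Back-end SPN not in msDS-AllowedToDelegateTo: $_" }
}
```

Run it from an account that can read the service account's attributes. The SPN name the web tier actually uses when it asks for a delegated ticket has to match one of the entries in AllowedTargets exactly (service class and host form included), so the "Not in msDS-AllowedToDelegateTo" lines are the first thing to compare against the HTTP and LaserficheServer names the Web Access server resolves at runtime.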