You are viewing limited content. For full access, please sign in.

Discussion

Discussion

Kerberos- Resource-Based Constrained Delegation

Web Client Forms Directory Server Version 10
Updated March 11, 2020
posted on February 28, 2020

Hello,

We have a customer who is looking to setup Resource-Based Constrained Delegation using the process: If both front-end and back-end services run under domain user accounts.

Now the thing is both the Web Applications (Forms and Web Client) reside on the same server as LFDS.

They think they still need this option and they think SQL comes into play, which they consider the backend server.

They already have LFDSSTS setup and are using this for Windows Auth to Forms.  I think this would be best route given all LF Web Products are on the same machine as LFDS.

Appreciate any feedback,

Jeff Curtis

0 0
replied on February 28, 2020 Show version history

It's unclear to me why the customer thinks they need they need to set up Kerberos constrained delegation in any form here.

WIth LFDS/STS on the same machine there's no need for impersonation. A user makes a single Windows Auth call to LFDSSTS, which then issues the user an STS auth token stored as a browser cookie.

Other SSO-enabled Laserfiche web applications check for and consume the STS token. It doesn't matter what server the other web apps are on.

1 0
View 1 previous reply
replied on February 28, 2020

The misunderstanding might be that they think the user's identity is delegated all the way to the SQL server, but that's not how Laserfiche products work.

1 0
replied on March 3, 2020

Hello Samuel and Brian,

Reason customer was looking at the Kerberos route is they found the following error on 1-2 workstation's in their Environment:

Microsoft-Windows-Security-Kerbero
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server (Customer's LF SQL Service Account Name). The target name used was (Name of Customer LF Server). This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (CUSTOMERSNAME.LOCAL) is different from the client domain (CUSTOMERSNAME.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

 

The thing is, the do not have:

1. Any SPN's configured

2. Kerberos Key Distribution Center configured

 

Any pointers greatly appreciated,

Jeff Curtis

0 0
replied on March 3, 2020

Hi Jeff,

Whether the customer realizes it or not, they have tons of SPNs configured (just not manually) as well as KDC, as those are foundational components of an Active Directory domain. Domain Controllers serve as Kerberos KDCs. Laserfiche applications automatically set SPNs during installation.

I would first check what identity your Laserfiche Server instance is running under. I suspect it may be running as the "LF SQL Service Account", because Laserfiche client applications should, to my knowledge, never directly connect to SQL.

Cheers,

1 0
replied on March 11, 2020

Thanks for the information.  I will follow up with the Customer.

0 0
You are not allowed to follow up in this post.

Sign in to reply to this post.

Details
Related Posts
Loading ...