Question

Kerberos Issues

asked on July 29, 2015

I am setting up a two server environment. The two servers would be ServerA (Workflow + Server) and ServerB (Web + Forms + Weblink + Audit). Both are 2012R2. I am running into an issue where Kerberos just isn't passing through correctly.

I have given delegate access to the Web server in active directory and attempted this as was recommended by someone else in answers. The white paper I read said this should be the only setup that is needed though it was written for IIS7 and WebAccess8. Both application pools are running as ApplicationPoolIdentity. Anonymous access is disabled in the virtual directories.

I am able to login with Kerberos from the machine with Web Access(ServerB) without issues using both a FQDN as well as just the hostname. When I attempt to login from the Laserfiche server I receive a 9013 error in WebAccess and a plain permission denied from Weblink. I have enabled Kerberos logging, and whenever an account is not allowed login, I get a KDC_ERR_BADOPTION error logged in event viewer shown as attached.

Any help would be appreciated.

[Attachment: KerberosError.PNG]


Replies

replied on July 29, 2015

What account is the Laserfiche Server service running as? If it's not "Local System" then can you confirm that you have the LaserficheServer SPNs registered correctly?

replied on July 29, 2015

Laserfiche Server is running as the Local System account.

replied on July 30, 2015

How are Server A's HTTP SPNs registered? Is the virtual directory set up to do kernel-mode authentication (Authentication | Windows Authentication | Advanced Settings...)?

replied on July 31, 2015

There are no HTTP SPNs registered on server A. What should I need to register for when running the server as localhost? I ask because we will need to involve their IT for this and would prefer to have a command in mind ahead of time. I think just SETSPN -R http/hostname would be right, but I would like confirmation ahead of time if possible.

There are HTTP SPNs on server B either if that matters.

Everything is setup for default in kernel mode still.

Thanks again!

[Attachment: KerberosError2.PNG]
SELECTED ANSWER
replied on July 31, 2015

I think you'll want to do: "setspn -A http/ServerA ServerA" and "setspn -A http/ServerAFqdn ServerA", as long as you have enabled kernel-mode authentication. If you haven't read the white paper on configuring kerberos for Web Access you should take a look at it.

replied on August 10, 2015

This worked, thank you.

replied on August 10, 2015

Great!

replied on September 24, 2018

Hi Brian,

Here the advice has been to use the hostname of the LFServer. In the PDF on the topic, the advice is to use the service name for Laserfiche:

https://infrapi.laserfiche.com/api//files/1163/download

and in the current documentation, for WebDAV, hostname or service name is not specified.

https://www.laserfiche.com/support/webhelp/Laserfiche/10/en-US/administration/#../Subsystems/LFAdmin/Content/Configuring_SPN.htm?Highlight=spn

Also, one says to set the SPN for HOST and one doesn't. One says to set the hostname and FQDN, one just says to set the FQDN.

It looks like there's no general rule to this?

This one tends to work for me:

setspn -A HTTP/<FQDN of Laserfiche service server> <host name of server service>
setspn -A LaserficheServer/<FQDN of Laserfiche service server> <host name of server service>
setspn -A HOST/<FQDN of Laserfiche service server> <host name of server service>

What's your opinion on the subject?

-Ben

replied on September 27, 2018

Yeah, that looks fine to me.

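Pulling the accepted answer and Ben's 2018 list together, the following is an added PowerShell example; it was not posted by anyone in this thread and is not Laserfiche's own tooling. It audits the computer account of the Laserfiche Server host for the SPNs discussed above (HTTP on the short name and the FQDN, LaserficheServer, HOST) and, only when asked, registers the missing ones. Server names, the domain suffix and the account name are placeholders. A few points a practitioner would want alongside it: setspn -S, rather than the -A used in the accepted answer, searches the forest for a duplicate before adding, and a duplicate HTTP SPN is the usual reason Kerberos quietly fails over to NTLM or produces KRB_AP_ERR_MODIFIED; with kernel-mode authentication enabled the HTTP SPN belongs on the computer account, whereas an app pool running as a domain account with kernel-mode disabled needs it on that account instead; setspn -R, which the original poster considered, only resets the default HOST SPNs on a computer account and adds no HTTP entries; and KDC_ERR_BADOPTION is also what the KDC returns when a server configured for constrained delegation requests a ticket for a target SPN that is not registered, which is consistent with adding HTTP/ServerA resolving the reported error.

```powershell
# Added example (not from the original thread): audit and, with -Register,
# add the SPNs discussed above on the computer account of the Laserfiche
# Server host. All names are placeholders; substitute your own.
#
# Assumptions not stated in the thread:
#   - Laserfiche Server runs as Local System (as the OP said), so SPNs go on
#     the computer account. For a domain service account, pass that account.
#   - setspn.exe is available (domain-joined Windows Server / RSAT) and the
#     caller may write servicePrincipalName on the target account.
#   - Kernel-mode Windows Authentication stays enabled in IIS, so the HTTP
#     ticket is decrypted with the machine key and the SPN must be on the
#     computer account.
param(
    [string]$HostName = 'ServerA',               # NetBIOS name of the Laserfiche Server host
    [string]$Fqdn     = 'ServerA.corp.example',  # its DNS FQDN (placeholder domain)
    [string]$Account  = 'ServerA',               # account to carry the SPNs (computer account here)
    [switch]$Register                            # default is audit only; add this to write SPNs
)

# The SPN set from the accepted answer (HTTP, short + FQDN) plus the
# LaserficheServer and HOST entries from Ben's 2018 post.
$wanted = @(
    "HTTP/$HostName",
    "HTTP/$Fqdn",
    "LaserficheServer/$Fqdn",
    "HOST/$Fqdn"
)

function Get-AccountSpns {
    param([string]$Account)
    # setspn -L lists the servicePrincipalName values on a single account.
    # Output is a header line followed by one indented SPN per line.
    $out = & setspn.exe -L $Account 2>&1
    $out | ForEach-Object { $_.ToString().Trim() } |
        Where-Object { $_ -match '^[A-Za-z]+/' }
}

function Test-SpnRegisteredAnywhere {
    param([string]$Spn)
    # setspn -Q searches the whole forest. A hit here, when the SPN is not on
    # our account, means another account already owns it: a duplicate that
    # must be removed (see setspn -X for a forest-wide duplicate report)
    # before it is added here, or Kerberos will break for both hosts.
    $out = (& setspn.exe -Q $Spn 2>&1) -join "`n"
    return ($out -match 'Existing SPN found')
}

$present = Get-AccountSpns -Account $Account   # -contains below is case-insensitive
$todo = @()

foreach ($spn in $wanted) {
    if ($present -contains $spn) {
        Write-Host ("OK        {0} already registered on {1}" -f $spn, $Account)
        continue
    }
    if (Test-SpnRegisteredAnywhere -Spn $spn) {
        Write-Warning ("DUPLICATE {0} is registered on another account; fix that first (setspn -X)" -f $spn)
        continue
    }
    Write-Host ("MISSING   {0}" -f $spn)
    $todo += $spn
}

if ($Register) {
    foreach ($spn in $todo) {
        # -S re-checks for duplicates at add time, unlike -A, which adds blindly.
        & setspn.exe -S $spn $Account
    }
} elseif ($todo.Count -gt 0) {
    Write-Host "Re-run with -Register to add the missing SPNs."
}

# Client-side check once SPNs are in place: run 'klist purge', sign in to Web
# Access again, then 'klist' should list a ticket for HTTP/<server> and the IIS
# log should show the user authenticated via Negotiate rather than an NTLM
# fallback or an anonymous 401.
```

Run it first without -Register to see what is present, duplicated or missing; the LaserficheServer and HOST entries are reported the same way as the HTTP ones, so the output doubles as a quick consistency check against whichever of the two documents Ben cites you are following.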