DelegConfig v2 beta (Delegation / Kerberos Configuration Tool) : Download : The Official Microsoft IIS Site


I just love the main screen of this tool! Kerberos can be scary and misunderstood (kinda like referees!)

Introduction

DON’T RUSH!!! You are not so smart that you should skip over reading the following. I like to skip over documentation just as much as the next person. But for your own benefit please read this information (usage tips and features). If you are not aware of everything this tool can do, you will add unnecessary confusion and work to your already frustrating experience of getting Kerberos and Delegation to function properly.

Usage Tips
READ what the report tells you – If I had a penny for every time somebody asked me what the report ALREADY SAYS I would be rich. Okay, maybe not rich, but I’d have a lot of pennies.
Start by using the report locally from the web server – You should still use the same URL that you plan on using remotely. However, certain types of authentication problems will occur only if your connection is using Kerberos and there is something misconfigured. Using this tool from a browser instance local to the server will avoid those types of problems since in most cases local requests use NTLM.
Next, use the report from a remote client – One important check that is performed is whether or not your browser has actually connected to the web service using Kerberos. If you always make your requests from the web server itself, you will likely always see a "Negotiate with NTLM" connection with a red "x" next to it (and red icons usually bother people). A second important piece of information revolves around name resolution of the client. If your requests are always from the server, how can we see what the client thinks?
Lastly, click any "Fix This" buttons locally from the server – "Fix This" buttons will appear that allow you to make the exact changes you need to get things working. But just like any other web application, this application is at the mercy of the whole double-hop concept. The most relevant types of changes this tool can make are Trust settings and ServicePrincipalName settings, which are both stored in Active Directory. If you try to make changes to these settings (i.e. you click the "Fix This" buttons) from a remote browser instance, it will likely fail because of the failed double-hop from browser-to-webServer then webServer-to-ActiveDirectory.
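
The Kerberos-or-NTLM check that the usage tips describe can also be made by hand from the `Authorization` header a browser sends, for instance from a trace taken on the client. The Python below is an added example, not DelegConfig's own code; the function names and the sample tokens are constructed for illustration and contain no real ticket or hash material.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"                                # signature that opens every NTLM message
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),   # 1.2.840.113554.1.2.2 (Kerberos V5)
             bytes.fromhex("06092a864882f712010202"))   # 1.2.840.48018.1.2.2 (MS Kerberos)
NTLM_OID = bytes.fromhex("060a2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10

def classify_negotiate(header_value):
    """Classify the first token of a handshake: 'kerberos', 'ntlm', 'unknown' or 'invalid'."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not blob.strip():
        return "invalid"
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return "invalid"
    if raw.startswith(NTLMSSP):
        return "ntlm"                  # bare NTLM message, no SPNEGO wrapper
    if raw[:1] != b"\x60":
        return "unknown"               # not a GSS-API initial token (e.g. a later leg)
    if SPNEGO_OID in raw[:16] and NTLMSSP in raw:
        return "ntlm"                  # SPNEGO wrapper whose mechToken is an NTLM message
    if any(oid in raw for oid in KRB5_OIDS):
        return "kerberos"              # Kerberos OID present, no NTLM message inside
    return "unknown"

def _tlv(tag, body):
    """DER tag-length-value, short-form length only (enough for the samples)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def _spnego(mech_oids, mech_token):
    """Build a minimal NegTokenInit: mechTypes [0] plus mechToken [2]."""
    init = _tlv(0x30, _tlv(0xA0, _tlv(0x30, mech_oids)) + _tlv(0xA2, _tlv(0x04, mech_token)))
    return _tlv(0x60, SPNEGO_OID + _tlv(0xA0, init))

def sample_tokens():
    """Constructed header values: structure only, placeholder bytes for the payloads."""
    ntlm_msg = NTLMSSP + b"\x01\x00\x00\x00" + b"\x00" * 28           # type 1 layout, zeroed
    ap_req = _tlv(0x60, KRB5_OIDS[0] + b"\x01\x00" + b"\x6e\x00")     # placeholder AP-REQ
    enc = lambda b: "Negotiate " + base64.b64encode(b).decode()
    return {"remote_kerberos": enc(_spnego(KRB5_OIDS[1] + KRB5_OIDS[0] + NTLM_OID, ap_req)),
            "local_ntlm": enc(ntlm_msg),
            "wrapped_ntlm": enc(_spnego(NTLM_OID, ntlm_msg))}

if __name__ == "__main__":
    for name, value in sample_tokens().items():
        print(name, "->", classify_negotiate(value))
```

A Kerberos offer still lists the NTLM OID as a fallback mechanism, which is why the check looks for the `NTLMSSP` message signature rather than the OID.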
Pages
/Set/SPNs.aspx – Allows adding and removing of ServicePrincipalNames
/Set/Delegation.aspx – Allows changing Trust for Delegation settings.
/Set/Providers.aspx – Allows correcting of inadequate NTAuthenticationProviders settings.
/Report.aspx – Gives a picture of what is right and what is wrong.
/Wizard.aspx – A set of wizard steps that supports adding more tiers to /Report.aspx.
/Test.aspx – Allows double-hop tests for webServer-to-Sql or webServer-to-File server or webServer-to-webServer

 


Comments (9)

  1. BobC says:

    Any clue as to the following error for Beta 2 on the Report page?

    Webpage error details

    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)

    Timestamp: Wed, 17 Nov 2010 17:50:50 UTC

    Message: Object doesn't support this property or method

    Line: 55

    Char: 5

    Code: 0

    URI: my.site.com/…/WebResource.axd

  2. Chris H says:

    I get the same error, "Object doesn't support this property or method"

    Same Line and Char.  I would love to use this since it seems to be helpful for some people.

  3. Alan H says:

    Got the same issue…

    Any solution to this yet?

    Message: Object doesn't support this property or method

    Line: 55

    Char: 5

    Code: 0

  4. Bean says:

    Make sure the client machines have .NET 2.0 SP2 installed; the servers send some javascript that's running on the client, and that's where the error is coming from.

  5. Trev says:

    My server is running .NET 3.5 (2008 R2) and I'm having the same issue. I've also tried running the appPool in Classic Mode but no joy. Are there any other ideas out there?

  6. Mark says:

    Disable the Execute permission on the virtual directory you created for delegconfig. So in IIS 6 it would be setting it to scripts only instead of scripts and executables. In IIS 7 go into Handler Mappings, click Edit Feature Permissions, then uncheck Execute. After that you should be groovy.

  7. sguitardude says:

    Thanks Mark.  Unchecking Execute worked for me.

  8. kerby says:

    The error message is related to DispHTMLObjectElement, which doesn't support the GetResolved method. Is there any possibility to get the source code of DelegConfig v2 beta?

  9. Steelsky says:

    Got this resolved by running the Wizard (Wizard.aspx).