Hi all,
Trying to figure out how to get this working. A webapp (TopDesk) is published under the portal hostname. TopDesk has been set up with Kerberos Authentication. An SPN has been set up in TopDesk like this: http/servername.domain
When I do a setspn -q http/servername.domain I get a big list of servers and services that are registered with a service account. That service account is only used for Kerberos auth, and has the option enabled to be delegated for authentication to any service (Kerberos only).
I published the application and set it up for Kerberos Auth. When I log on to the UAG portal and open the application I get a "You do not have permissions to view this folder or page".
The Webmonitor shows an "Unable to reply to a HTTP 401 request".
Fiddler does not give any information.
I started a capture in Network Monitor and see some Kerberos v5 messages.
First one: KerberosV5:TGS Request Realm: DOMAIN Sname: http/servername.domain
Second: KerberosV5:KRB_ERROR - KDC_ERR_BADOPTION (13)
I am a little lost now on what I can do. But could this point to a situation where the Logon FORM of the application doesn't understand what UAG is trying to do with its LoginForm.xml? In other words, could this be that I have to make a custom Form? Or is the issue different, maybe one step before the FORM thingy?
I also checked TMG logging and saw some messages about a Kerberos Ticket being generated and delivered to me. After that the 401 message came in.
Thanks for the help!