constrained delegation problem with windows and ow...

maxime_simard_ · ‎01-27-2010

I've make it work in the lab perfectly but at one client i've got the following error :

Constrained Delegation TGS fetch error: KDC

can't fulfill requested option

Constrained Delegation TGS fetch error: KDC can't fulfill requested option

here is a summary of the option from the log:

authtime: Tue Jan 19 13:40:09 2010,

startime: Tue Jan 19 13:40:09 2010, endtime: Tue Jan 19 23:40:08 2010, endtime sec:

1263962408, current sec: 1263926409, Flags reserved: 0, forwardable: 1, forwarded: 0,

proxiable: 0, proxy: 0, may_postdate: 0, postdated: 0, invalid: 0, renewable: 0,

initial: 0, pre_authent: 1, hw_authent: 0, transited_policy_checked: 0, ok_as_delegate:

0, anonymous: 0

so the ticket is fowardable. there is not much help on the web for this, as the only explanation i have found is this :

KDC policy rejects request

KDC can't fulfill requested option

á Requesting a forwardable ticket for a /root or /admin instance

á Trying to forward an unforwardable ticket, or renew an unrenewable one

I dont know how to correct the problem. What does /root or /admin means in a windows environement ? JTAC support is not helping very much.

thanks.

filbert_ · ‎02-02-2010

Be sure to check that you set the SPN correctly. Is your delegation account, OWA, and user account all in the same domain?

SVK_ · ‎09-05-2012

How is the sahrepoint resource configured on the backend?

Is the sharepoint server Hostname and the Resource url have the same name?

constrained delegation problem with windows and owa