

I have a backend authentication problem when publishing a web application through UAG. The application is based on Apache Tomcat for Windows, and Apache authentication is configured for Kerberos (and not for NTLM). UAG itself and the backend server are domain members. I use local AD forest authentication on UAG both for the trunk and for the published applications. When I select the "401 request" authentication method for my published app and try to access the app from the UAG portal, I get the "You do not have permissions to view this folder or page" error.

I checked the UAG traffic with Network Monitor and saw that there is an HTTP GET request from UAG to the backend and a '401' response from it with the WWW-Authenticate option = 'Negotiate' - and the conversation stops.

When I open the backend URL in IE (from the UAG server) I see the same beginning in NM, but after the '401' response, UAG issues a TGS request to the KDC and gets a service ticket for the SPN of my backend server and then passes this ticket in the next HTTP GET request - then the web server replies and all works fine.

So I assume that I should use "Kerberos Constrained Delegation" for SSO, and I configure UAG for it. But when I open the application in the UAG portal I get the same error - "You do not have permissions to view this folder or page". When I check the traffic in NM I see that after the initial '401' response from the backend, UAG requests a service ticket from the KDC for the (my UAG machine account) service (why?) and then issues an HTTP GET request with an NTLM negotiate message.
