Undoing IAG SP1 Kerberos constrained delegation settings before configuring Kerberos in IAG SP2

Applies To: Intelligent Application Gateway (IAG)

Whale Communications Intelligent Application Gateway (IAG) 2007 SP1 uses Microsoft Internet Security and Acceleration (ISA) Server in order to perform Kerberos constrained delegation. This involves using an ISA Server Web listener in order to publish the IAG portal. ISA Server Web listeners receive user requests on an external IP address and forward them to IAG via a localhost interface.

Unlike IAG SP1, IAG SP2 does not use ISA Server in order to perform Kerberos constrained delegation. Kerberos constrained delegation configured in IAG SP1 is not supported on IAG SP2.

If you have configured Kerberos constrained delegation on IAG SP1, then before you install SP2, you must undo the configuration of Kerberos constrained delegation and revert to the previous configuration. You can do this either automatically or manually.

To automatically undo configuration of Kerberos constrained delegation

  1. On the IAG computer, at a command prompt, type the following, and then press ENTER:

    …\Whale-Com\e-Gap\utils\KCD\IAG_KCD_tool.exe Clear

  2. On the IAG Password dialog box, type your IAG Configuration passphrase, and then click OK.

  3. On the IAG KCD Support Tool dialog box, click Reset.

    The IAG Configuration console opens. All the configured trunk information is updated (for example, the original external IP addresses are restored to the configured trunks).

    Note

    If this procedure fails, perform the manual procedure below.

    It is recommended that you use the manual procedure as a checklist to make sure that the configuration has been reverted properly.

To manually undo configuration of Kerberos constrained delegation

  1. On the ISA Server Management console, remove all of the ISA Server Web publishing rules that have the following prefix in the Name field:

    IAG::

    Important

    If you have created any custom rules after running the tool, you must delete them manually. You must also delete any relevant Web listeners in ISA Server.

  2. On the IAG computer, do the following:

    1. At a command prompt, type the following, and then press ENTER:

      httpcfg query iplisten

      If any entries are displayed, delete them. The following is an example of deleting a record from the iplisten store:

      httpcfg delete iplisten -i 10.0.0.1:80

    2. Delete the following registry key:

      HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter\FullAuthPassthru

    3. Delete the following file:

      …\Whale-Com\e-Gap\common\conf\kcd_setup.xml

    4. Delete the files from the following directory:

      …\Whale-Com\e-Gap\von\InternalSite\auth

    5. From the following directory, delete all files that have the suffix Login.inc or Validate.inc and belong to a trunk that is configured for Kerberos constrained delegation:

      …\Whale-Com\e-Gap\von\InternalSite\inc\CustomUpdate

    6. In the following file, make sure that sharePointKCD = false:

      …\Whale-Com\e-Gap\von\PortalHomePage\inc\CustomUpdate\CustomDefault.inc

  3. On the IAG Configuration console, do the following:

    1. Back up the current configuration.

    2. Restore the original IP address for the Kerberos constrained delegation trunk.

      For all the relevant applications that were configured to use Kerberos constrained delegation, in the Applications area, double-click the application. On the Application Properties dialog box, click the Web Settings tab, and then select the Automatically Reply to Application-Specific Authentication Requests check box.

    3. For all SharePoint applications that were configured to use Kerberos constrained delegation, in the Applications area, double-click the application. On the Application Properties dialog box, click the Portal Link tab, and then select the Startup Page check box.

    4. On the toolbar of the Configuration console, click the Activate Configuration icon. On the Activate Configuration dialog box, click Activate.

      When the configuration is activated, the message "IAG configuration activated successfully" appears.

  4. On the IAG computer, do the following:

    1. To stop the HTTP service, at a command prompt, type the following, and then press ENTER:

      net stop iisadmin /y

      Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

    2. In Internet Information Services (IIS) Manager, in the left navigation tree, below Web Sites, expand Default Web Site, expand InternalSite, right-click auth, and then click Properties.

    3. On the Auth Properties dialog box, click the Directory Security tab. In the Authentication and access control area, click Edit.

    4. On the Authentication Methods dialog box, select the Enable anonymous access check box, and then clear the Integrated Windows authentication check box.

    5. To start the iisadmin service (starting the World Wide Web Publishing service also starts the iisadmin service it depends on), at a command prompt, type the following, and then press ENTER:

      net start w3svc
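A read-only verification script for the file, registry, httpcfg, and IIS items in the manual procedure above (added here as an example; it is not part of the IAG documentation or product). It assumes that the e-Gap folder sits under $InstallRoot, which stands for the elided part of the paths above, and that the Default Web Site has IIS 6 metabase ID 1; the ISA Server rules and the Configuration console steps still have to be checked by hand.

```powershell
# Added checklist script, not from the IAG documentation. Reports only; it never deletes anything.
param([string]$InstallRoot = 'C:\')   # assumption: the drive/folder that the "..." in the paths stands for

$eGap = Join-Path $InstallRoot 'Whale-Com\e-Gap'
$findings = @()

# Step 2.1: the httpcfg iplisten store should contain no entries
$ipl = & httpcfg query iplisten 2>&1 | Out-String
if ($ipl -match '\d+\.\d+\.\d+\.\d+') { $findings += "httpcfg iplisten still has entries:`n$ipl" }

# Step 2.2: the FullAuthPassthru registry key must be gone
$key = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter\FullAuthPassthru'
if (Test-Path $key) { $findings += "Registry key still present: $key" }

# Steps 2.3 and 2.4: kcd_setup.xml and the contents of InternalSite\auth must be gone
$xml = Join-Path $eGap 'common\conf\kcd_setup.xml'
if (Test-Path $xml) { $findings += "File still present: $xml" }
$authDir = Join-Path $eGap 'von\InternalSite\auth'
if ((Test-Path $authDir) -and (Get-ChildItem $authDir -Force | Measure-Object).Count -gt 0) {
    $findings += "Directory not empty: $authDir"
}

# Step 2.5: list leftover *Login.inc / *Validate.inc files; an admin decides which trunk each belongs to
$cu = Join-Path $eGap 'von\InternalSite\inc\CustomUpdate'
if (Test-Path $cu) {
    Get-ChildItem $cu | Where-Object { $_.Name -like '*Login.inc' -or $_.Name -like '*Validate.inc' } |
        ForEach-Object { $findings += "Check trunk ownership of: $($_.FullName)" }
}

# Step 2.6: sharePointKCD must be false in CustomDefault.inc
$def = Join-Path $eGap 'von\PortalHomePage\inc\CustomUpdate\CustomDefault.inc'
if (Test-Path $def) {
    $m = Select-String -Path $def -Pattern 'sharePointKCD\s*=\s*(\w+)' | Select-Object -First 1
    if ($m -and $m.Matches[0].Groups[1].Value -ne 'false') { $findings += "sharePointKCD is not false in $def" }
}

# Step 4: InternalSite/auth should allow anonymous access (AuthFlags bit 1) and not
# Integrated Windows authentication (bit 4). Assumes Default Web Site = metabase ID 1.
try {
    $auth  = [ADSI]'IIS://localhost/W3SVC/1/Root/InternalSite/auth'
    $flags = [int]$auth.Get('AuthFlags')
    if (-not ($flags -band 1)) { $findings += 'IIS: anonymous access is disabled on InternalSite/auth' }
    if ($flags -band 4)        { $findings += 'IIS: Integrated Windows authentication still enabled on InternalSite/auth' }
} catch { $findings += "IIS: could not read the InternalSite/auth metabase node ($_)" }

if ($findings.Count -eq 0) { 'All checked Kerberos constrained delegation settings have been reverted.' }
else { $findings | ForEach-Object { "NOT REVERTED: $_" } }
```

Run it from an elevated prompt on the IAG computer after completing the manual procedure, before starting the SP2 installation.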