Getting error 12202 intermittently (Authentication Failure) while accessing published resources (SharePoint / Exchange, etc.) through TMG 2010

I was working on a case where we were seeing intermittent authentication failures for the websites (Exchange / SharePoint) that were published on the TMG Server.

Environment:

TMG 2010, domain joined (2003 and 2008 Domain Controllers)

Kerberos Constrained Delegation (KCD) enabled on rules.

Exchange / SharePoint publishing.

Data Collection:

We collected a network trace on the internal network of the TMG Server and saw this:

KerberosV5:KRB_ERROR - KDC_ERR_ETYPE_NOSUPP (14), which indicates that an encryption type negotiation mismatch occurred.

After narrowing things down, we saw that this issue happened when the TMG Server had its secure channel set up with a 2003 Domain Controller.

To check the secure channel, run the NLTEST command:

nltest /sc_verify:domainname

So the issue was that when the TMG Server (Windows Server 2008) communicates with a 2003 Domain Controller, it tries to use AES encryption, while 2003 supports DES, so the negotiation fails. With a 2008 DC, the encryption type was accepted.

To fix the issue, we had three options:

1. Upgrade all DCs to 2008.

2. Create a new AD site and place the TMG servers and 2008 R2 DCs in that site.

3. On the TMG Server, which is a 2008 R2 machine, enable the encryption types that are accepted by 2003 DCs.

Procedure to enable encryption types on Windows Server 2008 R2:
1. Start > Gpedit, which opens the local policy. Locate the following location:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
2. Click to select the Network security: Configure encryption types allowed for Kerberos option.
3. Click to select Define these policy settings, and select the check boxes for the encryption types.
4. Click OK. Close Gpedit.
5. Reboot the server.

Note: The policy sets the SupportedEncryptionTypes registry entry to a value of 0x7FFFFFFF. The SupportedEncryptionTypes registry entry is at the following location:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\parameters\
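
To confirm which encryption types the policy value actually enables, the following added example (not part of the original post) decodes the bitmask and then reads the entry from the location above. The bit-to-name mapping is the standard Kerberos supported-encryption-types flag layout matching the policy's check boxes; the function name ConvertFrom-KerberosEtypeMask is hypothetical.

```powershell
# Added example: decode the Kerberos SupportedEncryptionTypes policy value.
# Written to run on the PowerShell 2.0 that ships with Windows Server 2008 R2.
# Bit values follow the check boxes of the policy
# "Network security: Configure encryption types allowed for Kerberos".
$EtypeBits = @(
    @{ Name = 'DES_CBC_CRC';             Bit = 0x1 },
    @{ Name = 'DES_CBC_MD5';             Bit = 0x2 },
    @{ Name = 'RC4_HMAC_MD5';            Bit = 0x4 },
    @{ Name = 'AES128_HMAC_SHA1';        Bit = 0x8 },
    @{ Name = 'AES256_HMAC_SHA1';        Bit = 0x10 },
    @{ Name = 'Future encryption types'; Bit = 0x7FFFFFE0 }
)

function ConvertFrom-KerberosEtypeMask {
    param([Parameter(Mandatory = $true)][int]$Mask)
    foreach ($e in $EtypeBits) {
        # An entry counts as enabled only if all of its bits are set in the mask.
        New-Object PSObject -Property @{
            EncryptionType = $e.Name
            Enabled        = (($Mask -band $e.Bit) -eq $e.Bit)
        } | Select-Object EncryptionType, Enabled
    }
}

# 1) Decode the value quoted in the note (every check box selected, DES included).
ConvertFrom-KerberosEtypeMask -Mask 0x7FFFFFFF | Format-Table -AutoSize

# 2) Decode what is actually configured on this server.
$key  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\parameters'
$prop = Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    # Missing key or value means the policy is not defined on this machine.
    Write-Output 'SupportedEncryptionTypes is not set: the policy is not defined.'
} else {
    $mask = [int]$prop.SupportedEncryptionTypes
    Write-Output ('SupportedEncryptionTypes = 0x{0:X8}' -f $mask)
    ConvertFrom-KerberosEtypeMask -Mask $mask | Format-Table -AutoSize
}
```

Running it before and after the reboot in step 5 shows whether the policy change took effect, and makes it easy to see which of the older encryption types can be cleared again once no 2003 DCs remain.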

Ref: http://support.microsoft.com/kb/977321

**Junaid Ahmad Jan - Forefront Edge Team**