Some tips on setting up the DelegConfig Tool
Introduction
Brian Murphy-Booth wrote a great tool that has helped thousands of people troubleshoot their way through some tough Kerberos authentication problems. The home page for the tool and its instructions is here: https://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/delegconfig-delegation-configuration-reporting-tool.aspx. I've used DelegConfig a few times and been impressed with its potential. However, it tends to be a bit easier to set up in a plain IIS website than in a SharePoint Web Application. Sometimes web.config files can interfere with its functionality, for example. The net effect is that sometimes DelegConfig version 1 works and version 2 Beta doesn't, and other times it is the other way around. So I tend to "install" both versions.
Here are the steps I use.
Download and Unzip
Download DelegConfig2 Beta from https://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1887 to the web server and save it under C:\inetpub\wwwroot\DelegConfig2\.
Unzip it to C:\inetpub\wwwroot\DelegConfig2.
(You can save it anywhere you like, but permissions tend to be set up well in wwwroot. You may have to adjust NTFS permissions there too. Wherever you save it to, try not to save it in or under a folder that has a web.config in it.)
Download DelegConfig 1 from https://www.iis.net/community/default.aspx?tabid=34&g=6&i=1434 to the web server and save it under C:\inetpub\wwwroot\DelegConfig1.
Unzip it to C:\inetpub\wwwroot\DelegConfig1.
Open the IIS manager and drill down into the website you're troubleshooting your Kerberos problem on. (If you're just testing the tool out, just make sure the site you choose has Windows Authentication set.)
Create two applications in IIS
Right-click the web site and select Add Application. (Steps are almost identical for both IIS 6.0 and IIS 7.x.)
Make the first application for DelegConfig2 and give it the path of C:\inetpub\wwwroot\DelegConfig2\kerberos.
Also ensure that this application is assigned to the same application pool as the other application you're troubleshooting.
You should see Default.aspx in this virtual directory. (In IIS 7.x you'll have to click on "Content View" to see it, however.)
Add another application to the same website for DelegConfig1 and point it to C:\inetpub\wwwroot\DelegConfig1\Kerberos.
Adjust NTFS Permissions?
From Windows Explorer, adjust NTFS permissions on the DelegConfig1 and DelegConfig2 folders if needed. The users who will browse to the page need to have Read and Execute permissions.
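The IIS Manager and Explorer steps above can also be scripted on IIS 7.x and later. The script below is an added example, not part of the original post or of DelegConfig itself; the site name, the application aliases and the reader group are assumed placeholders, while the physical paths are the ones used in the steps above.

```powershell
# Added example; site name, aliases and group are placeholders, not values from the article.
param(
    [string]$SiteName    = 'Default Web Site',   # assumed: the site being troubleshot
    [string]$ReaderGroup = ''                     # optional, e.g. 'CONTOSO\KerbTesters' (placeholder)
)
Import-Module WebAdministration

# Physical paths as given in the steps above; the aliases are assumed names.
$apps = @{
    'DelegConfig2' = 'C:\inetpub\wwwroot\DelegConfig2\kerberos'
    'DelegConfig1' = 'C:\inetpub\wwwroot\DelegConfig1\Kerberos'
}

# Reuse the application pool of the site under test so the tool runs as the same identity.
$pool = (Get-Item "IIS:\Sites\$SiteName").applicationPool

# The site hosting the tool needs Windows Authentication, as noted in the steps above.
$winAuth = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled
if (-not $winAuth.Value) { Write-Warning "Windows Authentication is not enabled on '$SiteName'." }

foreach ($alias in $apps.Keys) {
    $path = $apps[$alias]
    if (-not (Test-Path (Join-Path $path 'Default.aspx'))) {
        Write-Warning "Default.aspx not found in $path; unzip the tool first."
        continue
    }
    # Warn about a web.config in any parent folder, which can interfere with the tool.
    $dir = (Get-Item $path).Parent
    while ($dir) {
        if (Test-Path (Join-Path $dir.FullName 'web.config')) {
            Write-Warning "web.config found in $($dir.FullName); it may interfere with $alias."
        }
        $dir = $dir.Parent
    }
    # Create the application only if it does not exist yet, in the same pool as the site.
    if (-not (Get-WebApplication -Site $SiteName -Name $alias)) {
        New-WebApplication -Site $SiteName -Name $alias -PhysicalPath $path -ApplicationPool $pool | Out-Null
    }
    # Grant Read & Execute only when a group was supplied ("if needed" in the step above).
    if ($ReaderGroup) { icacls $path /grant "${ReaderGroup}:(OI)(CI)RX" | Out-Null }
}
```

If the application you are troubleshooting runs in a different pool than the site root, pass that pool name to `New-WebApplication` instead of `$pool`.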
Local Browsing Tests
Try browsing locally to the Default.aspx page of both DelegConfig2 and DelegConfig1, just to see if one or both pages serve at all. Hopefully DelegConfig 2 Beta works. If not, settle for DelegConfig 1.
DelegConfig's Default.aspx should look like this:
Remote Workstation Browsing/Testing
To really begin to test out the delegation, browse to the same pages from a remote client.
Browse to the Default.aspx page and click REPORT.
Don't forget to add a backend server to test out delegation. Start by clicking the "Add Back-End Server" button.
Comments
- Anonymous
June 24, 2014
Hi, my problem is: When I try to browse through the DelegConfig2 application I get "That assembly does not allow partially trusted callers"?! What can I do?
- Anonymous
June 25, 2014
Andreas, it sounds like this might be a full-trust versus partial-trust issue. See, for example, 954274 SecurityException when using Microsoft Enterprise Libraries: support.microsoft.com/.../EN-US. One thing that might help is creating a new IIS web site and pathing it to DelegConfig, temporarily stopping the site you're focusing on, giving the new test site the IIS bindings of the main site, and browsing to the new site as if it were the main site. Did that make sense? The main advantage here is that you can avoid complications that web.config files sometimes cause. Make sure it is using the same application pool (or at least the same appPool account). Also make sure that you're using the 2.0 framework for the AppPool, not 4.0 or higher.
- Anonymous
July 11, 2014
Hi Christopher, I'm trying DelegConfig2 to check my Kerberos config on my SharePoint 2013 (on Windows 2012 R2 Server). So I need .NET 4.5 for the AppPool. Mmmh....
- Anonymous
July 11, 2014
At the moment the application works. What have I done? I added this to the web.config file:
<system.webServer>
  <modules>
    <remove name="UrlRoutingModule-4.0" />
    <add name="UrlRoutingModule-4.0" type="System.Web.Routing.UrlRoutingModule" preCondition="" />
    <remove name="Session"/>
    <add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition=""/>
  </modules>
</system.webServer>
Most of the DelegConfig app works now, except the Report.ASPX... :`(
- Anonymous
July 11, 2014
Andreas, did you set the application pool to use the 2.0 framework?
- Anonymous
October 26, 2015
Is it an open source tool? If yes, where can I download the code? Thanks.