Hi,
I have this scenario:
1) SharePoint is in the internal network
2) I have written a simple application, which gives me the state of the authentication protocol (e.g. Kerberos) and the impersonation state (e.g. Impersonation, Delegation). I have configured delegation, SPNs, all works fine: If I access the site, it says:
Kerberos with Delegation
Now we come to the TMG:
1) I have published the SharePoint-Site with TMG2010 using FBA (of course)
2) I have the publishing rule configured to use constrained delegation and I have done the necessary configuration in AD => enabled the TMG's computer account for constrained delegation and configured the SharePoint's SPN
If I access the published SharePoint-Site and look for the status with my tiny little app, it says: Kerberos with impersonation. I expected to see Kerberos with delegation.
To make it more clear:
The scenario is like this:
User ---> TMG ---> SharePoint ---> Database
1) user authenticates to TMG
2) TMG delegates the credentials to SharePoint
3) and NOW: SharePoint needs to delegate the credentials to the database-server
It seems to me that the ticket provided by the TMG does not have the ok_as_delegate flag.
But I cannot see the problem.
Perhaps my planned scenario is not possible?
Any ideas?
Uli
Ulrich Boddenberg
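The chain described in the post has two delegation hops (TMG -> SharePoint and SharePoint -> SQL Server), and each hop is governed by the AD settings of the account doing the delegating: its msDS-AllowedToDelegateTo list must contain the next hop's SPN, and, where the front end did not receive a Kerberos ticket from the client (TMG with FBA), the account additionally needs the TRUSTED_TO_AUTH_FOR_DELEGATION bit ("Use any authentication protocol"). The following PowerShell script is an added diagnostic, not code from the original post or from Microsoft; it reads those settings via ADSI for both hops. The account names ('TMG01$', 'svc-spweb'), the SPNs and the domain names are placeholders and assumptions for illustration.

```powershell
# Added diagnostic example (not from the original post): report the Kerberos constrained
# delegation settings of each account in the chain TMG -> SharePoint -> SQL Server.
# Account names, SPNs and host names below are placeholders; adjust them to your environment.

$TRUSTED_FOR_DELEGATION         = 0x80000     # userAccountControl bit: unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # userAccountControl bit: "Use any authentication protocol" (protocol transition)

function Get-DelegationInfo {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName   # e.g. 'TMG01$' (computer) or 'svc-spweb' (service account)
    )
    # Default DirectorySearcher searches the domain of the current user.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(sAMAccountName=$SamAccountName)"
    $null = $searcher.PropertiesToLoad.AddRange(
        @('userAccountControl', 'msDS-AllowedToDelegateTo', 'servicePrincipalName', 'distinguishedName'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account '$SamAccountName' not found in the current domain." }

    $uac = [int]$result.Properties['useraccountcontrol'][0]
    [pscustomobject]@{
        Account             = $SamAccountName
        DistinguishedName   = $result.Properties['distinguishedname'][0]
        Unconstrained       = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
        ProtocolTransition  = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
        AllowedToDelegateTo = @($result.Properties['msds-allowedtodelegateto'])   # empty if the attribute is not set
        OwnSPNs             = @($result.Properties['serviceprincipalname'])
    }
}

function Test-DelegationHop {
    param(
        [Parameter(Mandatory)] [string] $FrontEndAccount,   # account that forwards the user's identity
        [Parameter(Mandatory)] [string] $TargetSpn,         # SPN of the service it delegates to
        [switch] $RequireProtocolTransition                 # set when the front end authenticated the user without Kerberos (e.g. TMG FBA)
    )
    $info = Get-DelegationInfo -SamAccountName $FrontEndAccount
    $problems = @()
    if ($info.AllowedToDelegateTo -notcontains $TargetSpn) {
        $problems += "'$TargetSpn' is not listed in msDS-AllowedToDelegateTo of $FrontEndAccount"
    }
    if ($RequireProtocolTransition -and -not $info.ProtocolTransition) {
        $problems += "$FrontEndAccount lacks TRUSTED_TO_AUTH_FOR_DELEGATION ('Use any authentication protocol')"
    }
    [pscustomobject]@{
        Hop      = "$FrontEndAccount -> $TargetSpn"
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
        Settings = $info
    }
}

# Hop 1: TMG computer account -> SharePoint. TMG authenticated the user with FBA, so it must be
# allowed to use protocol transition (S4U2Self + S4U2Proxy) to obtain a ticket for SharePoint.
Test-DelegationHop -FrontEndAccount 'TMG01$' -TargetSpn 'HTTP/portal.contoso.com' -RequireProtocolTransition

# Hop 2: SharePoint application pool account -> SQL Server. SharePoint received a Kerberos ticket from
# TMG, so only the SPN entry is strictly required here; the switch can be added to compare both settings.
Test-DelegationHop -FrontEndAccount 'svc-spweb' -TargetSpn 'MSSQLSvc/sql01.contoso.com:1433'
```

Run it on a domain-joined machine as a user with read access to the two accounts. Each call returns one object per hop with Ok, the list of Problems found, and the raw Settings, so the second hop (SharePoint's application pool account to the MSSQLSvc SPN), which the post's TMG-side configuration does not cover, can be checked with the same command as the first.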