Article ID: 2360265 - View products that this article applies to.
In a scenario where you are trying to perform Kerberos delegation from a middle-tier server to a back-end server, in an environment where Read-Only Domain Controllers (RODCs) exist with Windows Server 2003 Domain Controllers, delegation may fail.
Consider the following scenario:
In this scenario Kerberos delegation may fail with error KRB_AP_ERR_BAD_INTEGRITY.
In the above scenario, if the client receives a ticket for the middle-tier server from the RODC, the ticket will be protected with a krbtgt account that is specific to the branch the RODC is a member of. The branch specific krbtgt account was introduced in Windows Server 2008 for the use of RODCs. The client will provide that ticket to the middle-tier server for authentication. When the middle-tier server decides it needs to impersonate the client to access the back-end server, it will make a ticket request for the back-end server supplying the forwarded ticket the client provided. If the middle-tier server requests the ticket from a Windows Server 2003 Kerberos Key Distribution Center (KDC), the Windows Server 2003 KDC will fail to decrypt the ticket. This is because the Windows Server 2003 KDC tries to use the standard krbtgt account to decrypt the ticket though the ticket was protected using the branch specific krbtgt account. Since Windows Server 2003 has no knowledge of the use of the branch specific krbtgt account it will fail the request.
Windows Server 2008 or later DCs support detecting which krbtgt account was used and will decrypt the ticket using the appropriate keys.
To resolve this issue, choose one of the following options:
For more information about RODCs, see the Read-Only Domain Controller (RODC) Planning and Deployment Guide (http://go.microsoft.com/fwlink/?LinkID=135993
(http://go.microsoft.com/fwlink/?LinkId=151500)for other considerations.
Article ID: 2360265 - Last Review: August 23, 2010 - Revision: 2.0