Server 2008 firewall causing problems with Kerberos
I have a problem trying to get Kerberos authentication and delegation to work with my MOSS 2007 installation on a Windows Server 2008 VM. I use Virtual Server 2005 R2 SP1 to host the VM on Vista Ultimate 64-bit. This is a development environment. My domain controller is Windows Small Business Server 2003 Premium R2.

So, I never had a problem with this until some recent Patch Tuesday update that enabled the Server 2008 firewall by default. I always apply the latest patches to all three machines, including the VM. When I disable the Server 2008 firewall, Kerberos authentication works just fine. I log on to the MOSS 2007 Central Admin website from the Vista PC, and my credentials flow from the Vista PC to the Server 2008 VM, which delegates my credentials to SBS, where I host the SQL 2005 instance for MOSS 2007.

I tried building inbound and outbound rules for the standard Kerberos TCP ports on the Server 2008 VM, allowing connections, but it did not help. So, what I've done now is, I've disabled the Server 2008 firewall for the Domain Profile. The Server 2008 firewall is enabled for the Private and Public profiles. This works; Kerberos now functions flawlessly.

What I would like to know is, does the Server 2008 firewall properly block inbound connections from the Internet since the firewall is enabled for the Public and Private profiles, or does it treat all traffic routed through SBS - even those originating from the Internet - as from within my domain? What do these Profiles really mean?

Thanks.
August 13th, 2008 2:27am

Hello,

Profiles are the location types in the Windows Server 2008 and Windows Vista firewall. Each network is assigned a location that identifies its type. Windows Firewall with Advanced Security can enforce different policies (rules) based on the locations of the networks to which the computer is currently connected. There are three categories of networks in Windows Vista and Windows Server 2008.

Domain (restrictive): The Windows operating system automatically identifies networks on which the computer can authenticate access to a domain controller for the domain to which the computer is joined. No other networks can be placed in this location.

Public (most restrictive): With the exception of domain networks, all networks are initially categorized as public. Networks that represent direct connections to the Internet or are in public places, such as airports and coffee shops, should be left public.

Private (more restrictive): A network will be categorized as private only if a user or application designated it as private. Only networks located behind a private gateway device should be designated as private networks. Users will likely want to designate home or small business networks as private.

Only one profile can be active at a time on Windows Vista and Windows Server 2008. If there are two network interfaces live in the system and one of them is on the domain while the other is on a public network, the public firewall profile will be applied to both. Profile order is applied as follows:

1. If all interfaces are authenticated to the domain controller for the domain of which the computer is a member, the domain profile is applied.
2. If all interfaces are either authenticated to the domain controller or are connected to networks that are classified as private network locations, the private profile is applied.
3. Otherwise, the public profile is applied.

In this issue, because the Windows Server 2008 is directly connected to the Domain Controller, a domain profile is applied.
To verify the exact network traffic that is blocked by the Windows Server 2008 firewall, please enable the Windows Firewall Audit Events on the Windows Server 2008 and then reproduce the issue.

1. Restore the default settings in the domain profile.

2. In the command prompt, type the following command. You can copy and paste this command into the Command Prompt window:

auditpol.exe /set /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /success:enable /failure:enable

3. Restart the Windows Firewall service by typing the following commands, ending each by pressing ENTER:

net stop MPSSVC
net start MPSSVC

4. On another computer, try to authenticate the user on the Windows Server 2008 and then verify the event log in the Event Log--->Security.

5. What specific traffic is blocked by the Windows Firewall?

To get a whole Windows Firewall audit event list, you may refer to:

947226 Description of security events in Windows Vista and in Windows Server 2008
http://support.microsoft.com/kb/947226

=========================

For your reference:

Network Location-Aware Host Firewall
http://technet2.microsoft.com/windowsserver2008/en/library/e26edbae-8458-4a22-9835-6ec3f1c8f57a1033.mspx

Managing the Windows Vista Firewall
http://technet.microsoft.com/en-us/magazine/cc510323(TechNet.10).aspx

Enable IPsec and Windows Firewall Audit Events
http://technet.microsoft.com/en-us/library/cc754714.aspx

Hope it helps.
August 19th, 2008 12:57pm
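The answer's audit-and-inspect procedure, scripted in PowerShell as an added example (not code from the thread): it enables the same audit subcategories, restarts the firewall service, reports the active profile, and then summarises the Windows Filtering Platform drop events from the Security log so blocked Kerberos traffic stands out. It assumes an elevated session on the Server 2008 VM with PowerShell 2.0 or later installed, and that the Kerberos ports of interest are TCP/UDP 88 and 464.

```powershell
# Added example, not from the thread. Run elevated on the Windows Server 2008 VM;
# assumes PowerShell 2.0 or later (for Get-WinEvent) is installed.

# Steps 2-3 of the answer: enable success/failure auditing for the firewall and
# Windows Filtering Platform (WFP) subcategories, then restart the firewall service.
$subcategories = 'MPSSVC rule-level Policy Change', 'Filtering Platform policy change',
    'IPsec Main Mode', 'IPsec Quick Mode', 'IPsec Extended Mode', 'IPsec Driver',
    'Other System Events', 'Filtering Platform Packet Drop', 'Filtering Platform Connection'
foreach ($s in $subcategories) {
    auditpol.exe /set /subcategory:"$s" /success:enable /failure:enable
}
Restart-Service MpsSvc -Force

# Confirm which profile the VM is applying right now (Domain, Private or Public).
netsh advfirewall show currentprofile

# Steps 4-5: after reproducing the failed logon from the Vista client, collect the
# drop events. 5152 = Filtering Platform Packet Drop, 5157 = Filtering Platform
# Connection (blocked). Kerberos uses both TCP and UDP on 88 (KDC) and 464 (kpasswd).
$kerberosPorts = 88, 464
$drops = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152, 5157 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        $dir = 'Outbound'                                        # %%14593 = Outbound
        if ($data['Direction'] -eq '%%14592') { $dir = 'Inbound' }
        New-Object PSObject -Property @{
            Time        = $_.TimeCreated
            EventId     = $_.Id
            Direction   = $dir
            Protocol    = $data['Protocol']        # 6 = TCP, 17 = UDP
            Source      = $data['SourceAddress'] + ':' + $data['SourcePort']
            Destination = $data['DestAddress'] + ':' + $data['DestPort']
            DestPort    = [int]$data['DestPort']
            Application = $data['Application']
            FilterId    = $data['FilterRTID']       # resolve with: netsh wfp show filters
        }
    }

# Blocked traffic touching the Kerberos ports, oldest first, then a count of all drops
# by direction/protocol/port so blocked HTTP, SQL or RPC traffic is not overlooked.
$drops | Where-Object { $kerberosPorts -contains $_.DestPort } |
    Sort-Object Time | Format-Table Time, EventId, Direction, Protocol, Source, Destination, Application -AutoSize
$drops | Group-Object Direction, Protocol, DestPort | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The FilterId column identifies the WFP filter that dropped the packet, which is the quickest way to tell a firewall rule block from a profile mismatch.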

Miles: It'll take me a bit of time to reproduce this issue. I've introduced another complexity into this issue by rebuilding my network - all three machines - and I'm now using SQL Server 2008 instead of SQL Server 2005, which is now causing a different set of problems.

I'll be posting back with details.

Thanks.
August 26th, 2008 12:50am
