Windows Server Forum / IIS / IIS Security / March 2007

Windows Integrated Authentication and Kerberos

Andrey Nepomnyaschih - 21 Mar 2007 13:46 GMT
Hello,

I'm having problems setting up Kerberos authentication. No matter what I do,
the client always tries to use the NTLM package.

Well, I have an IIS server on a member server. The Default Web Site has only
the "Integrated Windows authentication" box checked. Internet Explorer has the
"Enable Integrated Windows Authentication" option enabled, but when I try to
access a page on this site, the client is authenticated using NTLM.

OK, here is what I have done so far.
- The computer account for the member server has the "Trust this computer
for delegation to any service (Kerberos only)" option enabled in Active
Directory.
- It doesn't matter whether the application pool runs under the NETWORK
SERVICE account or under a correctly configured domain account.
   By a correctly configured domain account I mean an account which has the
"Trust this computer for delegation to any service (Kerberos only)" option
enabled in Active Directory and has SPN records set up like this:

       setspn -A http/host DOMAIN\ACCOUNT
       setspn -A http/host.domain.tld DOMAIN\ACCOUNT

- I removed NTLM from the list by running cscript adsutil.vbs set
w3svc/WebSite/root/NTAuthenticationProviders "Negotiate".

But whenever I try to access the page, the Security log shows the following
message:

Successful Network Logon:
 User Name: nas
 Domain:  DOMAIN
 Logon ID:  (0x0,0x2F4638)
 Logon Type: 3
 Logon Process: NtLmSsp
 Authentication Package: NTLM
 Workstation Name: IT-NAS-W571A
 Logon GUID: -
 Caller User Name: -
 Caller Domain: -
 Caller Logon ID: -
 Caller Process ID: -
 Transited Services: -
 Source Network Address: 192.168.1.196
 Source Port: 1996

Does anyone have a clue why this can happen?

Have a good time
Andrey Nepomnyaschih
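The Security log excerpt above is the decisive evidence: "Logon Process: NtLmSsp" with "Authentication Package: NTLM" means Negotiate settled on NTLM, whereas a Kerberos logon shows "Kerberos" in both fields. The following script is an added example, not code from the thread, that parses Windows 2000/2003 "Successful Network Logon" event text and flags NTLM network logons. The first sample event is the one quoted in the post; the second, showing the Kerberos case, is constructed here (its Logon ID, GUID and port are invented).

```python
"""Classify Windows 2000/2003 'Successful Network Logon' security-log events
by the authentication package they used, so you can tell at a glance whether
a web client got a Kerberos ticket or fell back to NTLM."""
import re
from typing import Dict, List

# Constructed sample input. The first event is the one quoted in the thread;
# the second is made up here to show what the same logon looks like when
# Negotiate actually picks Kerberos (Logon ID, GUID and port are invented).
SAMPLE_LOG = """\
Successful Network Logon:
 User Name: nas
 Domain:  DOMAIN
 Logon ID:  (0x0,0x2F4638)
 Logon Type: 3
 Logon Process: NtLmSsp
 Authentication Package: NTLM
 Workstation Name: IT-NAS-W571A
 Logon GUID: -
 Source Network Address: 192.168.1.196
 Source Port: 1996

Successful Network Logon:
 User Name: nas
 Domain:  DOMAIN
 Logon ID:  (0x0,0x2F5A10)
 Logon Type: 3
 Logon Process: Kerberos
 Authentication Package: Kerberos
 Workstation Name: -
 Logon GUID: {11111111-2222-3333-4444-555555555555}
 Source Network Address: 192.168.1.196
 Source Port: 2001
"""

EVENT_HEADER = "Successful Network Logon"
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split Event Viewer text into one dict per event, keyed by field name."""
    events: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith(EVENT_HEADER):
            current = {"Event": EVENT_HEADER}
            events.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current:
            current[m.group(1).strip()] = m.group(2).strip()
    return events


def auth_package(event: Dict[str, str]) -> str:
    """Return 'Kerberos', 'NTLM' or 'Other' for one parsed event.

    Both fields are checked: 'Logon Process: NtLmSsp' together with
    'Authentication Package: NTLM' is the NTLM signature, while a Kerberos
    logon shows 'Kerberos' in both."""
    pkg = event.get("Authentication Package", "").upper()
    proc = event.get("Logon Process", "").upper()
    if pkg == "KERBEROS" or proc == "KERBEROS":
        return "Kerberos"
    if pkg == "NTLM" or proc == "NTLMSSP":
        return "NTLM"
    return "Other"


def ntlm_fallbacks(text: str, logon_type: str = "3") -> List[Dict[str, str]]:
    """Network (type 3) logons that used NTLM: the symptom reported in the thread."""
    return [
        e for e in parse_events(text)
        if e.get("Logon Type") == logon_type and auth_package(e) == "NTLM"
    ]


if __name__ == "__main__":
    for e in ntlm_fallbacks(SAMPLE_LOG):
        print(f"NTLM fallback: {e['Domain']}\\{e['User Name']} "
              f"from {e['Source Network Address']} ({e['Workstation Name']})")
```

Run it against text saved from Event Viewer (or a dump of the Security log) while reproducing the problem from the client; if every logon from the client's address comes back as NTLM, the client never presented a Kerberos ticket, which is exactly what the packet capture later in the thread confirms.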
Ken Schaefer - 22 Mar 2007 01:25 GMT
Hi,

a) IE will only attempt Kerberos authentication if the site is in the
Intranet security zone. If you are accessing the site as
http://www.somesite.tld, then it is not in the Intranet security zone by
default.

b) Ensure that you don't have duplicate SPNs (the same SPN registered under
multiple accounts in AD). That will cause Kerberos auth to fail.

Cheers
Ken

Andrey Nepomnyaschih - 22 Mar 2007 15:12 GMT
Hi, Ken.

Thanks for your answer, but I forgot to mention that. Yes, the server is
listed in the "Intranet Zone", and the Intranet Zone has the option to
automatically send the username and password to sites in the zone.

Well, I tried to capture packets using Ethereal, and the findings are that
the client doesn't even consider using Kerberos. It uses NEGOTIATE and falls
back to NTLM, and during that it does not contact the KDC for a service ticket.
Does anyone know how to address that?

Best Regards,
Andrey Nepomnyaschih

Ken Schaefer - 24 Mar 2007 13:35 GMT
Hi,

a) In Internet Explorer -> Tools -> Options -> Advanced, verify that "Enable
Integrated Windows Authentication (requires a restart)" is enabled. This is
required to be checked for Kerberos to be used (NTLM works without that
being checked).

b) Check for duplicate SPNs; that will cause Kerberos to fail. You cannot
have the same SPN registered under multiple machine/user accounts in AD.

Cheers
Ken
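Ken's point b) is easy to verify mechanically. The script below is an added example, not code from the thread: it parses a listing in the layout that "setspn -L <account>" prints, reports any SPN registered on more than one account (comparison is case-insensitive, as AD treats SPNs), and checks whether a given account carries the http/ SPNs for both the short name and the FQDN, counting a HOST/<name> SPN as covering http/<name> because the default sPNMappings attribute aliases http to HOST. The listing, account names and DNs are constructed for the example; http/websrv.domain.tld is deliberately registered on two accounts to trigger the duplicate.

```python
"""Check SPN registrations for the two things this thread turns on: an SPN
registered under more than one account (Kerberos fails) and the http/ SPNs
the IIS application-pool identity needs being absent from it."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample in the layout 'setspn -L <account>' prints, one account
# after another. Names and DNs are invented; http/websrv.domain.tld is
# deliberately registered on both the computer account and the service
# account to produce the duplicate Ken warns about.
SETSPN_DUMP = """\
Registered ServicePrincipalNames for CN=WEBSRV,CN=Computers,DC=domain,DC=tld:
        HOST/WEBSRV
        HOST/websrv.domain.tld
        HTTP/websrv.domain.tld
Registered ServicePrincipalNames for CN=svc_iis,CN=Users,DC=domain,DC=tld:
        http/websrv
        http/websrv.domain.tld
"""

HEADER_RE = re.compile(r"^Registered ServicePrincipalNames for (.+):\s*$")

# Service classes the default sPNMappings attribute aliases to HOST, so a
# HOST/<name> SPN already satisfies a request for http/<name>. Only the
# class relevant to this thread is listed.
HOST_COVERED_CLASSES = {"http"}


def parse_setspn_output(text: str) -> Dict[str, List[str]]:
    """Map each account DN to the SPNs listed under it."""
    spns: Dict[str, List[str]] = {}
    account = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            account = m.group(1)
            spns.setdefault(account, [])
            continue
        spn = line.strip()
        if spn and account is not None:
            spns[account].append(spn)
    return spns


def normalize_spn(spn: str) -> str:
    """SPN matching is case-insensitive in AD; fold case, keep any port/instance."""
    return spn.strip().lower()


def find_duplicate_spns(spns: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {spn: [accounts]} for every SPN registered on more than one account."""
    owners = defaultdict(set)
    for account, names in spns.items():
        for spn in names:
            owners[normalize_spn(spn)].add(account)
    return {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}


def missing_spns(account_spns: List[str], short_name: str, fqdn: str,
                 service_class: str = "http") -> List[str]:
    """SPNs (short and FQDN form) the account lacks, after HOST/ aliasing.

    The account to check is whichever identity the application pool runs as:
    the computer account for NETWORK SERVICE, the domain user otherwise."""
    have = {normalize_spn(s) for s in account_spns}
    missing = []
    for host in (short_name, fqdn):
        want = normalize_spn(f"{service_class}/{host}")
        alias = normalize_spn(f"HOST/{host}")
        covered = want in have or (
            service_class.lower() in HOST_COVERED_CLASSES and alias in have)
        if not covered:
            missing.append(want)
    return missing


if __name__ == "__main__":
    registrations = parse_setspn_output(SETSPN_DUMP)
    for spn, accounts in find_duplicate_spns(registrations).items():
        print(f"DUPLICATE {spn}: " + "; ".join(accounts))
    for account, names in registrations.items():
        gaps = missing_spns(names, "websrv", "websrv.domain.tld")
        print(f"{account}: missing {gaps or 'nothing'}")
```

To use it on a real domain, concatenate the output of "setspn -L" for the computer account and for every service account that might carry http/ SPNs for the host, then feed the file to parse_setspn_output. Resolve any duplicate by deleting the SPN from the account that does not run the application pool (setspn -D), and check the remaining account with missing_spns.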

©2010 Advenet LLC   Privacy Policy - Terms of Use