RE: Kerberos & NTLM Auth in IIS6
From: Ken Schaefer (Ken_at_adOpenStatic.com)
Date: 06/17/05
Date: Fri, 17 Jun 2005 14:11:19 +1000
To: <focus-ms@securityfocus.com>
In your IIS metabase, what Authentication Providers do you have set? Both
NTLM and Kerberos (Negotiate)? Or just one or the other?
I'm struggling to think why IWA would stop working just because a client
changes from dynamic to static IP address (or vice versa). If the client is
having problems registering an entry in the DNS, and the DNS is AD-integrated
and only allows secure updates, then I think you have other authentication
issues which are then showing up as failures in, say, Kerberos authentication
to your web app.
But let's start by verifying what authentication mechanisms your server is
set to use. Then we can look at what tools we should be using to diagnose the
issue.
Cheers
Ken
--
IIS Stuff: www.adOpenStatic.com/cs/blogs/ken/

: -----Original Message-----
: From: Trevor [mailto:trevor@rottdog.com]
: Sent: Thursday, 16 June 2005 10:35 AM
: To: focus-ms@securityfocus.com
: Subject: RE: Kerberos & NTLM Auth in IIS6
:
: Thanks, though currently we are not using NTLMv2 authentication for RPC
: applications (LMCompatibility is set to Send LM & NTLM). I'm still
: finding this is a hit and miss to get Integrated Auth to work properly
: with clients. One client changed from DHCP which Integrated Auth worked
: fine, to a static IP and it no longer worked (even after removing DNS
: entries from the domain and forcing a registerdns). All other settings
: look fine as to what was previously posted.
:
: The question would be, why does it work for some but not others? That
: is what I'm not understanding at this point.
:
: Thanks,
: Trevor
:
: -----Original Message-----
: From: nobody@nobody.com [mailto:nobody@nobody.com]
: Sent: Wednesday, June 15, 2005 3:53 AM
: To: focus-ms@securityfocus.com
: Subject: Re: Kerberos & NTLM Auth in IIS6
:
: A little known fact regarding NTLMv2 is that only those applications
: that authenticate using the Local Security Authority (LSA) will be
: affected by the LMCompatibility mode setting. That includes file sharing
: and domain logons. A number of applications use the NTLM Security
: Support Provider Interface (NTLMSSP) to authenticate, and there is a
: separate setting to enable NTLMv2 for them. Examples of such
: applications include SQL Server (when using RPC) and many other (secure)
: RPC-based applications. NTLMv2 for NTLMSSP has to be enabled on a given
: machine, both for the machine's functionality as a server and as a
: client. The registry has to be edited to enable NTLMv2 for RPC.
: Edit the registry and set the appropriate keys. These keys do not exist
: by default or are set to 0.
:
: To set NTLMv2 Security on the server side add the following registry
: key. To set NTLMv2 Security on the client (Windows 9x/NT/2000/XP) side
: add the following registry key:
:
: Enable NTLMv2 Authentication for NTLM Security Support Provider
: Interface (NTLMSSP) - mandatory
:
: Server side:
:   Hive:       HKEY_LOCAL_MACHINE
:   Key:        \System\CurrentControlSet\Control\Lsa\MSV1_0\
:   Value Name: NtlmMinServerSec
:   Type:       REG_DWORD
:   Value:      0x00080000
:
: Client side:
:   Hive:       HKEY_LOCAL_MACHINE
:   Key:        \System\CurrentControlSet\Control\Lsa\MSV1_0\
:   Value Name: NtlmMinClientSec
:
: NOTE: Both the client and server side have to be set to work properly.
: When the
: "HKLM\System\CurrentControlSet\control\LSA\LMCompatibilityLevel" does
: not enable a machine to negotiate NTLMv2 authentication, then this
: setting will make certain remote features fail (e.g. mapping of shares).
: So the LMCompatibilityLevel must be set to allow NTLMv2 authentication
: at the same time.
: We were made aware that in cluster solutions the LMCompatibilityLevel
: must be set to "Send LM and NTLM responses only" (see also:
: <http://support.microsoft.com/default.aspx?scid=kb;EN-US;q272129> )
: and that the registry settings above must not be made at all!
: You can find more information about s-RPC at:
: <http://support.microsoft.com/default.aspx?scid=kb;EN-US;q239869>
: and
: <http://support.microsoft.com/default.aspx?scid=kb;EN-US;q147706>
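As an added example (not from this thread), a read-only PowerShell audit of the registry values discussed in the quoted messages, ending with the metabase query that answers Ken's first question. It assumes the documented NtlmMin*Sec flag bits and the default adsutil.vbs path.

```powershell
# Added example: audit LMCompatibilityLevel and the NTLM SSP minimum-security
# values on a Windows host. Read-only; run from an elevated prompt.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = "$lsa\MSV1_0"

# Documented flag bits for NtlmMinClientSec / NtlmMinServerSec (assumed from
# the "Minimum session security for NTLM SSP" policy, not from the thread).
$sspFlags = @{
    0x00000010 = 'Require message integrity'
    0x00000020 = 'Require message confidentiality'
    0x00080000 = 'Require NTLMv2 session security'
    0x20000000 = 'Require 128-bit encryption'
}
$lmLevels = @{
    0 = 'Send LM & NTLM responses (never NTLMv2 session security)'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 only, DC refuses LM'
    5 = 'Send NTLMv2 only, DC refuses LM & NTLM'
}

function Get-RegDword([string]$Path, [string]$Name) {
    # A missing value behaves like 0, as the quoted note says these keys do by default
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 } else { return [int]$item.$Name }
}

$lmLevel   = Get-RegDword $lsa   'LMCompatibilityLevel'
$clientSec = Get-RegDword $msv10 'NtlmMinClientSec'
$serverSec = Get-RegDword $msv10 'NtlmMinServerSec'

"LMCompatibilityLevel = $lmLevel ($($lmLevels[$lmLevel]))"
foreach ($pair in @(@('NtlmMinClientSec', $clientSec), @('NtlmMinServerSec', $serverSec))) {
    $name, $value = $pair
    $set = $sspFlags.Keys | Where-Object { ($value -band $_) -ne 0 } | ForEach-Object { $sspFlags[$_] }
    "{0} = 0x{1:X8} [{2}]" -f $name, $value, ($set -join '; ')
}

# The inconsistency the quoted note warns about: NTLMv2 session security is
# demanded by the SSP value(s) while level 0 never negotiates it, so RPC and
# share access involving this host can fail.
$v2 = 0x00080000
if ((($clientSec -bor $serverSec) -band $v2) -and $lmLevel -eq 0) {
    Write-Warning 'NtlmMin*Sec requires NTLMv2 session security but LMCompatibilityLevel is 0.'
}
if ((($clientSec -band $v2) -ne 0) -ne (($serverSec -band $v2) -ne 0)) {
    Write-Warning 'Only one of NtlmMinClientSec/NtlmMinServerSec requires NTLMv2; the note says to set both.'
}
# Ken's question: which providers IIS 6 offers (default adsutil.vbs location assumed)
cscript C:\Inetpub\AdminScripts\adsutil.vbs get w3svc/NTAuthenticationProviders
```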