Re: PROBLEMS with AuthenticationType being NTLM and Negotiate

From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 08/25/05


Date: Thu, 25 Aug 2005 05:21:08 -0700

Hello tepe.hughes@gmail.com,

To access remote Active Directory using impersonated credentials, delegation
has to be enabled for both web servers. This is done in Active Directory Users
and Computers. Select the "Trust this Computer for Delegation" check box.

Another important part is that the authentication between browser and web
server has to be done via Kerberos. Have a look in the security event log
on your servers, you should see logon events for the client running the browser.
The authentication package has to be Kerberos. If you see NTLM, this can
have various reasons.

Also check out Keith's new article in msdnmag:
http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> I have two webservers running the same aspx pages. (The webpage allows
> Active Directory Editing).
>
> These pages run fine on the 1st server but not on the second server
> (it errors with Logon failure: unknown user name or bad password).
>
> The web.config file (on both servers) has these options set
>
> authentication mode="Windows"
> deny users="?"
> identity impersonate="true"
>
> After some looking around the only difference I can see between the
> two servers is that the 1st server reports that
> Page.User.Identity.AuthenticationType is "NTLM" while the 2nd
> server reports "Negotiate".
> Both servers are in the same domain, as far as I can tell both IIS
> settings are the same.
>
> Can anyone help me out?
>
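The security event log check described in the reply above can be scripted. This is an added example, not part of the original post; it assumes a current Windows Server where a successful logon is recorded as Security event 4624 (the post gives no event ID), and `$Hours` is a hypothetical parameter.

```powershell
# Added example: summarise network logons on a web server by authentication package.
# Assumption: successful logons are Security event 4624 (Windows Server 2008 and later).
# Run from an elevated prompt on each web server and compare the results.
param(
    [int]$Hours = 1   # hypothetical parameter: how far back to search
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-$Hours)
}

$logons = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the event's <EventData> name/value pairs into a hashtable
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # LogonType 3 is a network logon, which is what a browser
        # authenticating to IIS produces on the web server
        if ($data['LogonType'] -eq '3') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                Source  = $data['IpAddress']
                Package = $data['AuthenticationPackageName']   # Kerberos or NTLM
                Process = $data['LogonProcessName']
            }
        }
    }

# Count of network logons per authentication package
$logons | Group-Object Package | Select-Object Name, Count | Format-Table -AutoSize

# Most recent NTLM logons: these are the clients that did not use Kerberos
$logons | Where-Object Package -eq 'NTLM' |
    Sort-Object Time -Descending |
    Select-Object -First 20 |
    Format-Table -AutoSize
```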