Forcing Kerberos authentication in IIS6?

From: Al Blake (al_at_blakes.net)
Date: 05/28/04


Date: 27 May 2004 23:15:25 -0700

I have two Windows 2003 servers running IIS6. One is the production
server, one is the test server.
I have developed an ASP.NET app on the test server that requires
Kerberos authentication and *works perfectly*. I have transferred it
to the production server and it doesn't work - on closer investigation
I discover that the login to the production server is using
NTLM... which makes my Kerberos-based app fall over.
Now I thought Kerberos was the default for IIS6 and NTLM the fallback?
I am using the same workstation and browser (XP/IE6) to connect to
both servers, yet I get a different result when I check in the system
event log.
Test server - shows login success with Kerberos
Prod server - shows login success with NTLM

There ARE successful Kerberos logins on the production server - but
these ONLY seem to be for connections between the Prod server and the
DCs. *All* the user (browser) logins are being passed off to NTLM.
Why?

Is the problem in IIS?
I have run netdiag and there are no errors in the Kerberos subsystem.
I have also run
  cscript adsutil.vbs set w3svc/NTAuthenticationProviders "Negotiate,NTLM"
and
  setspn -A HTTP/servername.domain NETBIOSNAME

None of this makes any difference - the production server still
insists on authenticating with Kerberos.

Why?
Anyone got any tips as I have been fighting this for a week!

Al Blake, Canberra, Australia
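
Besides the logon events compared in the post, the protocol a browser actually used can be read from the `Authorization: Negotiate` header in an HTTP trace, since that header may carry either a Kerberos ticket or an NTLM message. The following is an added example, not part of the original post: a heuristic classifier for such header values. The function and constant names are hypothetical and the sample tokens are constructed, abbreviated byte strings rather than captured traffic.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"                          # start of every NTLM message
OID_SPNEGO = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
KRB5_AP_REQ = OID_KRB5 + b"\x01\x00"                  # krb5 OID + AP-REQ token id
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_authorization(header_value):
    """Return (mechanism, detail) for one HTTP Authorization header value.

    Heuristic byte matching, not a full ASN.1/SPNEGO parser.
    """
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return ("other", f"scheme {scheme}")
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return ("invalid", "token is not valid base64")
    wrapped = token[:1] == b"\x60" and OID_SPNEGO in token[:16]
    # Check for NTLM first: an SPNEGO token can advertise the Kerberos OID
    # in its mechanism list and still carry an NTLM message.
    pos = token.find(NTLMSSP_SIG)
    if pos != -1:
        msg_type = int.from_bytes(token[pos + 8:pos + 12], "little")
        kind = "SPNEGO-wrapped" if wrapped else "raw"
        return ("NTLM", f"{kind} NTLMSSP {NTLM_TYPES.get(msg_type, 'unknown')}")
    if KRB5_AP_REQ in token:
        return ("Kerberos", "SPNEGO with AP-REQ" if wrapped else "bare krb5 AP-REQ")
    return ("unknown", f"{len(token)} bytes, no known signature")


def _gss(body):
    """Wrap body in a GSS-API [APPLICATION 0] header (short-form length only)."""
    return b"\x60" + bytes([len(body)]) + body


# Constructed sample tokens (abbreviated, not captured traffic).
SAMPLE_NTLM = base64.b64encode(NTLMSSP_SIG + (1).to_bytes(4, "little") + bytes(4)).decode()
SAMPLE_KRB = base64.b64encode(_gss(OID_SPNEGO + _gss(KRB5_AP_REQ))).decode()

if __name__ == "__main__":
    for value in ("Negotiate " + SAMPLE_NTLM, "Negotiate " + SAMPLE_KRB):
        print(classify_authorization(value))
```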
