Forcing Kerberos authentication in IIS6?
From: Al Blake (al_at_blakes.net)
Date: 27 May 2004 23:15:25 -0700
I have two windows 2003 servers running IIS6. One is the production
server, one is the test server.
I have developed an asp.net app on the test server that requires
kerberos authentication and *works perfectly*. I have transferred it
to the production server and it doesnt work - on closer investigation
I discover that the login to the production server is using
NTLM....which makes my kerberos based app fall over.
Now I thought Kerberos was the default for IIS6 and NTLM the fallback?
I am using the same workstation and browser (XP/IE6) to connect to
both servers, yet I get a different result when I check in the system
Test server - shows login success with Kerberos
Prod server - shows login success with NTLM
There ARE successful kerberos logins on the production server - but
these ONLY seem to be for connections between the Prod server and the
DCs. *All* the user (browser) logins are being passed off the NTLM.
Is the problem in IIS?
I have run netdiag and there are no errors in the kerberos subsystem.
I have also run
cscript adsutil.vbs set w3svc/NTAuthenticationProviders
setspn -A HTTP/servername.domain NETBIOSNAME
None of this makes any difference - the production server still
insists on authenticating with Kerberos.
Anyone got any tips as I have been fighting this for a week!
Al Blake, Canberra, Australia