Forcing Kerberos authentication in IIS6?

From: Al Blake (al_at_blakes.net)
Date: 05/28/04


Date: 27 May 2004 23:15:25 -0700

I have two Windows 2003 servers running IIS6. One is the production
server, one is the test server.
I have developed an ASP.NET app on the test server that requires
Kerberos authentication and *works perfectly*. I have transferred it
to the production server and it doesn't work - on closer investigation
I discover that the login to the production server is using
NTLM....which makes my Kerberos-based app fall over.
Now I thought Kerberos was the default for IIS6 and NTLM the fallback?
I am using the same workstation and browser (XP/IE6) to connect to
both servers, yet I get a different result when I check in the system
event log.
Test server - shows login success with Kerberos
Prod server - shows login success with NTLM

There ARE successful Kerberos logins on the production server - but
these ONLY seem to be for connections between the Prod server and the
DCs. *All* the user (browser) logins are being passed off to NTLM.
Why?

Is the problem in IIS?
I have run netdiag and there are no errors in the Kerberos subsystem.
I have also run

    cscript adsutil.vbs set w3svc/NTAuthenticationProviders "Negotiate,NTLM"

and

    setspn -A HTTP/servername.domain NETBIOSNAME

None of this makes any difference - the production server still
insists on authenticating with Kerberos.

Why?
Anyone got any tips as I have been fighting this for a week!

Al Blake, Canberra, Australia
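
Added example, not part of the original post: besides the event log, the mechanism the browser actually chose can be read from the token in the request's Authorization header, because a "Negotiate" header can carry either a Kerberos ticket or an NTLM fallback message. The function and sample names are hypothetical, the sample tokens are constructed stubs rather than captured traffic, and the check is a marker-based heuristic, not a full ASN.1 parse.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"                       # start of every NTLM message
SPNEGO_OID = bytes.fromhex("06062b0601050502")     # 1.3.6.1.5.5.2
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),       # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"),       # 1.2.840.48018.1.2.2 (MS variant)
)

def classify_authorization(header_value):
    """Return (scheme, mechanism) for one HTTP Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("negotiate", "ntlm"):
        return scheme, "not-integrated-auth"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                             # binascii.Error subclasses ValueError
        return scheme, "malformed"
    idx = token.find(NTLMSSP_SIG)                  # raw NTLM, or NTLM wrapped in SPNEGO
    if idx != -1 and len(token) >= idx + 12:
        (msg_type,) = struct.unpack_from("<I", token, idx + 8)
        return scheme, "ntlm-type%d" % msg_type    # 1 = negotiate, 3 = authenticate
    if token[:1] == b"\x60" and any(oid in token for oid in KRB5_OIDS):
        return scheme, "kerberos"                  # GSS-API token offering Kerberos
    return scheme, "unknown"

def sample_headers():
    """Constructed inputs (not captured traffic, not decodable tickets)."""
    ntlm1 = NTLMSSP_SIG + struct.pack("<II", 1, 0xA2088207)
    krb = b"\x60\x82\x04\x00" + SPNEGO_OID + b"\xa0\x0d\x30\x0b" + KRB5_OIDS[0]
    enc = lambda raw: base64.b64encode(raw).decode("ascii")
    return {
        "fallback": "Negotiate " + enc(ntlm1),
        "kerberos": "Negotiate " + enc(krb),
        "plain_ntlm": "NTLM " + enc(ntlm1),
    }

if __name__ == "__main__":
    for name, value in sample_headers().items():
        print(name, classify_authorization(value))
```

The same NTLMSSP signature is visible by eye in a trace: its base64 form begins with TlRMTVNTUA.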


