SPS won't use kerberos

From: Al Blake (al_at_blakes.net)
Date: 05/29/04


Date: Sat, 29 May 2004 20:25:25 +1000

We have a windows2003 member server in a native AD domain that runs SPS2003
as well as a number of non-SPS IIS6 web sites.
We have managed to configure all the web sites *except* SPS2003 to use
kerberos as their preferred authentication - so we know kerberos is working
on the box.

We have followed KB832769 to enable kerberos on the SPS web but still
whenever a client browser connects (XP + IE6SP1) the authentication method
selected is NTLM. Why?

We have:
a) Set NTAuthenticationProviders to "Negoatiate,NTLM" in the metabase for
the SPS site
b) Set the computer account as trusted for delegation in AD
c) Set the user account used by the app pool as trusted in AD
d) Used setspn to add HTTP/DOMAIN\USER SERVER as an additional spn

but still NTLM is used as the authentication mechanism.

As a side issue, when trying to access the box from another windows2003
server (such as our TS server) which is running IE 6.0.3790.0 we get
repeatedly prompted to login if authentication mechanism is
"Negotiate,NTLM". Checking in the event log shows a kerberos failure for a
blank username.

Trying from XP+IE6SP1 clients we do not get prompted to login (i.e. windows
authentication works) but checking in the event log indicates that NTLM has
been used! So XP+IE6SP1 is NOT using kerberos to authenticate with the SPS
site. Why not?

Al Blake, Canberra, Australia
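
The post infers the mechanism from the event log; the same answer can be read from the `Authorization` header the browser sends, because a "Negotiate" header may carry either a SPNEGO/Kerberos token or a bare NTLMSSP message. The following is an added example, not part of the original post; the function name `classify_authorization` and both sample headers are constructed for illustration.

```python
import base64
import struct

# DER-encoded mechanism OIDs as they appear inside GSS-API/SPNEGO tokens.
OID_SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
MECH_OIDS = {
    bytes.fromhex("06092a864886f712010202"): "kerberos",  # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"): "kerberos",  # 1.2.840.48018.1.2.2 (legacy MS)
    bytes.fromhex("060a2b06010401823702020a"): "ntlm",    # 1.3.6.1.4.1.311.2.2.10
}
NTLM_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def classify_authorization(value):
    """Return (mechanism, detail) for an HTTP Authorization header value."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return ("other", scheme)
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ("invalid", "token is not valid base64")
    if token.startswith(NTLM_SIG):
        if len(token) < 12:
            return ("invalid", "truncated NTLMSSP message")
        (mtype,) = struct.unpack_from("<I", token, 8)
        return ("ntlm", "raw NTLMSSP " + NTLM_TYPES.get(mtype, "type %d" % mtype))
    if token[:1] != b"\x60":  # GSS-API InitialContextToken tag
        return ("unknown", "neither NTLMSSP nor a GSS-API token")
    # The mechanism OID nearest the start is thisMech (raw GSS-API) or the
    # first, i.e. preferred, entry of the SPNEGO mechTypes list.
    hits = sorted((token.find(oid), name) for oid, name in MECH_OIDS.items()
                  if oid in token)
    if not hits:
        return ("unknown", "GSS-API token without a known mechanism OID")
    wrapper = "SPNEGO" if token.find(OID_SPNEGO, 0, 16) != -1 else "raw GSS-API"
    return (hits[0][1], wrapper + " token")

def _tlv(tag, body):
    """Constructed-sample helper: short-form DER tag-length-value."""
    return bytes([tag, len(body)]) + body

# Constructed samples (not captured traffic): an NTLM type 1 message and a
# SPNEGO NegTokenInit whose mechTypes list offers Kerberos before NTLM.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    NTLM_SIG + struct.pack("<II", 1, 0xA2088207)).decode()
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(_tlv(0x60, OID_SPNEGO + _tlv(
    0xA0, _tlv(0x30, _tlv(0xA0, _tlv(0x30, b"".join(MECH_OIDS))))))).decode()
```

A result of `ntlm` for a header whose scheme is "Negotiate" is the situation the post describes: the server offered Negotiate, but the client did not send a Kerberos token.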


