Re: SPS wont use kerberos

From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 05/29/04 

Date: Sat, 29 May 2004 23:31:34 +1000

Hi,

As mentioned in your other thread, let's please look at what is actually
happening between server and client before speculating about causes.

Cheers
Ken

"Al Blake" <al@blakes.net> wrote in message
news:%23w3uNdWREHA.2112@TK2MSFTNGP11.phx.gbl...
: We have a windows2003 member server in a native AD domain that runs
SPS2003
: as well as a number of non-SPS IIS6 web sites.
: We have managed to configure all the web sites *except* SPS2003 to use
: kerberos as their preferred authentication - so we know kerberos is
working
: on the box.
:
: We have followed KB832769 to enable kerberos on the SPS web but still
: whenever a client browser connects (XP + IE6SP1) the authentication method
: selected is NTLM. Why?
:
: We have:
: a) Set NTAuthenticationProviders to "Negoatiate,NTLM" in the metabase for
: the SPS site
: b) Set the computer account as trusted for delegation in AD
: c) Set the user account used by the app pool as trusted in AD
: d) Used setspn to add HTTP/DOMAIN\USER SERVER as an additional spn
:
: but still NTLM is used as the authentication mechanism.
:
: As a side issue, when tryng to access the box from another windows2003
: server (such as our TS server) which is running IE 6.0.3790.0 we get
: repeatedly prompted to login if authentication mechanism is
: "Negotiate,NTLM". Checking in the event log shows a kerberos failure for a
: blank username.
:
: Trying from XP+IE6SP1 clients we do not get prompted to login (ie windows
: authentication works) but checking in the event log indicates that NTLM
has
: been used ! So XPIE6SP1 is NOT using kerberos to authenticate with the SPS
: site. Why not?
:
: Al Blake, Canberra, Australia
:
:

Relevant Pages

  • Re: Integrated Windows Authentication Timeout?
    ... Is it possible that a different host name is being used for one of the subsequent requests that would break Kerberos auth? ... If you have "Negotiate" authentication set in the metabase, then this can still negotiate down to NTLM if for some reason the protocol thinks that Kerberos is unavailable. ... server. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: iis problems with some xp clients - kerberos issue?
    ... is the browser even attempting Kerberos Authentication? ... the webserver failing to get a service ticket for the SQL Server etc. ... Check that the site is in IE's Intranet zone (IE doesn't attempt to Kerberos ... Both access SQL ...
    (microsoft.public.inetserver.iis.security)
  • Re: REPOST - IIS6 /WebDAV/NTLM/Kerberos and Remote Storage
    ... >are using to authentication. ... Kerberos tickets target a service ... >authenticate to IIS from the client browser. ... structure on a Win2K server. ...
    (microsoft.public.inetserver.iis)
  • Update: Problems authenticating users via AD with Kerberos on Solaris 9
    ... However, since MIT does not implement TCP, the request fails. ... We have a Solaris 9 server that we configured to authenticate users via ... Active Directory using Kerberos. ... up but recently for whatever reason, Kerberos authentication does not ...
    (SunManagers)
  • Re: CIFS / Kerberos question
    ... Packet sniffing from a connected hub (for server, ... > I am trying to achieve PKI authentication and SMB access to Windows ... > - Filesystem relies on SSPI-KerberosV to provide security services. ... What exactly does Kerberos do in the server? ...
    (microsoft.public.win2000.security)