Re: SPS wont use kerberos
From: Al Blake (al_at_blakes.net)
Date: 05/30/04
Date: Sun, 30 May 2004 11:19:58 +1000
Fantastic Ken,
This is just the sort of info/troubleshooting I was looking for.
I'll check it out and let you know in the next couple of days.
Thanks again.
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:eVXOU1dREHA.2936@TK2MSFTNGP12.phx.gbl...
> Is the server actually sending back:
>
> WWW-Authenticate: Negotiate
> WWW-Authenticate: NTLM
>
> in the HTTP response headers? You can use WFetch to test this:
>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&DisplayLang=en
>
> Is the client then attempting to use Kerberos to authenticate? You will need
> to use something like Ethereal to test this: www.ethereal.com
>
> Cheers
> Ken
>
>
> "Al Blake" <al@blakes.net> wrote in message
> news:%23gLHDHdREHA.1160@TK2MSFTNGP09.phx.gbl...
> : Sure.
> : But what would you like to know ?
> : Al.
> :
> : "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> : news:uwgvzEYREHA.1644@TK2MSFTNGP09.phx.gbl...
> : > Hi,
> : >
> : > As mentioned in your other thread, let's please look at what is actually
> : > happening between server and client before speculating about causes.
> : >
> : > Cheers
> : > Ken
> : >
> : >
> : > "Al Blake" <al@blakes.net> wrote in message
> : > news:%23w3uNdWREHA.2112@TK2MSFTNGP11.phx.gbl...
> : > : We have a windows2003 member server in a native AD domain that runs SPS2003
> : > : as well as a number of non-SPS IIS6 web sites.
> : > : We have managed to configure all the web sites *except* SPS2003 to use
> : > : kerberos as their preferred authentication - so we know kerberos is working
> : > : on the box.
> : > :
> : > : We have followed KB832769 to enable kerberos on the SPS web but still
> : > : whenever a client browser connects (XP + IE6SP1) the authentication method
> : > : selected is NTLM. Why?
> : > :
> : > : We have:
> : > : a) Set NTAuthenticationProviders to "Negoatiate,NTLM" in the metabase for
> : > : the SPS site
> : > : b) Set the computer account as trusted for delegation in AD
> : > : c) Set the user account used by the app pool as trusted in AD
> : > : d) Used setspn to add HTTP/DOMAIN\USER SERVER as an additional spn
> : > :
> : > : but still NTLM is used as the authentication mechanism.
> : > :
> : > : As a side issue, when trying to access the box from another windows2003
> : > : server (such as our TS server) which is running IE 6.0.3790.0 we get
> : > : repeatedly prompted to login if authentication mechanism is
> : > : "Negotiate,NTLM". Checking in the event log shows a kerberos failure for a
> : > : blank username.
> : > :
> : > : Trying from XP+IE6SP1 clients we do not get prompted to login (ie windows
> : > : authentication works) but checking in the event log indicates that NTLM has
> : > : been used ! So XPIE6SP1 is NOT using kerberos to authenticate with the SPS
> : > : site. Why not?
> : > :
> : > : Al Blake, Canberra, Australia
> : > :
> : > :
> : >
> : >
> :
> :
>
>
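
The two checks suggested in the quoted reply (what the server offers in WWW-Authenticate, and which mechanism the client's token actually carries) can be automated once the headers have been captured. The following is an added example, not part of the original thread: the function names and sample headers are hypothetical, and the token check is a heuristic on the leading bytes (NTLM messages start with `NTLMSSP\0`, GSS-API/SPNEGO tokens start with 0x60 and carry mechanism OIDs).

```python
import base64

NTLMSSP = b"NTLMSSP\x00"                               # signature at the start of every NTLM message
SPNEGO_OID = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2 (Kerberos 5)
             bytes.fromhex("06092a864882f712010202"))  # 1.2.840.48018.1.2.2 (Microsoft's variant)

def offered_schemes(www_authenticate):
    """Scheme names from the WWW-Authenticate header values of a 401 response."""
    return [v.split()[0] for v in www_authenticate if v.strip()]

def token_mechanism(authorization):
    """Return 'Kerberos', 'NTLM' or 'unknown' for a client's Authorization header value."""
    _scheme, _, b64 = authorization.strip().partition(" ")
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return "unknown"
    if token.startswith(NTLMSSP):
        return "NTLM"                       # raw NTLM, even when the scheme says Negotiate
    if token[:1] == b"\x60":                # GSS-API initial context token
        head = token[:64]                   # mechanism OIDs sit near the start
        if any(oid in head for oid in KRB5_OIDS):
            return "Kerberos"
        if SPNEGO_OID in head and NTLMSSP in token:
            return "NTLM"                   # NTLM wrapped in SPNEGO
    return "unknown"

def diagnose(www_authenticate, authorization):
    """Combine both observations into one finding."""
    if "Negotiate" not in offered_schemes(www_authenticate):
        return "server does not offer Negotiate, so Kerberos is impossible"
    mech = token_mechanism(authorization)
    if mech == "Kerberos":
        return "client sent a Kerberos token"
    if mech == "NTLM":
        return "server offers Negotiate but client fell back to NTLM"
    return "token not recognised"

# Constructed sample data (not captured from the servers in this thread).
SAMPLE_401 = ["Negotiate", "NTLM"]
SAMPLE_NTLM = "Negotiate " + base64.b64encode(NTLMSSP + b"\x01\x00\x00\x00\x07\x82\x08\xa2").decode()
SAMPLE_KRB = "Negotiate " + base64.b64encode(
    b"\x60\x82\x01\x00" + SPNEGO_OID + b"\xa0\x0d\x30\x0b" + KRB5_OIDS[0] + b"\x00" * 32).decode()

if __name__ == "__main__":
    for hdr in (SAMPLE_NTLM, SAMPLE_KRB):
        print(diagnose(SAMPLE_401, hdr))
```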