Re: Forcing Kerberos authentication in IIS6?
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 05/30/04
- Next message: Jerry Pisk: "Re: I can rename folder W3SVCn?"
- Previous message: David Wang [Msft]: "Re: I can rename folder W3SVCn?"
- In reply to: Al Blake: "Re: Forcing Kerberos authentication in IIS6?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 29 May 2004 23:25:39 -0700
The default value for NtAuthenticationProviders is unset and is unavailable
through the UI, so someone has to have set them via ADSUTIL or similar
metabase editing tools.
NtAuthenticationProviders is available both globally and per-website, as
you've discovered. The way that configuration works is that global settings
apply unless locally overridden. The UI has functionality which will warn
you when setting parent settings that child settings are overriding them --
but there is no such thing with plain metabase editing tools.
You have two basic choices:
1. Use inheritance, in which case you DELETE the NtAuthenticationProviders
property from the websites. This allows automatic inheritance of the global
setting (which is what you were expecting). The downside is that if anyone
else changes the global NtAuthenticationProviders property to
NTLM,Negotiate, your apps break.
2. Do not use inheritance, in which case you set NtAuthenticationProviders
individually for the websites that need it. The downside is that this does
not have automatic inheritance of the global setting (which is what you were
expecting). The upside is that if anyone else ever changes the global
NtAuthenticationProviders property to NTLM,Negotiate, your apps will still
work.
The two choices are mutually exclusive. You cannot have global, overriding
inheritance AND immunity from such changes being breaking changes.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Al Blake" <al@blakes.net> wrote in message
news:Oh%23bGUWREHA.2936@TK2MSFTNGP12.phx.gbl...
> Ok, I worked it out. In case anyone else runs into the same problem:
> I had set the NTAuthentication methods in the metabase for the server but
> I didn't check what the setting was for *each* web site. Seems that at some
> point in time (I don't know how) authentication for several individual sites
> had been set to only NTLM. I reset it for each site and now Kerberos works
> perfectly (except for SharePoint but that's another story!).
>
> Al Blake, Canberra, Australia
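The override behaviour discussed in the message above can be audited offline. The following is an added example, not part of the original posts and not Microsoft tooling: it resolves the effective NtAuthenticationProviders value for every node below W3SVC and reports whether it is inherited or a local override. The XML is a constructed, simplified fragment modelled on an IIS 6 MetaBase.xml file, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified fragment modelled on an IIS 6 MetaBase.xml file (assumption:
# namespace and unrelated attributes omitted; site ids, comments and values are sample data).
SAMPLE_METABASE = """
<MBProperty>
  <IIsWebService Location="/LM/W3SVC" NTAuthenticationProviders="Negotiate,NTLM"/>
  <IIsWebServer Location="/LM/W3SVC/1" ServerComment="Intranet"/>
  <IIsWebServer Location="/LM/W3SVC/2" ServerComment="Reports" NTAuthenticationProviders="NTLM"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT"/>
  <IIsWebServer Location="/LM/W3SVC/3" ServerComment="Portal" NTAuthenticationProviders="NTLM,Negotiate"/>
</MBProperty>
"""

def load_settings(xml_text):
    """Map each Location (upper-cased) to its locally set provider list, or None."""
    settings = {}
    for node in ET.fromstring(xml_text.strip()).iter():
        loc = node.get("Location")
        if loc is not None:
            attrs = {k.lower(): v for k, v in node.attrib.items()}
            settings[loc.upper().rstrip("/")] = attrs.get("ntauthenticationproviders")
    return settings

def effective(settings, location):
    """Walk from a node up through its parents; the nearest explicit value wins."""
    path = location.upper().rstrip("/")
    while path:
        if settings.get(path) is not None:
            return settings[path], path
        path = path.rpartition("/")[0]
    return None, None  # unset at every level; not judged by this audit

def audit(xml_text, root="/LM/W3SVC"):
    """Return (location, effective value, origin, negotiate_first) for nodes below root."""
    settings = load_settings(xml_text)
    rows = []
    for loc in sorted(settings):
        if not loc.startswith(root + "/"):
            continue
        value, source = effective(settings, loc)
        # Per the thread: "NTLM" alone and "NTLM,Negotiate" both break Kerberos-dependent apps.
        first = None if value is None else value.split(",")[0].strip().lower() == "negotiate"
        origin = "local override" if source == loc else f"inherited from {source}"
        rows.append((loc, value, origin, first))
    return rows

if __name__ == "__main__":
    print(*audit(SAMPLE_METABASE), sep="\n")
```

Rows marked "local override" are the sites that will ignore a change to the global value, which is the situation Al Blake found on his server.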