Re: Integrated Authentication (Kerberos) Problem

From: Mark Parter (MarkParter_at_discussions.microsoft.com)
Date: 07/27/04

  • Next message: PaulT: "Trimming down App. Mappings in IIS 6.0"
    Date: Tue, 27 Jul 2004 09:49:37 -0700
    
    

    The IIS server is called dv2anai
    The SQL Server is called sql-server

    Imaginative titles or what :)

    I access the site using http://dv2anai
    IE shows this as being part of the "Intranet Zone"

    "Ken Schaefer" wrote:

    > What is the servername that you are accessing the IIS server with?
    >
    > If it is a fully qualified domain name (FQDN), then IE will think that this
    > machine is the "Internet" security zone by default, and will not attempt
    > Kerberos Authentication (I think this is mentioned in the Troubleshooting
    > Kerberos doc you have). You need to add the site to the Intranet zone -or-
    > access the site by NetBIOS name.
    >
    > Also, if you are accessing by FQDN, ensure that the relevant SPN is
    > registered:
    > http://support.microsoft.com/default.aspx?scid=kb;EN-US;294382
    >
    > Cheers
    > Ken
    >
    >
    > "Mark Parter" <MarkParter@discussions.microsoft.com> wrote in message
    > news:2DCED5E2-3BEE-4B3F-BEB5-0C9C57BB6FB8@microsoft.com...
    > > Hello All,
    > >
    > > I have the following 3 machines involved in this process;
    > >
    > > 1. A Windows XP SP1 with IE6 client machine
    > > 2. A Windows 2003 server with IIS 6
    > > 3. A Windows 200 Server with SQL Server 2000
    > >
    > > I'm trying to get a report I've created in Reporting Services (which is
    > > served from machine 2) to access data from a SQL database on machine 3.
    > >
    > > I cannot get Kerberos to work; IE6 on machine 1 seems to indicate that
    > > NTLM is being used instead. I am testing with an ASP script from a Microsoft
    > > article. The script always returns the Authentication Type as NTLM. Here's
    > > what I've done so far;
    > >
    > > 1. Configured IIS 6 to use ONLY Integrated Windows Authentication
    > > 2. Given machine 2 delegation privileges in AD
    > > 3. Given the domain account under which the IIS application runs,
    > > delegation privileges in AD.
    > > 4. Set SPNs for this domain account (not sure if I've done this OK so a
    > > pointer on this may be helpful)
    > > 5. Verified that IE has the "Enable Integrated Windows Authentication"
    > > option checked.
    > > 6. Changed the NTAuthenticationProviders attribute in the metabase.xml
    > > file from NTAuthenticationProviders="NTLM" to
    > > NTAuthenticationProviders="Negotiate,NTLM"
    > > 7. Gone through the MS article at
    > > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx but still no further forward.
    > > 8. Confirmed that authentication only fails from machine 1. If accessing
    > > the same site on machine 2, everything works fine.
    > >
    > > Here's an extract from the IIS log;
    > >
    > > 2004-07-16 13:58:33 10.20.16.27 GET /tests/kerberos.asp |17|80004005|Login_failed_for_user_'(null)'._Reason:_Not_associated_with_a_trusted_SQL_Server_connection. 80 STAFF\M-Parter 10.20.20.55 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 500 0 0
    > > 2004-07-16 13:58:40 10.20.16.27 GET /tests/kerberos.asp - 80 - 10.20.20.55 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 2 2148074254
    > > 2004-07-16 13:58:40 10.20.16.27 GET /tests/kerberos.asp - 80 - 10.20.20.55 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 1 0
    > > 2004-07-16 13:58:40 10.20.16.27 GET /tests/kerberos.asp |17|80004005|Login_failed_for_user_'(null)'._Reason:_Not_associated_with_a_trusted_SQL_Server_connection. 80 STAFF\M-Parter 10.20.20.55 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 500 0 0
    > >
    > >
    > > When I performed step 6, I then get prompted for a username and password
    > > in IE on machine 1. No matter what I enter for a username and password, I
    > > don't get access. If I then undo the changes in Step 6, I can gain access to
    > > the site again.
    >
    >
    >
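
The IIS log extract quoted in this message can be read programmatically to separate the 401 handshake rounds from requests where IIS logged an authenticated user but SQL Server saw a '(null)' login. This is an added example, not part of the thread or any poster's code; the field order is inferred from the quoted lines (no #Fields header is shown), and the function names are hypothetical.

```python
import re

# Field order inferred from the log extract in the post; the post shows no
# "#Fields:" header, so this order is an assumption.
FIELDS = ("date time s_ip method uri_stem uri_query s_port username "
          "c_ip user_agent status substatus win32_status").split()

# Error text ASP appended to the query field: SQL Server saw no user identity.
NULL_LOGIN = re.compile(r"Login_failed_for_user_'\(null\)'")

def parse(line):
    """Split one W3C log line into a dict, or None if it does not fit FIELDS."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        for key in ("status", "substatus", "win32_status"):
            rec[key] = int(rec[key])
    except ValueError:
        return None
    return rec

def classify(rec):
    """Label a parsed request by what it says about the authentication path."""
    if rec["status"] == 401:
        # Part of the HTTP authentication handshake, before a user is known.
        return "challenge 401.%d win32=0x%08X" % (rec["substatus"], rec["win32_status"])
    if rec["status"] == 500 and rec["username"] != "-" and NULL_LOGIN.search(rec["uri_query"]):
        # IIS knew the caller, SQL Server did not: identity lost at the second hop.
        return "second-hop-anonymous"
    return "other"

def summarize(lines):
    """Return (username, label) for every parsable line."""
    return [(r["username"], classify(r)) for r in map(parse, lines) if r]

UA = "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322)"
ERR = ("|17|80004005|Login_failed_for_user_'(null)'._Reason:_"
       "Not_associated_with_a_trusted_SQL_Server_connection.")
# The four log lines from the post, with the mail client's line wrapping undone.
SAMPLE = [
    rf"2004-07-16 13:58:33 10.20.16.27 GET /tests/kerberos.asp {ERR} 80 STAFF\M-Parter 10.20.20.55 {UA} 500 0 0",
    rf"2004-07-16 13:58:40 10.20.16.27 GET /tests/kerberos.asp - 80 - 10.20.20.55 {UA} 401 2 2148074254",
    rf"2004-07-16 13:58:40 10.20.16.27 GET /tests/kerberos.asp - 80 - 10.20.20.55 {UA} 401 1 0",
    rf"2004-07-16 13:58:40 10.20.16.27 GET /tests/kerberos.asp {ERR} 80 STAFF\M-Parter 10.20.20.55 {UA} 500 0 0",
]
```

Calling `summarize(SAMPLE)` labels both 500 responses as `second-hop-anonymous` for STAFF\M-Parter and the two 401 responses as challenge rounds with no username.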

