Re: Strange auth denial with IE Integrated Security and IIS; but not Firefox, Netscape

From: Bernard (qbernard_at_hotmail.com.discuss)
Date: 11/24/04


Date: Wed, 24 Nov 2004 14:32:01 +0800

Thanks :)

And yes - by default there's no entry for "NTAuthenticationProviders".

It should be 'Negotiate,NTLM' if it's default.

-- 
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"Kevin C" <kc@noneya.com> wrote in message
news:eG4UMXe0EHA.2016@TK2MSFTNGP15.phx.gbl...
> You were pretty close on the money with your post about:
>  "What I suspect is Kerberos auth failed, when the "Enable Windows
> Integrated Authentication" is on. IE will force kerberos auth, without it,
> it will pick NTLM if kerberos failed."
>
> Excuse me if I go off in a dream world - I just took an Ambien to help me
> sleep ;)
>
> We are on AD.  By default when a machine is added to the AD the machine's
> LOCAL and NETWORK service accounts are registered with AD. These are
> obviously the accounts that are tarted to run asp.net web apps by default.
> By being registered with AD those two accounts can be authenticated by AD
> from that machine.  Since I am using a custom account, AD does not have an
> SPN registered for that user account so auth fails.
>
> I don't have domain admin rights so I took another route and forced NTLM
> security checks - did this by modifying the metabase.  This of course
> happens between the two machines and not AD.  Nevertheless, the parties in
> place can determine authorization.
>
> But had I asked a Domain Admin to run the spnreg utility for the domain
> account I was trying to use I am confident it would have also worked.   The
> devil was in the details of this article.
>
>
> http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/ca_cfgwrkridentity.asp
>
> But here was another weird thing.  When I open up the web site's metabase
> there was not an entry for "NTAuthenticationProviders".  I believe that
> falls back to Kerberos only in IIS6 (but don't quote me).   So, in order to
> force NTLM (like I mentioned above) I just added
> "NTAuthenticationProviders : "NTLM"
>
> Does this make sense?
>
> Kevin Cunningham [SARK]
>
>
> ... I just read the article a day too late :^<
>
>