Re: IIS Auth Error - Kerberos/NTLM not accepting credentials

From: Ken Schaefer (kenREMOVE_at_THISadopenstatic.com)
Date: 01/16/05


Date: Sun, 16 Jan 2005 20:53:18 +1100

Have you got the relevant IIS logfile entries? Can you post those to
complete the picture? Thanks

Cheers
Ken

"Colin Bowern" <colinbowern@nospam.indimensions.com> wrote in message
news:e8NGrGP%23EHA.2600@TK2MSFTNGP09.phx.gbl...
> I've got a Windows Server 2003 / IIS 6 machine running Windows SharePoint
> Services that users are having problems authenticating against. When
> someone tries to connect they are prompted for credentials.
>
> -- The Windows XP SP2 client computers have the domain added to the local
> intranet zone ("*.mydomain.com").
>
> -- The IIS 6 virtual server is set to use host header names (dev,
> dev.mydomain.com) which is different from the machine name (frink,
> frink.mydomain.com).
>
> -- IIS has been configured to use both Kerberos and NTLM (as per
> http://support.microsoft.com/?id=832769)
>
> -- The application pool identity is a domain user account which belongs to
> IIS_WPG, STS_WPG. SPNs have been set up as follows (to cover all the
> bases):
> setspn -A HTTP/frink MYDOMAIN\sharepoint
> setspn -A HTTP/dev MYDOMAIN\sharepoint
> setspn -A HTTP/dev.mydomain.com MYDOMAIN\sharepoint
>
> -- The application pool identity domain user account has been set to
> "Trust this user for delegation to any service (Kerberos only)".
>
> There is one particular computer which seems to be causing the most
> problems. This user is set up like every other user in terms of
> permissions, group access, etc. On their Windows XP SP2 laptop they
> attempt to log in and get prompted for credentials. If they enter them
> correctly they get through. Another SharePoint instance is installed on a
> domain controller and the user is able to access that one without being
> prompted for credentials.
>
> Looking at the headers being passed by ieHTTPHeaders the negotiate header
> is getting sent along with the credential blob. On the server end it's
> showing:
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 529
> Date: 1/12/2005
> Time: 4:47:12 PM
> User: NT AUTHORITY\SYSTEM
> Computer: FRINK
> Description:
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: problem.user
> Domain: dev.mydomain.com
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: USER-LAPTOP
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transited Services: -
> Source Network Address: 192.168.1.111
> Source Port: 1446
>
> The interesting bits here are that the domain is not the domain of the
> network but the name of the machine. Also, even though the browser is IE
> 6, the machine has logged on successfully to the network, and the headers
> show Negotiate, the audit log entry is showing NTLM as the auth package.
>
> Any thoughts on what to do next would be great!
> Thanks!
> Colin
>
> PS - I've been over the following resources already with no luck:
> http://www.choam.org/tbp/weblog/2003/08/02/000072
> http://groups-beta.google.com/group/microsoft.public.inetserver.iis/browse_thread/thread/f7250b172eaf948f#14d0295f8e76c514
>
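The symptom in the quoted post (browser sends a Negotiate header, server audit shows Authentication Package NTLM) is consistent with the Negotiate token carrying an NTLMSSP message instead of a Kerberos ticket, which is what happens when the client cannot obtain a ticket for the host header name. The following script is an added example, not code from the thread or from Microsoft: it decodes an Authorization header value and reports whether the token is a SPNEGO wrapper, which mechanisms it offers, and whether an NTLMSSP message is present. The three sample headers are constructed inline with a minimal DER builder, and the Kerberos AP-REQ inside the Kerberos sample is a labelled placeholder, not a real ticket.

```python
import base64
import struct

# Byte signatures used to tell what a "Negotiate" token really carries.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER OID value bytes as they appear inside a GSS-API / SPNEGO token.
SPNEGO_OID = bytes.fromhex("2b0601050502")              # 1.3.6.1.5.5.2
KERBEROS_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KERBEROS_OID = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2 (MS KRB5)
NTLMSSP_OID = bytes.fromhex("2b060401823702020a")       # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = (("kerberos-ms", MS_KERBEROS_OID),
              ("kerberos", KERBEROS_OID),
              ("ntlmssp", NTLMSSP_OID))


def classify_negotiate_token(header_value):
    """Decode an 'Authorization: Negotiate <base64>' value and report what is inside."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        raise ValueError("expected a Negotiate or NTLM authorization header")
    blob = base64.b64decode(b64)
    info = {"scheme": scheme, "wrapper": "unknown", "mechs": [], "ntlm_message_type": None}

    if blob.startswith(NTLMSSP_SIGNATURE):
        info["wrapper"] = "raw-ntlm"      # NTLMSSP message with no SPNEGO framing
    elif blob[:1] == b"\x60" and SPNEGO_OID in blob[:16]:
        info["wrapper"] = "spnego"        # GSS-API InitialContextToken carrying SPNEGO
        # mechTypes are listed in the client's preference order; report them in that order.
        found = [(blob.find(oid), name) for name, oid in MECH_NAMES if oid in blob]
        info["mechs"] = [name for _, name in sorted(found)]

    # An NTLMSSP message anywhere (raw, or as the SPNEGO mechToken) means the client
    # is actually doing NTLM; the little-endian DWORD at offset 8 is the message type.
    pos = blob.find(NTLMSSP_SIGNATURE)
    if pos != -1 and len(blob) >= pos + 12:
        info["ntlm_message_type"] = struct.unpack_from("<I", blob, pos + 8)[0]

    if info["ntlm_message_type"] is not None:
        info["effective_mech"] = "ntlm"
    elif info["mechs"]:
        info["effective_mech"] = info["mechs"][0]
    else:
        info["effective_mech"] = "unknown"
    return info


def diagnose(info):
    """Relate the token contents to the Authentication Package seen in the server audit."""
    if info["effective_mech"] == "ntlm":
        return ("NTLM inside the Negotiate exchange: the server audit will show "
                "Authentication Package NTLM. Check that the HTTP SPN for the host header "
                "name is registered on the application pool account (setspn -L) and that "
                "the client actually holds a ticket for it.")
    if info["effective_mech"].startswith("kerberos"):
        return "Kerberos token: the server audit should show Authentication Package Kerberos."
    return "Unrecognised token; capture the raw header and inspect it by hand."


# --- constructed sample tokens (not captured traffic) -------------------------

def _der(tag, content):
    """Minimal DER TLV encoder (content up to 65535 bytes) for building samples."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    if n < 256:
        return bytes([tag, 0x81, n]) + content
    return bytes([tag, 0x82]) + n.to_bytes(2, "big") + content


def _oid(value_bytes):
    return _der(0x06, value_bytes)


def build_spnego_init(mech_oids, mech_token):
    """Build a SPNEGO NegTokenInit with the given mechTypes and mechToken."""
    mech_types = _der(0xA0, _der(0x30, b"".join(_oid(o) for o in mech_oids)))
    token = _der(0xA2, _der(0x04, mech_token))
    neg_token_init = _der(0xA0, _der(0x30, mech_types + token))
    return _der(0x60, _oid(SPNEGO_OID) + neg_token_init)


def ntlm_message(msg_type):
    """Constructed NTLMSSP header: signature, message type, zero-filled body."""
    return NTLMSSP_SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 24


def sample_headers():
    """Three constructed Authorization values covering the cases discussed in the thread."""
    fake_ap_req = b"\x6e\x12" + b"CONSTRUCTED-AP-REQ"   # placeholder, not a real AP-REQ
    krb_token = _der(0x60, _oid(KERBEROS_OID) + b"\x01\x00" + fake_ap_req)
    return {
        "kerberos": "Negotiate " + base64.b64encode(
            build_spnego_init([MS_KERBEROS_OID, KERBEROS_OID, NTLMSSP_OID], krb_token)).decode(),
        "spnego_ntlm": "Negotiate " + base64.b64encode(
            build_spnego_init([NTLMSSP_OID], ntlm_message(1))).decode(),
        "raw_ntlm": "NTLM " + base64.b64encode(ntlm_message(3)).decode(),
    }


if __name__ == "__main__":
    for name, header in sample_headers().items():
        info = classify_negotiate_token(header)
        print(name, info["wrapper"], info["mechs"], info["effective_mech"])
        print("   ", diagnose(info))
```

Paste the value of the Authorization header captured with ieHTTPHeaders into classify_negotiate_token to see whether the client ever offered Kerberos; a "Negotiate" header whose token is NTLMSSP matches the Event 529 entry with Authentication Package NTLM exactly, and points at the ticket (SPN) side rather than at IIS itself.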
