Re: NTLM and Kerberos
- From: "Joe" <joe@xxxxxxx>
- Date: Mon, 20 Feb 2006 19:31:16 -0600
Thanks for your quick response!
I would have to open port 88 to my Domain Controller?
How would IE know which server is the Domain Controller (my home computer is not on the domain)? I get the msadc DNS lookup; I am going to server.domain.com, where my domain is NTDomain.local, and my domain controller does not know anything about domain.com.
"Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:OXyC5NoNGHA.3936@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
a) Kerberos requires the user to obtain a Kerberos Service Ticket for the remote service (namely IIS). This is obtained from the KDC (Key Distribution Centre). The KDC is hosted on Windows Domain Controllers. So, you'd need to be able to contact a DC.
b) IIRC, you'd need to open port 88. Additionally, your client at home would need to locate the DC in the first place via the msadc forward lookup zone hosted on your internal network's DNS servers.
c) Because of the restrictions required to get Kerberos working, IE doesn't even attempt Kerberos authentication for sites in the Internet zone.
d) A much more secure way of doing this (if you really want to use Kerberos) would be to VPN into your network from home, and then access the server the same way you do at the office.
Cheers
Ken
"Joe" <joe@xxxxxxx> wrote in message
news:%23weXsHoNGHA.2124@xxxxxxxxxxxxxxxxxxxxxxx
: As a follow up...
:
: I downloaded the Wfetch utility. When I ran this and forced the Kerberos Authentication I got an error:
: 0x80090311 (No authority could be contacted for authentication.): Unable to InitializeSecurityContext
:
: Leads me to believe that Kerberos needs to talk to the AD controller to get the ticket???
: What would I have to open up to make this happen and where would I tell IE to be able to find my domain controller?
:
: "Joe" <joe@xxxxxxx> wrote in message
: news:%23uu$QCoNGHA.456@xxxxxxxxxxxxxxxxxxxxxxx
: > I have a website using Windows Authentication and Delegation to access a backend SQL Server.
: >
: > Everything works when I am on the LAN. When I try to access the website from home I get the Login failed for User NULL...
: >
: > I am using the same name to access when I am on the LAN as when I am at home and it resolves to the same IP address.
: > http://server.domain.com
: > I have put this into my trusted sites in IE (I have also tried Local Intranet).
: > I can see in the event log on the web server that when I am at home it is using NTLM authentication whereas when I am on the network it is using Kerberos.
: > I added the SPN for the FQDN with this:
: > setspn -A http/sever.domain.com NtDomain\ServerName
: > (not sure if that is required)
: > IIS is running under the local system account
: > I have delegation set to Trust this computer for delegation to any service (Kerberos only)
: > The server is Windows 2003
: > IIS Security is set up for Integrated Windows Authentication
: >
: > The only differences that I can think of are (1) my computer at home is not a member of the domain and (2) I only have port 80 open when I am at home.
: >
: > Anyone know how to get this to work?
: >
:
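The thread above boils down to three prerequisites Ken lists for a browser to get a Kerberos ticket for IIS: the client must locate a KDC through the domain's DNS SRV records, reach it on TCP 88, and request a ticket for an SPN (HTTP/hostname-in-the-URL) that is actually registered on the web server's account. When any of these fails, the browser silently falls back to NTLM, and an NTLM session cannot be delegated to the backend SQL Server, which is why the server sees "Login failed for user NULL". The following script is an added example, not code from the thread or from Microsoft: it models those three checks so the office and home cases can be compared side by side. The DNS resolver and port probe are injected as callables with constructed answers (no real network access), and the SRV record name, hostnames and SPN lists are sample values assumed for illustration.

```python
"""Offline model of the prerequisites for Kerberos auth to a web server.

Added example: the resolver and port probe are injected so the checks run
against constructed answers instead of a real domain.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlparse

KDC_PORT = 88  # the port Ken says would have to be opened to the DC

# name -> [(host, port), ...]   and   (host, port) -> reachable?
SrvResolver = Callable[[str], List[Tuple[str, int]]]
PortProbe = Callable[[str, int], bool]


def kdc_srv_name(realm: str) -> str:
    """SRV record a Windows client queries to find a KDC for its realm."""
    return f"_kerberos._tcp.dc._msdcs.{realm.lower()}"


def expected_http_spn(url: str) -> str:
    """SPN the browser asks a ticket for: HTTP/<hostname typed in the URL>."""
    host = urlparse(url).hostname
    if not host:
        raise ValueError(f"no hostname in URL: {url!r}")
    return f"HTTP/{host.lower()}"


def spn_registered(required: str, registered: Iterable[str]) -> bool:
    """SPN comparison is case-insensitive, but the host part must match exactly."""
    return required.lower() in {s.lower() for s in registered}


@dataclass(frozen=True)
class Finding:
    check: str
    ok: bool
    detail: str


def diagnose(url: str, realm: str, registered_spns: List[str],
             resolve_srv: SrvResolver, port_open: PortProbe) -> List[Finding]:
    """Run the three checks in the order the client would hit them."""
    findings: List[Finding] = []
    srv_name = kdc_srv_name(realm)
    kdcs = resolve_srv(srv_name)
    found = [h for h, _ in kdcs]
    findings.append(Finding("locate a KDC via DNS SRV", bool(kdcs),
                            f"{srv_name} -> {found or 'no answer'}"))
    reachable = [h for h in found if port_open(h, KDC_PORT)]
    findings.append(Finding(f"reach a KDC on TCP {KDC_PORT}", bool(reachable),
                            f"reachable: {reachable or 'none'}"))
    spn = expected_http_spn(url)
    findings.append(Finding("SPN registered for the URL hostname",
                            spn_registered(spn, registered_spns),
                            f"needs {spn}; registered: {sorted(registered_spns)}"))
    return findings


def kerberos_possible(findings: List[Finding]) -> bool:
    return all(f.ok for f in findings)


def outcome(findings: List[Finding]) -> str:
    if kerberos_possible(findings):
        return "Kerberos (delegation to SQL Server can work)"
    return "NTLM fallback (no delegation; backend sees an anonymous logon)"


# --- constructed scenarios mirroring the thread (sample values, not real hosts) ---
REALM = "NTDomain.local"
URL = "http://server.domain.com"

def office_dns(name: str) -> List[Tuple[str, int]]:
    return [("dc1.ntdomain.local", KDC_PORT)] if name == kdc_srv_name(REALM) else []

def office_port(host: str, port: int) -> bool:
    return host.endswith(".ntdomain.local") and port == KDC_PORT

def home_dns(name: str) -> List[Tuple[str, int]]:
    return []  # public DNS knows nothing about the _msdcs zone

def home_port(host: str, port: int) -> bool:
    return port == 80  # only the web port is open from home


def scenario_office() -> List[Finding]:
    return diagnose(URL, REALM, ["HTTP/server.domain.com"], office_dns, office_port)

def scenario_home() -> List[Finding]:
    return diagnose(URL, REALM, ["HTTP/server.domain.com"], home_dns, home_port)

def scenario_office_spn_typo() -> List[Finding]:
    # the SPN exactly as registered in the thread's setspn command
    return diagnose(URL, REALM, ["http/sever.domain.com"], office_dns, office_port)


if __name__ == "__main__":
    for label, fn in [("office", scenario_office), ("home", scenario_home),
                      ("office, SPN typo", scenario_office_spn_typo)]:
        findings = fn()
        print(f"== {label}: {outcome(findings)}")
        for f in findings:
            print(f"  [{'ok' if f.ok else 'FAIL'}] {f.check}: {f.detail}")
```

The home scenario fails at the first step, which matches Wfetch's "No authority could be contacted for authentication": the client never finds a KDC, so it cannot even ask for a ticket. The third scenario shows why the SPN check is worth keeping in the list: a hostname that differs from the URL by one character is a different service principal, so even with full DC connectivity the ticket request fails and the client drops to NTLM.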