Re: NTLM and Kerberos



You would need to open that port on your firewall.

And you would need to point your home computer at a DNS server that knows
about your work domain (i.e. your work DNS servers that contain the msadc
forward lookup zone for yourWorkDomain.local).

As you can see, there are a few difficulties doing this over the internet.
Hence my suggestion of using a VPN to connect into the work network, and
your VPN connection would pick up the necessary settings. Windows Server has
RRAS (Routing and Remote Access Server) which can act as a VPN endpoint if
you don't have a physical device that supports VPN.

Cheers
Ken

"Joe" <joe@xxxxxxx> wrote in message
news:OnrbDaoNGHA.2624@xxxxxxxxxxxxxxxxxxxxxxx
: Thanks for your quick response!
:
: I would have to open port 88 to my Domain Controller?
: How would IE know which server is the Domain Controller (my home computer
: is not on the domain)? I get the msadc DNS lookup; I'm going to
: server.domain.com where my domain is NTDomain.local. My domain controller
: does not know anything about domain.com.
:
: "Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx> wrote in message
: news:OXyC5NoNGHA.3936@xxxxxxxxxxxxxxxxxxxxxxx
: > Hi,
: >
: > a) Kerberos requires the user to obtain a Kerberos Service Ticket for
: > the remote service (namely IIS). This is obtained from the KDC (Key
: > Distribution Centre). The KDC is hosted on Windows Domain Controllers.
: > So, you'd need to be able to contact a DC.
: >
: > b) IIRC, you'd need to open port 88. Additionally, your client at home
: > would need to locate the DC in the first place via the msadc forward
: > lookup zone hosted on your internal network's DNS servers.
: >
: > c) Because of the restrictions required to get Kerberos working, IE
: > doesn't even attempt Kerberos authentication for sites in the Internet
: > zone.
: >
: > d) A much more secure way of doing this (if you really want to use
: > Kerberos) would be to VPN into your network from home, and then access
: > the server the same way you do at the office.
: >
: > Cheers
: > Ken
: >
: > "Joe" <joe@xxxxxxx> wrote in message
: > news:%23weXsHoNGHA.2124@xxxxxxxxxxxxxxxxxxxxxxx
: > : As a follow up...
: > :
: > : I downloaded the Wfetch utility. When I ran this and forced the
: > : Kerberos Authentication I got an error:
: > : 0x80090311 (No authority could be contacted for authentication.):
: > : Unable to InitializeSecurityContext
: > :
: > : Leads me to believe that Kerberos needs to talk to the AD controller
: > : to get the ticket???
: > : What would I have to open up to make this happen and where would I
: > : tell IE to be able to find my domain controller?
: > :
: > : "Joe" <joe@xxxxxxx> wrote in message
: > : news:%23uu$QCoNGHA.456@xxxxxxxxxxxxxxxxxxxxxxx
: > : > I have a website using Windows Authentication and Delegation to
: > : > access a backend SQL Server.
: > : >
: > : > Everything works when I am on the LAN. When I try to access the
: > : > website from home I get the Login failed for User NULL...
: > : >
: > : > I am using the same name to access when I am on the LAN as when I am
: > : > at home, and it resolves to the same IP address.
: > : > http://server.domain.com
: > : > I have put this into my trusted sites in IE (I have also tried Local
: > : > Intranet).
: > : > I can see in the event log on the web server that when I am at home
: > : > it is using NTLM authentication, whereas when I am on the network it
: > : > is using Kerberos.
: > : > I added the SPN for the FQDN with this:
: > : > setspn -A http/sever.domain.com NtDomain\ServerName
: > : > (not sure if that is required)
: > : > IIS is running under the local system account
: > : > I have delegation set to Trust this computer for delegation to any
: > : > service (Kerberos only)
: > : > The server is Windows 2003
: > : > IIS Security is set up for Integrated Windows Authentication
: > : >
: > : > The only differences that I can think of are (1) my computer at home
: > : > is not a member of the domain and (2) I only have port 80 open when I
: > : > am at home.
: > : >
: > : > Anyone know how to get this to work?
: > : >
: > :
: >
:
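The two preconditions Ken lists for Kerberos from outside the LAN (locating a DC through the DC-locator SRV records in the domain's `_msdcs` zone, and reaching it on port 88) can be checked from any client. The script below is an added example, not code from the thread or from Microsoft: it builds and parses a DNS SRV query for `_kerberos._tcp.dc._msdcs.<domain>` with only the standard library, then tests TCP/88 against the returned KDCs. The domain `corp.example`, the resolver address and the host names are placeholders, and the offline demo feeds the parser a constructed reply rather than a live answer.

```python
"""Added example (not from the thread): can this client locate a KDC?
Placeholders: corp.example, dc1/dc2.corp.example, the resolver 10.0.0.1."""
import socket
import struct

SRV, IN = 33, 1  # DNS RR type SRV, class IN


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def kdc_srv_name(domain: str) -> str:
    """DC-locator record a Windows client queries to find a KDC in `domain`."""
    return f"_kerberos._tcp.dc._msdcs.{domain}"


def build_srv_query(name: str, txid: int = 0x4B4B) -> bytes:
    """Standard query, recursion desired, one SRV question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", SRV, IN)


def build_srv_response(query: bytes, records, rcode: int = 0) -> bytes:
    """Constructed reply to `query` (stands in for a live resolver here).
    `records` is a list of (priority, weight, port, target) tuples."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(records), 0, 0)
    answers = b""
    for prio, weight, port, target in records:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", SRV, IN, 600, len(rdata)) + rdata
    return header + query[12:] + answers


def _read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # pointer: follow it, resume after its 2 bytes
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode())
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_srv_response(msg: bytes):
    """Return (rcode, SRV records sorted by priority, then descending weight)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = _read_name(msg, offset)
        offset += 4  # skip qtype/qclass
    records = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", msg[offset:offset + 6])
            target, _ = _read_name(msg, offset + 6)
            records.append({"priority": prio, "weight": weight, "port": port, "target": target})
        offset += rdlen
    return flags & 0xF, sorted(records, key=lambda r: (r["priority"], -r["weight"]))


def locate_kdc(domain: str, resolver: str, timeout: float = 2.0):
    """Live lookup against `resolver` (UDP/53); returns (rcode, records)."""
    query = build_srv_query(kdc_srv_name(domain))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        reply, _ = s.recvfrom(4096)
    return parse_srv_response(reply)


def port_open(host: str, port: int = 88, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port succeeds (the firewall question)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def explain(rcode: int, records) -> str:
    """Map a lookup result onto the symptom the thread describes."""
    if rcode != 0 or not records:
        return "no KDC located: client will fall back to NTLM (no delegation)"
    return "KDC candidates: " + ", ".join(f"{r['target']}:{r['port']}" for r in records)


if __name__ == "__main__":
    q = build_srv_query(kdc_srv_name("corp.example"))
    # Constructed answer an internal DNS server would give for the placeholder domain
    internal = build_srv_response(q, [(0, 100, 88, "dc1.corp.example"), (0, 50, 88, "dc2.corp.example")])
    print(explain(*parse_srv_response(internal)))
    # Constructed NXDOMAIN, which is what a home ISP resolver returns for a private zone
    print(explain(*parse_srv_response(build_srv_response(q, [], rcode=3))))
    # Live use from a home client: print(explain(*locate_kdc("corp.example", "10.0.0.1")))
```

Run from a home machine using its normal resolver, `locate_kdc` returns NXDOMAIN for a private `.local` zone, which is the first reason the browser never tries Kerberos; over a VPN that pushes the internal DNS servers, the same call returns the DC list and `port_open` then answers the port 88 question.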




