Re: NTLM and Kerberos

You would need to open that port on your firewall.

And you would need to point your home computer at a DNS server that knows
about your work domain (i.e. your work DNS servers that contain the msadc
forward lookup zone for yourWorkDomain.local).

As you can see, there are a few difficulties doing this over the internet.
Hence my suggestion of using a VPN to connect into the work network, and
your VPN connection would pick up the necessary settings. Windows Server has
RRAS (Routing and Remote Access Server) which can act as a VPN endpoint if
you don't have a physical device that supports VPN.

Cheers
Ken

"Joe" <joe@xxxxxxx> wrote in message
news:OnrbDaoNGHA.2624@xxxxxxxxxxxxxxxxxxxxxxx
: Thanks for your quick response!
:
: I would have to open port 88 to my Domain Controller?
: How would IE know which server is the Domain Controller (my home computer is
: not on the domain) - I get the msadc DNS lookup, I'm going to
: server.domain.com where my domain is NTDomain.local - my domain controller
: does not know anything about domain.com.
:
:
:
:
: "Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx> wrote in message
: news:OXyC5NoNGHA.3936@xxxxxxxxxxxxxxxxxxxxxxx
: > Hi,
: >
: > a) Kerberos requires the user to obtain a Kerberos Service Ticket for the
: > remote service (namely IIS). This is obtained from the KDC (Key Distribution
: > Centre). The KDC is hosted on Windows Domain Controllers. So, you'd need to
: > be able to contact a DC
: >
: > b) IIRC, you'd need to open port 88. Additionally, your client at home would
: > need to locate the DC in the first place via the msadc forward lookup zone
: > hosted on your internal network's DNS servers
: >
: > c) Because of the restrictions required to get Kerberos working, IE doesn't
: > even attempt Kerberos authentication for sites in the Internet zone.
: >
: > d) A much more secure way of doing this (if you really want to use Kerberos)
: > would be to VPN into your network from home, and then access the
: > server the same way you do at the office
: >
: > Cheers
: > Ken
: >
: >
: >
: > "Joe" <joe@xxxxxxx> wrote in message
: > news:%23weXsHoNGHA.2124@xxxxxxxxxxxxxxxxxxxxxxx
: > : As a follow up...
: > :
: > : I downloaded the Wfetch utility. When I ran this and forced the Kerberos
: > : Authentication I got an error:
: > : 0x80090311 (No authority could be contacted for authentication.): Unable to
: > : InitializeSecurityContext
: > :
: > : Leads me to believe that Kerberos needs to talk to the AD controller to get
: > : the ticket???
: > : What would I have to open up to make this happen and where would I tell IE
: > : to be able to find my domain controller?
: > :
: > :
: > :
: > : "Joe" <joe@xxxxxxx> wrote in message
: > : news:%23uu$QCoNGHA.456@xxxxxxxxxxxxxxxxxxxxxxx
: > : >I have a website using Windows Authentication and Delegation to access a
: > : >backend SQL Server.
: > : >
: > : > Everything works when I am on the LAN. When I try to access the website
: > : > from home I get the Login failed for User NULL...
: > : >
: > : > I am using the same name to access when I am on the LAN as when I am at
: > : > home and it resolves to the same IP address.
: > : > http://server.domain.com
: > : > I have put this into my trusted sites in IE (I have also tried Local
: > : > Intranet).
: > : > I can see in the event log on the web server that when I am at home it is
: > : > using NTLM authentication whereas when I am on the network it is using
: > : > Kerberos.
: > : > I added the SPN for the FQDN with this:
: > : > setspn -A http/sever.domain.com NtDomain\ServerName
: > : > (not sure if that is required)
: > : > IIS is running under the local system account
: > : > I have delegation set to Trust this computer for delegation to any service
: > : > (Kerberos only)
: > : > The server is Windows 2003
: > : > IIS Security is set up for Integrated Windows Authentication
: > : >
: > : >
: > : > The only differences that I can think of are (1) my computer at home is
: > : > not a member of the domain and (2) I only have port 80 open when I am at
: > : > home.
: > : >
: > : > Anyone know how to get this to work?
: > : >
: > :
: > :
: >
: >
:
:
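The thread turns on one diagnostic: the web server's event log says the LAN client negotiated Kerberos while the home client fell back to NTLM. The same distinction can be read directly off the Authorization header a client sends, which is useful when reviewing captured request headers from a reverse proxy or a test harness like Wfetch. The script below is an added example for this thread, not code from any of the posters or from Microsoft; it classifies an Authorization value as Kerberos, NTLM, unknown or none by checking the GSS-API/SPNEGO framing (RFC 4178 NegTokenInit, RFC 4121 Kerberos token, the NTLMSSP signature). The sample requests, the client labels, the placeholder AP-REQ bytes and the placeholder NTLM Type 1 message are all constructed for the example; only the token framing is real.

```python
"""Tell Kerberos from NTLM by inspecting the Authorization header a client sent.
Added example, not code from the thread; all sample tokens below are constructed."""
import base64

# DER-encoded OBJECT IDENTIFIERs that appear inside GSS-API / SPNEGO tokens
OID_SPNEGO = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2 (legacy MS Kerberos)
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                       # start of every raw NTLM message


def der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """One DER TLV."""
    return bytes([tag]) + der_len(len(content)) + content


def der_header_len(buf):
    """Bytes occupied by the tag and length at the start of buf."""
    if len(buf) < 2:
        raise ValueError("truncated DER")
    return 2 if buf[1] < 0x80 else 2 + (buf[1] & 0x7F)


def kerberos_mech_token(ap_req_der):
    """GSS-API framing of a Kerberos AP-REQ (RFC 4121 section 4.1)."""
    return der(0x60, OID_KRB5 + b"\x01\x00" + ap_req_der)


def build_spnego_init(mech_oids, mech_token):
    """SPNEGO NegTokenInit (RFC 4178): mechTypes in preference order plus the
    mechToken for the first listed mechanism."""
    mech_types = der(0x30, b"".join(mech_oids))
    body = der(0xA0, mech_types) + der(0xA2, der(0x04, mech_token))
    return der(0x60, OID_SPNEGO + der(0xA0, der(0x30, body)))


def make_negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def classify_authorization(header):
    """Return 'kerberos', 'ntlm', 'unknown' or 'none' for one Authorization value."""
    if not header:
        return "none"
    scheme, _, b64 = header.partition(" ")
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:              # binascii.Error is a ValueError subclass
        return "unknown"
    if scheme.lower() == "ntlm" or token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"               # raw NTLMSSP, whether sent as NTLM or under Negotiate
    if scheme.lower() != "negotiate" or not token.startswith(b"\x60"):
        return "unknown"
    try:
        payload = token[der_header_len(token):]
    except ValueError:
        return "unknown"
    if payload.startswith(OID_KRB5) or payload.startswith(OID_MS_KRB5):
        return "kerberos"           # bare Kerberos GSS token, no SPNEGO wrapper
    if not payload.startswith(OID_SPNEGO):
        return "unknown"
    # Inside NegTokenInit the first OID in mechTypes is the mechanism the
    # mechToken belongs to, so the earliest occurrence decides.
    rest = payload[len(OID_SPNEGO):]
    earliest = {}
    for name, oid in (("kerberos", OID_KRB5), ("kerberos", OID_MS_KRB5), ("ntlm", OID_NTLMSSP)):
        pos = rest.find(oid)
        if pos != -1 and pos < earliest.get(name, len(rest)):
            earliest[name] = pos
    return min(earliest, key=earliest.get) if earliest else "unknown"


def audit(requests):
    """Map each client label to the mechanism its Authorization header carried."""
    return {client: classify_authorization(auth) for client, auth in requests}


# Constructed sample requests (placeholder bytes stand in for a real AP-REQ and
# a real NTLM Type 1 message; only the framing matters for classification).
FAKE_AP_REQ = der(0x6E, b"\x00placeholder-ap-req")
FAKE_NTLM_TYPE1 = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16
SAMPLE_REQUESTS = [
    ("lan-workstation", make_negotiate_header(
        build_spnego_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], kerberos_mech_token(FAKE_AP_REQ)))),
    ("home-pc", make_negotiate_header(FAKE_NTLM_TYPE1)),
    ("home-pc-spnego", make_negotiate_header(build_spnego_init([OID_NTLMSSP], FAKE_NTLM_TYPE1))),
    ("anonymous-probe", ""),
]

if __name__ == "__main__":
    for client, mech in audit(SAMPLE_REQUESTS).items():
        print(f"{client:16} {mech}")
```

The "home-pc" and "home-pc-spnego" cases are the two shapes a non-domain client produces when it cannot reach a KDC: raw NTLMSSP under the Negotiate scheme, or a NegTokenInit whose first mechType is NTLMSSP. Seeing either from a client that should be doing Kerberos points straight at the KDC reachability and DNS locator problems Ken describes, rather than at the SPN or delegation settings on the server.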