Re: iis problems with some xp clients - kerberos issue?



Just giving some non-obvious food for thought...


For some users/machines, they unfortunately end up with LARGE Kerberos
tickets -- this is totally normal and is a function of many things,
including how many groups they are in as well as number of domains.

The difference in Kerberos ticket size has been known to cause some
users/machines to fail with Kerberos while everything is perfectly
configured. One reason is that IIS has a limit on request header size,
which is where the Kerberos tickets are passed - and I don't know what your
server is configured to. It is 128KB by default on IIS5/W2K, but security
lockdown can shrink it to 16KB, at which point Kerberos tickets can start
getting rejected.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

<mahalie@xxxxxxxxx> wrote in message
news:1153526771.259662.173920@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I'm the web dev for a 200-person company; everything herein is in our
corporate domain.

We use Kerberos authentication - the domain controller is a win2k
server.

In short, I have an Intranet server (win2k) hosting a .net 2 application
and a test server (win2k) hosting a classic asp page. Both access SQL
data on a different server.

Delegation is enabled for all domain users. I have "impersonate=true"
on my .net app and directories on both servers are set to use only
Windows Integrated Authentication.

Internet Explorer settings on the client are set to recognize all the
involved servers and use proper settings, windows auth is enabled,
auto logon, etc.

And both apps work for about 80% of our users. But the authentication
isn't being passed from IE to the server to SQL as expected for the
rest, resulting in SQL errors. Our clients are all on XP. At first we
thought it was their profiles. But it's the client. The apps don't
work for anyone logged on to those clients that aren't passing
authentication. And for those staff who have no problems, anyone can
log on and will have no problems / vice versa.

Then we thought it might be a hotfix/security update. Our sysadmin
ghosted an old image and the apps worked (authentication was passed to
sql), then he applied all of the updates and set up as he normally would
for a new user and...it still worked.

We're not sure where to look...AD/profiles don't seem to be the
culprit, IE settings have been mimicked on working machines and
therefore seem ok, IIS/SQL is behaving normally and it works for all
users, just not all machines.

Does anyone have any idea what could be going on? Also, I was not sure
what group to post this on...it's security/networking/sql/iis or is
there a group for general MS mysteries?

I could post IIS logs, asp errors, sql errors, etc. Please let me know
what information would help in diagnosing this.
