Re: iis problems with some xp clients - kerberos issue?

I think we need to verify exactly where the process is failing.

For example: is the browser even attempting Kerberos Authentication? Or is
the webserver failing to get a service ticket for the SQL Server etc.

Check that the site is in IE's Intranet zone (IE doesn't attempt to Kerberos
AuthN to sites in the internet zone - it will use NTLM instead).

Then I would get packet captures (using of traffic from
client -> webserver and webserver -> domain controller and webserver -> SQL

Additionally, you can enable Kerberos logging on the webserver to see if
there are any Kerberos-related issues (the events get logged to the Windows
event log).


<mahalie@xxxxxxxxx> wrote in message
I'm the web dev for a 200 person company, everything herein is in our
corporate domain.

We use Kerberos authentication - the domain controller is a win2k

In short I have an Intranet server (win2k) hosting a .net 2 application
and a test server (win2k) hosting a classic asp page. Both access SQL
data on different server.

Delegation is enabled for all domain users. I have "impersonate=true"
on my .net app and directories on both servers are set to use only
Windows Integrated Authentication.

Internet Explorer settings on the client are set to recognize all the
involved servers and use proper settings, windows auth is enabled,
auto logon, etc.

And both apps work for about 80% of our users. But the authentication
isn't being passed from IE to the server to SQL as expected for the
rest, resulting in SQL errors. Our clients are all on XP. At first we
thought it was their profiles. But it's the client. The apps don't
work for anyone logged on those clients that aren't passing
authentication. And for those staff who have no problems, anyone can
log on and will have no problems / vice versa.

Then we thought it might be a hotfix/security update. Our sysadmin
ghosted an old image and the apps worked (authentication was passed to
sql), then he applied all of the updates and set up he normally would
for a new user still worked.

We're not sure where to look...AD/profiles don't seem to be the
culprit, IE settings have been mimicked on working machines and
therefore seem ok, IIS/SQL is behaving normally and it works for all
users, just not all machines.

Does anyone have any idea what could be going on? Also, I was not sure
what group to post this's security/networking/sql/iis or is
there a group for general MS mysteries?

I could post IIS logs, asp errors, sql errors, etc. Please let me know
what information would help in diagnosing this.
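
Added example, not part of the thread: one way to answer the reply's first question (is the browser even attempting Kerberos?) from a client -> webserver capture is to classify the token in the HTTP Authorization header. The function name, the result labels and the sample tokens are assumptions constructed for illustration, and the Kerberos check is a byte-pattern heuristic rather than a full ASN.1 parse.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value bytes).
OID_SPNEGO = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
OID_NTLM = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP = b"NTLMSSP\x00"                              # NTLM message signature

def classify_authorization(value):
    """Classify an HTTP Authorization header value taken from a capture."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "not-integrated-auth"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "malformed-token"
    if token.startswith(NTLMSSP):
        return "ntlm"  # raw NTLM message, no SPNEGO wrapper
    if token[:1] == b"\x60" and OID_SPNEGO in token[:16]:
        # Heuristic: a Kerberos AP-REQ is GSS-framed as the krb5 OID followed
        # by token id 0x01 0x00; merely offering krb5 in mechTypes won't match.
        if OID_KRB5 + b"\x01\x00" in token:
            return "kerberos"
        if NTLMSSP in token:
            return "ntlm-in-spnego"
    return "unknown"

def der(tag, body):  # minimal DER TLV builder, short-form lengths only
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def spnego_init(mech_types, mech_token):
    """Build a constructed SPNEGO NegTokenInit carrying mech_token."""
    inner = der(0xA0, der(0x30, b"".join(mech_types)))
    inner += der(0xA2, der(0x04, mech_token))
    return der(0x60, OID_SPNEGO + der(0xA0, der(0x30, inner)))

def header(scheme, token):
    return scheme + " " + base64.b64encode(token).decode("ascii")

# Constructed samples: placeholder payloads, not a real ticket or NTLM message.
KRB = header("Negotiate", spnego_init(
    [OID_KRB5, OID_NTLM], der(0x60, OID_KRB5 + b"\x01\x00" + b"AP-REQ..")))
NTLM_WRAPPED = header("Negotiate", spnego_init(
    [OID_KRB5, OID_NTLM], NTLMSSP + b"\x01\x00\x00\x00"))
NTLM_RAW = header("Negotiate", NTLMSSP + b"\x01\x00\x00\x00")

if __name__ == "__main__":
    print([classify_authorization(h) for h in (KRB, NTLM_WRAPPED, NTLM_RAW)])
```

A result of "ntlm" or "ntlm-in-spnego" for a request from one of the failing XP clients means that browser did not send a Kerberos ticket to the webserver.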

