Re: iis problems with some xp clients - kerberos issue?



I think we need to verify exactly where the process is failing.

For example: is the browser even attempting Kerberos Authentication? Or is
the webserver failing to get a service ticket for the SQL Server, etc.?

Check that the site is in IE's Intranet zone (IE doesn't attempt to Kerberos
AuthN to sites in the internet zone - it will use NTLM instead).

Then I would get packet captures (using www.ethereal.com) of traffic from
client -> webserver and webserver -> domain controller and webserver -> SQL
server.

Additionally, you can enable Kerberos logging on the webserver to see if
there are any Kerberos-related issues (the events get logged to the Windows
event log).

Cheers
Ken


<mahalie@xxxxxxxxx> wrote in message
news:1153526771.259662.173920@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I'm the web dev for a 200 person company, everything herein is in our
corporate domain.

We use Kerberos authentication - the domain controller is a win2k
server.

In short I have an Intranet server (win2k) hosting a .net 2 application
and a test server (win2k) hosting a classic asp page. Both access SQL
data on a different server.

Delegation is enabled for all domain users. I have "impersonate=true"
on my .net app and directories on both servers are set to use only
Windows Integrated Authentication.

Internet Explorer settings on the client are set to recognize all the
involved servers and use proper settings, windows auth is enabled,
auto logon, etc.

And both apps work for about 80% of our users. But the authentication
isn't being passed from IE to the server to SQL as expected for the
rest, resulting in SQL errors. Our clients are all on XP. At first we
thought it was their profiles. But it's the client. The apps don't
work for anyone logged on those clients that aren't passing
authentication. And for those staff who have no problems, anyone can
log on and will have no problems / vice versa.

Then we thought it might be a hotfix/security update. Our sysadmin
ghosted an old image and the apps worked (authentication was passed to
sql), then he applied all of the updates and set up he normally would
for a new user and...it still worked.

We're not sure where to look...AD/profiles don't seem to be the
culprit, IE settings have been mimicked on working machines and
therefore seem ok, IIS/SQL is behaving normally and it works for all
users, just not all machines.

Does anyone have any idea what could be going on? Also, I was not sure
what group to post this on...it's security/networking/sql/iis or is
there a group for general MS mysteries?

I could post IIS logs, asp errors, sql errors, etc. Please let me know
what information would help in diagnosing this.
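
Added example, not part of the original thread: the first question in the reply above (is the browser even attempting Kerberos?) can be answered from the `Authorization` header seen in a client -> webserver capture. This sketch classifies the header's token as Kerberos or NTLM; the client names and token bytes are constructed samples, and the function names are hypothetical.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"  # signature at the start of every NTLM message
# DER-encoded mechanism OIDs found inside a GSS-API/SPNEGO Kerberos token
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2 (Kerberos V5)
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2 (MS Kerberos)
)
SPNEGO_OID = bytes.fromhex("06062b0601050502")  # 1.3.6.1.5.5.2


def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm' or 'unknown' for an HTTP Authorization value."""
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        token = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    # NTLM can arrive raw or wrapped in SPNEGO; both contain the signature.
    if NTLMSSP_SIG in token:
        return "ntlm"
    # 0x60 is the GSS-API InitialContextToken tag; a Kerberos OID must follow.
    if token[:1] == b"\x60" and any(oid in token for oid in KRB5_OIDS):
        return "kerberos"
    return "unknown"


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed samples (not captured traffic); token bodies are filler bytes.
SAMPLES = {
    "xp-client-01": "Negotiate "
    + _b64(b"\x60\x40" + SPNEGO_OID + KRB5_OIDS[0] + b"\x00" * 45),
    "xp-client-02": "Negotiate " + _b64(NTLMSSP_SIG + b"\x01\x00\x00\x00" + b"\x00" * 28),
    "xp-client-03": "NTLM " + _b64(NTLMSSP_SIG + b"\x01\x00\x00\x00" + b"\x00" * 28),
}


def clients_not_using_kerberos(samples):
    """List clients whose header did not carry a Kerberos token."""
    return sorted(c for c, h in samples.items() if classify_authorization(h) != "kerberos")


if __name__ == "__main__":
    for client, header in SAMPLES.items():
        print(client, classify_authorization(header))
```

A token that begins `TlRMTVNT` in base64 is NTLM even under the `Negotiate` scheme; on such a client the fallback has already happened before the request reaches IIS.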


