Re: IIS7 with multiple web sites - Windows Auth only working on localhost



Thank you for the information. I confirmed that indeed NTLM works but
Kerberos is not working. Keeping in mind that the web sites are all on
the same Vista client that is running the IE7 browser (the Vista client is
running IIS7 with multiple web sites). Here is the result of a trace using
Kerberos:
started....
WWWConnect::Connect("inside","80")\n
IP = "192.168.0.21:80"\n
source port: 49946\r\n
ISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE set\n
0x80090303 (The specified target is unknown or unreachable):
Unable to InitializeSecurityContext
WWWConnect::Close("inside","80")\n
closed source port: 49946\r\n
finished.

I ran cscript adsutil.vbs get w3svc/root/NTAuthenticationProviders and
confirmed that Negotiate,NTLM were enabled.
I then ran cscript adsutil.vbs set w3svc/root/NTAuthenticationProviders
"NTLM" to force NTLM only. I changed IE back to use integrated authentication.
And IE authentication works correctly. I ran cscript adsutil.vbs set
w3svc/root/NTAuthenticationProviders "Negotiate,NTLM"....and confirmed again
that IE authentication does not work unless I turn off integrated
authentication.

So this seems to indicate Kerberos is not working on Vista (between IIS and
IE both on the same Vista client) when using the non-routable ip addresses.
Any thoughts as to why?

Brad


""WenJun Zhang[msft]"" <wjzhang@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:nmDAgepHHHA.2304@xxxxxxxxxxxxxxxxxxxxxxxxx
Hi Brad,

Your findings indicate the problem isn't on the IIS server itself.
When disabling 'enable integrated windows authentication' option in IE, it
doesn't mean integrated auth is turned off. The difference here is IE will
use Kerberos protocol to perform integrated auth with IIS with the option
turned on and use NTLM protocol when the option is off. Please refer to:

Internet Explorer does not support Kerberos authentication with proxy
servers
http://support.microsoft.com/kb/321728/

Therefore the symptom indicates somehow Kerberos doesn't work when you
connect to the web sites from the problematic Vista client.

You may use webfetch to trace the raw data of the HTTP request/response to turn
up more details.

HOW TO: Use Wfetch.exe to Troubleshoot HTTP Connections
http://support.microsoft.com/default.aspx?scid=kb;en-us;284285

To use, please input:

Host: (Your servername)
Port: (Your web site's TCP Port)
Path: (The relative path of a sample page. e.g: /index.htm)
Auth: (Select Kerberos and input domain, username and password)

Press Go! to issue an HTTP request to the server and check what response is
returned.

I look forward to your result.

Have a good day.

Sincerely,

WenJun Zhang

Microsoft Online Community Support
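
Added example, not part of either post: when reading the raw headers from a trace like the one suggested above, the base64 token after "Negotiate" or "NTLM" shows which protocol the client actually sent. The sketch below assumes the headers are available as plain text, uses a substring heuristic rather than a full ASN.1 parser, and runs on constructed sample tokens; the function names are hypothetical.

```python
import base64
import struct

# DER-encoded mechanism OIDs (tag 0x06, length, value).
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
NTLM_SIG = b"NTLMSSP\x00"

def classify_token(b64_token):
    """Name the protocol carried by the token of a Negotiate/NTLM header."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:
        return "invalid-base64"
    if raw.startswith(NTLM_SIG) and len(raw) >= 12:
        # Bytes 8..11 hold the little-endian NTLM message type (1, 2 or 3).
        return "ntlm-type%d" % struct.unpack_from("<I", raw, 8)[0]
    if raw[:1] == b"\x60":  # GSS-API initial token (SPNEGO or bare Kerberos)
        if NTLM_SIG in raw:  # SPNEGO wrapper around an NTLM message
            return "spnego-ntlm"
        if OID_KRB5 in raw or OID_MS_KRB5 in raw:
            return "kerberos"
    return "unknown"

def analyze_headers(header_text):
    """List the schemes the server offers and what each token carries."""
    offered, tokens = [], []
    for line in header_text.splitlines():
        name, _, value = line.partition(":")
        name, parts = name.strip().lower(), value.split(None, 1)
        if name not in ("www-authenticate", "authorization") or not parts:
            continue
        if parts[0].lower() not in ("negotiate", "ntlm"):
            continue
        if len(parts) == 1:
            offered.append(parts[0])  # bare challenge, no token yet
        else:
            tokens.append((name, parts[0], classify_token(parts[1].strip())))
    return {"offered": offered, "tokens": tokens}

# Constructed samples: an NTLM type 1 message and a GSS-API skeleton that
# only names the Kerberos mechanism (not a real ticket).
NTLM_TYPE1 = base64.b64encode(NTLM_SIG + struct.pack("<II", 1, 0x00088207)).decode()
KRB_SKELETON = base64.b64encode(b"\x60\x13" + OID_SPNEGO + OID_KRB5).decode()
SAMPLE = ("HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"
          "WWW-Authenticate: NTLM\r\n\r\nGET /index.htm HTTP/1.1\r\n"
          "Host: inside\r\nAuthorization: Negotiate " + NTLM_TYPE1 + "\r\n")
print(analyze_headers(SAMPLE))
```

A result of "ntlm-type1" under the Negotiate scheme means the client sent an NTLM message even though Negotiate was offered.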
