Re: Windows Integrated Authentication and Kerberos

Hi,

a) IE will only attempt Kerberos authentication if the site is in the Intranet security zone. If you are accessing the site as http://www.somesite.tld then this is not in the Intranet security zone by default

b) Ensure that you don't have duplicate SPNs (same SPN registered under multiple accounts in AD). That will cause Kerberos Auth to fail.

Cheers
Ken


"Andrey Nepomnyaschih" <nas@xxxxxxxxx> wrote in message news:uC0O9b7aHHA.2064@xxxxxxxxxxxxxxxxxxxxxxx
Hello,

I'm having problems with setting up the Kerberos Authentication. No matter what I do, the client always tries to use NTLM package.

Well, I have a IIS Server on a member server. The Default Web Site, has only the "Integrated Windows authentication" box checked. The Internet Explorer, has "Enable Integrated Windows Authentication" option enabled, but when I try to access the page on this site the client is being authenticated using NTLM.

Ok, the what I have done so far.
- The computer account for the member server has the "Trust this computer for delegation to any service (Kerberos only)" option enabled in Active Directory.
- It doesn't matter whether application pool runs under NETWORK SERVICE account, or under a correcltly configured domain account.
By correctly configured domain account I mean, an account which has "Trust this computer for delegation to any service (Kerberos only)" option enabled in Active Directory and has an SPN records setup like this:

setspn -A http/host DOMAIN\ACCOUNT
setspn -A http/host.domain.tld DOMAIN\ACCOUNT

- I removed the NTLM from the list by running cscript adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "Negotiate".

But whenever I try to access to page the Security log, shows the following message:

Successful Network Logon:
User Name: nas
Domain: DOMAIN
Logon ID: (0x0,0x2F4638)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: IT-NAS-W571A
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.1.196
Source Port: 1996

Does anyone have a clue why it can happen?

Have a good time
Andrey Nepomnyaschih


.

Relevant Pages

  • Re: Kerberos machine authentication - apparent authentication fail
    ... until a user logon event. ... the Netdiag utility will show the Kerberos error in this scenario ... On these machines I ... me a plausible starting point to solve my Kerberos authentication problem. ...
    (microsoft.public.windows.server.security)
  • Re: Kerberos machine authentication - apparent authentication fail
    ... Subsequent Netdiag attempts after a reboot show the failed Kerberos ... >>> mean that kerberos authentication is not being used. ... >>> computer for logon events and the domain controller for account logon ...
    (microsoft.public.windows.server.security)
  • Re: Integrated Authentication with SQL
    ... On the IIS level there is no trouble authenticating with kerberos. ... problem is in when I try to flow those credentials over to the SQL server. ... Successful Network Logon: ... Authentication Package: Kerberos ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Kerberos machine authentication - apparent authentication fail
    ... Kerberos result when I hardwired a laptop to a switch port. ... to authenticate with K on reboot AND authentication appears to take place ... > denied access until you can authenticate to a domain controller as a user. ... > You should have logging of account logon events enabled in Domain Controller ...
    (microsoft.public.windows.server.security)
  • Re: AD Last User Logon Question
    ... authentication against an Exchange server to read ... > mode you are not replicating the attribute and thus the times on the DCs ... > the times that they were used by the user account to authenticate, ... Last logon is not a replicated attribute, ...
    (microsoft.public.windows.server.active_directory)
Loading