Re: Windows Integrated Authentication and Kerberos



Hi, Ken.

Thanks for your answer. I just forgot to mention that: yes, the server is
listed in the "Intranet Zone", and the Intranet Zone has the option to automatically
send the username and password to sites in the zone.

Well, I tried to capture packets using Ethereal. And the findings are that
the client doesn't even consider using Kerberos. It uses NEGOTIATE, falls
back to NTLM. And during that it does not contact KDC for service ticket.
Does anyone know how to address that?

Best Regards,
Andrey Nepomnyaschih


"Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:ezPUjiBbHHA.4000@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

a) IE will only attempt Kerberos authentication if the site is in the
Intranet security zone. If you are accessing the site as
http://www.somesite.tld then this is not in the Intranet security zone by
default.

b) Ensure that you don't have duplicate SPNs (same SPN registered under
multiple accounts in AD). That will cause Kerberos Auth to fail.

Cheers
Ken


"Andrey Nepomnyaschih" <nas@xxxxxxxxx> wrote in message
news:uC0O9b7aHHA.2064@xxxxxxxxxxxxxxxxxxxxxxx
Hello,

I'm having problems with setting up the Kerberos Authentication. No
matter what I do, the client always tries to use NTLM package.

Well, I have an IIS server on a member server. The Default Web Site has
only the "Integrated Windows authentication" box checked. The Internet
Explorer, has "Enable Integrated Windows Authentication" option enabled,
but when I try to access the page on this site the client is being
authenticated using NTLM.

Ok, this is what I have done so far.
- The computer account for the member server has the "Trust this computer
for delegation to any service (Kerberos only)" option enabled in Active
Directory.
- It doesn't matter whether application pool runs under NETWORK SERVICE
account, or under a correctly configured domain account.
By correctly configured domain account I mean, an account which has
"Trust this computer for delegation to any service (Kerberos only)"
option enabled in Active Directory and has SPN records set up like
this:

setspn -A http/host DOMAIN\ACCOUNT
setspn -A http/host.domain.tld DOMAIN\ACCOUNT

- I removed the NTLM from the list by running cscript adsutil.vbs set
w3svc/WebSite/root/NTAuthenticationProviders "Negotiate".

But whenever I try to access the page, the Security log shows the
following message:

Successful Network Logon:
User Name: nas
Domain: DOMAIN
Logon ID: (0x0,0x2F4638)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: IT-NAS-W571A
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.1.196
Source Port: 1996

Does anyone have a clue why it can happen?

Have a good time
Andrey Nepomnyaschih
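The two checks the thread circles around are (a) whether the http/ SPNs are registered exactly once and on the right account, and (b) what authentication package the server actually accepted. The script below is an added example, not code from the thread or from Microsoft; it assumes a domain-joined Windows host with PowerShell 3.0 or later, uses only System.DirectoryServices and Get-WinEvent, and uses the placeholder name host.domain.tld for the IIS server. Event ID 4624 is the Vista/2008+ equivalent of the "Successful Network Logon" (540) entry quoted above.

```powershell
# Added example (not part of the thread). Assumes a domain-joined host,
# PowerShell 3.0+, and that 'host.domain.tld' stands in for the IIS server.

function Find-SpnOwners {
    # Return every AD account that carries each SPN. More than one owner for
    # the same SPN is the duplicate-SPN condition Ken describes; zero owners
    # means the KDC cannot issue a ticket for that name at all.
    param([string[]]$Spn)

    $rootDse  = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    # Use "GC://" instead of "LDAP://" here to search the whole forest.
    $searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
    $searcher.PageSize   = 1000
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')

    foreach ($s in $Spn) {
        $searcher.Filter = "(servicePrincipalName=$s)"
        $owners = @($searcher.FindAll() |
            ForEach-Object { [string]$_.Properties['samaccountname'][0] })
        [pscustomobject]@{
            SPN       = $s
            Owners    = ($owners -join ', ')
            Duplicate = ($owners.Count -gt 1)
            Missing   = ($owners.Count -eq 0)
        }
    }
}

function Get-NetworkLogonPackages {
    # Summarise recent network (logon type 3) logons by authentication
    # package, read from the EventData of each 4624 event. Run elevated on
    # the IIS server; 'Kerberos' vs 'NTLM' is the field the thread is about.
    param([int]$MaxEvents = 200)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                 -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['LogonType'] -eq '3') {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                    Package = $data['AuthenticationPackageName']   # 'Kerberos' or 'NTLM'
                    Source  = $data['IpAddress']
                }
            }
        }
}

# --- usage (placeholder server name; adjust to the real IIS host) ---
$server = 'host.domain.tld'
$short  = $server.Split('.')[0]

# Every SPN the client may ask for: short name and FQDN, as in the setspn lines above.
Find-SpnOwners -Spn @("http/$short", "http/$server") | Format-Table -AutoSize

# Count how many recent network logons came in over Kerberos vs NTLM.
Get-NetworkLogonPackages | Group-Object Package |
    Select-Object Name, Count | Format-Table -AutoSize
```

Two things to keep in mind when reading the output. The SPN must live on the account the application pool actually runs as: with NETWORK SERVICE that is the server's computer account, whose HOST/ SPNs already cover HTTP, whereas a domain account needs the explicit http/ entries; registering them on both gives the duplicate that Find-SpnOwners flags. And on the client side, running `klist` right after the request shows whether a ticket for HTTP/host.domain.tld was ever requested; if none appears, the browser never asked the KDC, which is exactly the behaviour the Ethereal capture in the reply above shows.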



