Re: Delegation / IIS6 / share located on another computer



On Jun 7, 6:27 am, "J Talbot" <talbotj...@xxxxxxxxx> wrote:
Hmm no it's attempted login using NTLM - any idea on what would make it
fall back to NTLM?

Thanks

John

"Ken Schaefer" <kenREM...@xxxxxxxxxxxxxxxxxxxx> wrote in message

news:OIGd7VPqHHA.1220@xxxxxxxxxxxxxxxxxxxxxxx



Hi,

Can you look in the Security Event log of the webserver, and verify that
the client is actually authenticating using Kerberos (and not NTLM)?

http://www.adopenstatic.com/cs/blogs/ken/archive/2006/08/02/194.aspx has
screenshots of what you are looking for.

Cheers
Ken

"J Talbot" <talbotj...@xxxxxxxxx> wrote in message
news:4667cf7a$0$5362$9a6e19ea@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks Ken for your interesting articles which certainly make the process
much clearer. However, after reading through :

1) The IE client has "Enable IWA" turned on. SERVER B is in the Local
Intranet zone and I have "Automatic logon only in Intranet Zone" enabled.
2) from reading your articles I was under the impression that SPN for
IIS is correctly set if the application group is running as Network
Service - which it already is.

I have also turned Kerberos logging on for both servers but no errors are
showing in Event Viewer | System

Thanks

JT

"Ken Schaefer" <kenREM...@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:eJi0btLqHHA.4132@xxxxxxxxxxxxxxxxxxxxxxx
IIS and Kerberos Part 1 - What is Kerberos and how does it work?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/19/512.aspx

IIS and Kerberos Part 2 - What are Service Principal Names?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx

IIS and Kerberos. Part 3 - A simple scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/16/1054.aspx

IIS and Kerberos Part 4 - A simple delegation scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/27/1282.aspx

You need to verify that IE is configured correctly
You need to ensure that an SPN for CIFS is correctly set
You need to ensure that the client is using Kerberos to authenticate to
IIS (because you choose the "trust this computer to delegate to any
service" - this precludes Protocol Transition)

Cheers
Ken

"J Talbot" <talbotj...@xxxxxxxxx> wrote in message
news:4666c503$0$10210$9a6e19ea@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi

I have read a lot of articles on how to configure delegation correctly
to enable me to use IWA to gain access to an IIS site which is based on
a shared folder located on another computer in the domain but it
doesn't let me in and was wondering if someone knew why. This is a pure
2003 domain.

I have set up the following:

SERVER A (the domain controller) - has the shared folder
SERVER B has the virtual folder set up in IIS that is pointing to the
share located on another computer (i.e. \\SERVERA\share\). For the
directory security I have anonymous access off and IWA turned on. I
also have "Read" and "Directory browsing" turned on. The folder itself
has Everyone full permissions.

In Active Directory I have set Delegation for SERVER B to "Trust this
computer to delegation for any service".

However, when I go to site on SERVER B (logged in as domain admin) I am
asked for manual login - attempting to login as Domain Admin I just get
asked repeatedly until I get a 401.3 - Access denied error.

Are there any other steps I need to take for this to work?

Thanks

JT

The only reason that the client should fall back to NTLM in this
scenario is if the KDC cannot find a host account that would match
the URL.

What is the URL that is used in IE?
What is the name of the IIS server?

Dave
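
The Kerberos-versus-NTLM check discussed in this thread can also be made from the HTTP side, shown here as an added example that is not part of the thread: the Authorization header of an IWA request carries either an NTLMSSP message or a GSS-API token naming the Kerberos mechanism. Function names, client addresses and host names are constructed for illustration, and the classification is a byte-signature heuristic rather than a full SPNEGO parser.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs that appear in SPNEGO / GSS-API tokens.
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2


def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm' or 'unknown' for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        blob = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    # NTLM is sent either raw or wrapped in SPNEGO; both carry this signature.
    if NTLMSSP_SIG in blob:
        return "ntlm"
    # A GSS-API initial token starts with 0x60 and names the Kerberos mechanism.
    if blob[:1] == b"\x60" and (OID_KRB5 in blob or OID_MS_KRB5 in blob):
        return "kerberos"
    return "unknown"


def ntlm_fallback_clients(records):
    """Given (client, url_host, header) tuples, list clients that sent NTLM."""
    return sorted({c for c, _, h in records if classify_authorization(h) == "ntlm"})


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed samples (not captured traffic): an NTLM Type 1 skeleton and a
# stand-in SPNEGO header that only carries the mechanism OIDs, not a real ticket.
SAMPLE_NTLM = "Negotiate " + _b64(NTLMSSP_SIG + (1).to_bytes(4, "little") + bytes(24))
SAMPLE_KRB = "Negotiate " + _b64(
    b"\x60\x40" + OID_SPNEGO + b"\xa0\x30" + OID_MS_KRB5 + OID_KRB5 + bytes(32))
SAMPLE_RECORDS = [
    ("10.0.0.21", "serverb", SAMPLE_KRB),
    ("10.0.0.22", "www.intranet.example", SAMPLE_NTLM),
    ("10.0.0.23", "serverb", "Basic dXNlcjpwdw=="),
]

if __name__ == "__main__":
    for client, host, header in SAMPLE_RECORDS:
        print(client, host, classify_authorization(header))
    print("NTLM fallback:", ntlm_fallback_clients(SAMPLE_RECORDS))
```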
