Re: Problem with Kerberos Delegation



Hi,

Here are some links to check:

IIS and Kerberos Part 1 - What is Kerberos and how does it work?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/19/512.aspx

IIS and Kerberos Part 2 - What are Service Principal Names?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx

IIS and Kerberos. Part 3 - A simple scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/16/1054.aspx

IIS and Kerberos Part 4 - A simple delegation scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/27/1282.aspx

Probably worth reading #3 first.

If the client is authenticating using NTLM, and not Kerberos, then the most common errors are:
a) "Use Integrated Windows Authentication" is not selected in IE (if that is not selected, then only NTLM is used)
b) The web server is not sending the WWW-Authenticate: Negotiate HTTP header; it is only sending the WWW-Authenticate: NTLM header. Verify using telnet or a packet capture tool that IIS is sending the correct header
c) IE does not see the website in the "Intranet" security zone. Kerberos auth is not attempted for sites in the "Internet" security zone. Look at the little icon at the bottom of the IE status bar to verify the security zone
d) You may have duplicate SPNs. Ensure that HTTP/servername and HTTP/servername.domain.local are not registered under any other accounts.
e) The web application pool that is hosting your SQL Server Reporting Services web site - what account is that running under? If it is Local System, Local Service or Network Service, then the relevant SPNs need to be registered under the machine account in AD. If it's running as a custom user identity then you need to move the SPNs to that custom user account in AD. You cannot use a custom local account.

Cheers
Ken
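Two of the checks in the list above can be scripted: the WWW-Authenticate header check from item b), and the duplicate or misplaced HTTP SPN check from items d) and e). The Python below is an added example and is not part of Ken's post or of any Microsoft tool. It parses a raw 401 response for the offered schemes (and can send the same unauthenticated GET over a socket that the telnet check would), and it looks for duplicate or missing HTTP SPNs in a listing shaped like `setspn -L` output. The two sample responses, the SPN listing, the `domain.local` suffix and the stale `DOMAIN\OldSvc` account are all constructed for the demonstration.

```python
import socket
from collections import defaultdict

# Constructed sample responses in the shape IIS 6 sends for Integrated Windows
# Authentication. IIS emits one WWW-Authenticate header per scheme; a server that
# offers only NTLM never gives the browser a chance to try Kerberos.
SAMPLE_NEGOTIATE_AND_NTLM = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"WWW-Authenticate: Negotiate\r\n"
    b"WWW-Authenticate: NTLM\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
SAMPLE_NTLM_ONLY = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"WWW-Authenticate: NTLM\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_www_authenticate(raw_response: bytes) -> list:
    """Return the authentication schemes offered in a raw HTTP response, in order.

    Handles one header per scheme (IIS style) and a comma-separated list. A scheme
    may be followed by a token ("Negotiate <base64>") or parameters
    ('Basic realm="x"'); only the scheme name is kept.
    """
    head = raw_response.partition(b"\r\n\r\n")[0].decode("latin-1")
    schemes = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            for part in value.split(","):
                token = part.strip().split(" ", 1)[0]
                if token and "=" not in token:   # skip 'nonce="..."' style params
                    schemes.append(token)
    return schemes


def diagnose_auth(raw_response: bytes) -> str:
    """Classify what the server's challenge lets the client attempt."""
    status_line = raw_response.split(b"\r\n", 1)[0].decode("latin-1")
    if " 401 " not in status_line:
        # No challenge at all: anonymous access is still enabled on the virtual
        # directory, so integrated authentication is never negotiated.
        return "anonymous"
    schemes = {s.lower() for s in parse_www_authenticate(raw_response)}
    if "negotiate" in schemes:
        return "negotiate"      # Kerberos can be attempted (NTLM as fallback)
    if "ntlm" in schemes:
        return "ntlm-only"      # Kerberos cannot be attempted at all
    return "none"


def probe_challenge(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> str:
    """Send an unauthenticated GET and classify the challenge (the 'telnet' check)."""
    request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
               f"Connection: close\r\n\r\n").encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return diagnose_auth(b"".join(chunks))


# Constructed listing in the shape of 'setspn -L <account>' output, one entry per
# account. DOMAIN\OldSvc is a hypothetical stale service account that still holds
# an HTTP SPN for SERVERA: the duplicate-SPN condition from item d).
SAMPLE_REGISTRATIONS = {
    r"DOMAIN\SERVERA$": ["HTTP/SERVERA", "HTTP/SERVERA.domain.local",
                         "HOST/SERVERA", "HOST/SERVERA.domain.local"],
    r"DOMAIN\SQL": ["MSSQLSvc/SERVERB:1433", "MSSQLSvc/SERVERB.domain.local:1433"],
    r"DOMAIN\OldSvc": ["http/servera.domain.local"],
}


def spn_owners(registrations: dict) -> dict:
    """Map each SPN (case-folded, as the KDC matches them) to the accounts holding it."""
    owners = defaultdict(list)
    for account, spns in registrations.items():
        for spn in spns:
            owners[spn.lower()].append(account)
    return owners


def find_duplicate_spns(registrations: dict) -> dict:
    """SPNs held by more than one account; any such SPN breaks Kerberos for that service."""
    return {spn: accts for spn, accts in spn_owners(registrations).items() if len(accts) > 1}


def check_http_spns(registrations: dict, server: str, dns_domain: str, expected_account: str) -> dict:
    """Verify HTTP/<server> and HTTP/<server>.<domain> sit on exactly the expected account.

    expected_account is the machine account (DOMAIN\\SERVER$) when the app pool runs
    as Local System / Local Service / Network Service, and the domain user account
    when the pool runs under a custom identity (item e).
    """
    owners = spn_owners(registrations)
    missing, conflicting = [], {}
    for spn in (f"HTTP/{server}", f"HTTP/{server}.{dns_domain}"):
        holders = owners.get(spn.lower(), [])
        if expected_account not in holders:
            missing.append(spn)
        others = [a for a in holders if a != expected_account]
        if others:
            conflicting[spn] = others
    return {"missing": missing, "conflicting": conflicting}


if __name__ == "__main__":
    print(diagnose_auth(SAMPLE_NTLM_ONLY))
    print(find_duplicate_spns(SAMPLE_REGISTRATIONS))
    print(check_http_spns(SAMPLE_REGISTRATIONS, "SERVERA", "domain.local", r"DOMAIN\SERVERA$"))
    # Live check against the middle tier from the thread, e.g.:
    # print(probe_challenge("servera", path="/ReportServer/"))
```

An "ntlm-only" result from `probe_challenge` points at the IIS side (on IIS 6 the metabase property NTAuthenticationProviders must include Negotiate); an "anonymous" result means anonymous access is still enabled and no integrated authentication is happening at all. Feed `find_duplicate_spns` the output of `setspn -L` for every account you suspect, since the KDC treats `HTTP/servera.domain.local` and `http/SERVERA.DOMAIN.LOCAL` as the same SPN.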


"Alex Krugor" <AlexKrugor@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:51DF2BF4-BC8F-4DA1-A8B0-847A98FB63C6@xxxxxxxxxxxxxxxx
Many thanks!
Really, the client is authenticating to the web box using NTLM (event 540). But I don't
have any error.
Why, in a native W2K3 domain, can't Kerberos be established between two W2K3 servers?
If I simply open a remote folder, I see Kerberos. Any trouble
with the HTTP SPN?

"Ken Schaefer" wrote:

Hi,

a) enable security audit logging for logon successes on your web box. Ensure
that the clients are actually authenticating using Kerberos to your web box.
If they are not, then no delegation is possible.

b) See http://support.microsoft.com/?id=262177 to enable Kerberos event logging
on your servers, in case there is an underlying issue with Kerberos

c) Ensure that "Use Windows Integrated Authentication (requires a restart)"
is enabled on your clients, and that the client can contact a KDC.

Cheers
Ken

"Alex Krugor" <AlexKrugor@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AFCF3AD2-3233-4DD2-BA29-9C31D95A05EF@xxxxxxxxxxxxxxxx
> I have:
> 1. W2K3 Native Domain
> 2. Client W2K3 SP2
> 3. Server A - W2K3 SP2, IIS, SQL Server Reporting Services under Local System
> 4. For Server A - HTTP/SERVERA.DOMAIN; HTTP/SERVERA; HOST/SERVERA; HOST/SERVERA.DOMAIN
> 5. Server B - W2K3 SP2, IIS, SQL 2K5 under DOMAIN\SQL
> 6. For Server B - HTTP/SERVERB.DOMAIN; HTTP/SERVERB; HOST/SERVERB; HOST/SERVERB.DOMAIN
> 7. For DOMAIN\SQL - MSSQLSvc/SERVERB:1433 and MSSQLSvc/SERVERB.DOMAIN:1433
> 8. For Server A - unconstrained delegation; in web.config - <identity impersonate="true" />
> 9. I have a simple report with Windows integrated security
>
> If I try to open http://ServerA/ReportServer/SimpleReport from Server A, all
> works fine; kerbtray shows all the necessary tickets.
> If I try to open http://ServerA/ReportServer/SimpleReport from the Client: Logon
> failed for NT AUTHORITY\ANONYMOUS
>
> I understand that, because of a mistake in delegation on the middle tier, authentication
> to Server B falls back to NTLM. But, alas, I can't understand what
> exactly the mistake is...
>
> Please help





