IIS 6 und Kerberos

---

• From: "Tobia" <tobiat@xxxxxx>
• Date: Thu, 17 Jan 2008 16:42:34 +0100

---

Hi!
I've a problem. I don't no it's my problem or a problem of IIS.
The scenario:
We have a member server with IIS in a W2K3 domain. There is only one website on it, one Applpool, only one default.htm (simple HTML, no script).
Authentication isn't allowed anonym and Authentication methode is Window integriert.
If I authenticate with NTLM all is fine, the site is shown.
If I authenticate with Kerberos (Negotiate) a logon windows appears, I try it 3 times, then it appears "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials ".
The eventlog writes a security event 529 logon/logoff, Unkown username or wrong password, logontyp 3, Auth paket Kerberos. (Sorry I have a german system, here the original Event. the blanc points are so blanc)
Ereignistyp: Fehlerüberw.
Ereignisquelle: Security
Ereigniskategorie: An-/Abmeldung
Ereigniskennung: 529
Datum: 17.01.2008
Zeit: 15:40:40
Benutzer: NT-AUTORITÄT\SYSTEM
Computer: TT-W2003-KERB
Beschreibung:
Fehlgeschlagene Anmeldung:
Grund: Unbekannter Benutzername oder falsches Kennwort
Benutzername:
Domäne:
Anmeldetyp: 3
Anmeldevorgang: Kerberos
Authentifizierungspaket: Kerberos
Name der Arbeitsstation: -
Aufruferbenutzername: -
Aufruferdomäne: -
Aufruferanmeldekennung: -
Aufruferprozesskennung: -
Übertragene Dienste: -
Quellnetzwerkadresse: x.y.z.w
Quellport: 50449


All steps in http://support.microsoft.com/?id=871179 I made. I read many, I tried many - now I'm at a loss.

Originally we configured the MOSS with SQL Server on other server for Kerberos. Because this doesn't work, the scenario above was built.

Is there anywhere anyone being able to help? Please!
Hopeful
Tobia





.

---

• Follow-Ups:
  • Re: IIS 6 und Kerberos
    • From: Ken Schaefer
  • RE: IIS 6 und Kerberos
    • From: Pom

• Prev by Date: RE: Access to Site Via WindowsMobile 2006 - Keeps asking for Passw
• Next by Date: Re: IIS on DMZ
• Previous by thread: IIS 5.0
• Next by thread: RE: IIS 6 und Kerberos
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Kerberos logon to Terminal Server prevents folder redirection ... Pass-through refers to the client browser passing through credentials to the Web Interface server; so you can still use Pass-through without enabling the option "Use Kerberos authentication to connect to servers". ... (microsoft.public.windows.server.security) Re: IIS and FQDN authentication confusion ... Scenario 2 does not work because the site is not in the Intranet zone. ... It sounds like you might not be getting Kerberos authentication to the web ... server when you use the FQDN, and thus delegation is not working. ... (microsoft.public.dotnet.framework.aspnet.security) Re: Integrated Windows Authentication Timeout? ... Is it possible that a different host name is being used for one of the subsequent requests that would break Kerberos auth? ... If you have "Negotiate" authentication set in the metabase, then this can still negotiate down to NTLM if for some reason the protocol thinks that Kerberos is unavailable. ... server. ... (microsoft.public.dotnet.framework.aspnet.security) Re: iis problems with some xp clients - kerberos issue? ... is the browser even attempting Kerberos Authentication? ... the webserver failing to get a service ticket for the SQL Server etc. ... Check that the site is in IE's Intranet zone (IE doesn't attempt to Kerberos ... Both access SQL ... (microsoft.public.inetserver.iis.security) Re: REPOST - IIS6 /WebDAV/NTLM/Kerberos and Remote Storage ... >are using to authentication. ... Kerberos tickets target a service ... >authenticate to IIS from the client browser. ... structure on a Win2K server. ... (microsoft.public.inetserver.iis)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.inetserver.iis.security  > 2008-01