Re: Kerberos



Can you get a packet capture between your browser and the webserver?

Cheers
Ken

--
My IIS blog: http://adopenstatic.com/blog

"CK" <c_kettenbach@xxxxxxxxxxx> wrote in message news:i%MIj.11612$qS5.2465@xxxxxxxxxxxxxxxxxxxxxxx
I did all the steps you mentioned and I still get
Logon Process: NtLmSsp

Authentication Package: NTLM

Any ideas? I enable Kerberos logging but I don't see any new entries in the Event Log. What am I missing here? I also want to mention that this webserver is on a VM. Not sure if that makes a difference.



Thanks,

~ck


"Tiago Halm" <thalm@xxxxxxxxxxxxxxxxxx> wrote in message news:OOeG25ElIHA.3400@xxxxxxxxxxxxxxxxxxxxxxx
You probably followed much of these steps (Ken must have pointed them). Make it work in IIS to get a sense on how it works

1. make sure NTAuthenticationProviders is not overridden so we start with the default "Negotiate, NTLM".
type
cscript adsutil.vbs delete w3svc/NTAuthenticationProviders
cscript adsutil.vbs delete w3svc/1/NTAuthenticationProviders
cscript adsutil.vbs delete w3svc/1/ROOT/NTAuthenticationProviders

See more steps on:
http://support.microsoft.com/kb/215383
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/ea7cd846-33da-49c9-927f-d4e76d6309ac.mspx?mfr=true

2. Create an FQDN (xxx.yyy.zzz) in DNS pointing to IIS ip address
3. Select a WebSite, make sure all VDirs use the same AppPool as the WebSite and define the Host Header on port 80 with that FQDN (xxx.yyy.zzz). Specify the port address if needed.
4. create the SPN, by using the account setup on the hostheader
setspn.exe http/xxx.yyy.zzz domain\apppoolaccount
5. Setup IIS with Integrated Windows Authentication. Force inheritance if needed.

Open IE, make sure xxx.yyy.zzz is a local intranet site, browse a page, look into the security log. Filter by 540 event (not sure about this one) and your windows account.

Final t-shoot stage is to enable kerberos logging:
http://support.microsoft.com/kb/262177

let us know the steps you took until now ...

Tiago Halm

"CK" <c_kettenbach@xxxxxxxxxxx> wrote in message news:1pxIj.378$ch4.135@xxxxxxxxxxxxxxxxxxxxxxx
I can not get Kerberos to work on my web server. I have done all of Ken Schaefers troubleshooting techniques still to no avail. I created a test.htm page and when i hit it, I check the security event log and it is still using NTLM. Any ideas why Kerberos is not running? I am ultimately trying to set up constrianed delegation to an Exchange 2007 web service. I have been working on this for weeks and I am absolutely stumped. Does anyone have any suggestions at this point?

Cheers,
CK






.



Relevant Pages

  • Re: Page Cannot Be Displayed Errors
    ... It sounds like you are quite close to the webserver. ... need to connect directly to IIS) ... If you see requests in the network monitor ... There is a network monitor included in Windows Server 2003 (not sure about ...
    (microsoft.public.inetserver.iis)
  • Re: localhost is all that will work
    ... XML file in IIS 6.0, ... ServerBindings in this file will give you only one result. ... >> What is the ServerBindings configured for this website? ... >>> webserver answers) ...
    (microsoft.public.inetserver.iis)
  • Re: Virtual Directory mit Daten von einem Share auf remote System
    ... > unter einem Benutzer laufen zu lassen, der Netzwerk-Rechte hat. ... der webserver ein virtuelles Verzeichnis auf dem fileserver hat musst Du ... der IIS muss mögen ... weil du mit dem Gast account nicht durchkommst. ...
    (microsoft.public.de.inetserver.iis)
  • Re: cs-host, host header and destination
    ... Host Header information was>www.microsoft.com. ... The webserver does not care ... Header for www.microsoft.com on this server, the>client got back a page! ... and I was wondering where and how that was set in IIS. ...
    (microsoft.public.inetserver.iis)
  • Re: IIS Service service terminated unexpectedly
    ... Use the IISState tool from here: ... I have an IIS 5.0 webserver running und since the last month I get some ... times a day such messages from the IIS. ... The following corrective action will be taken ...
    (microsoft.public.inetserver.iis)