Re: Kerberos



I think you'll find this tool a bit easier to use than the old Net Mon: www.wireshark.org

Just select the interface you wish to monitor and then click the "Capture" button. Then go and hit the page you want, and afterwards, stop the capture. Save the .cap file.

Cheers
Ken

"CK" <c_kettenbach@xxxxxxxxxxx> wrote in message news:rYOIj.23285$0o7.11481@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I would love to. Please tell me how to do that. I have installed Network Monitor but I do not know how to properly use it. Should it be installed on the client or on the web server? I currently have it installed on the client. I appreciate your help Ken. You seem to be the authoritative source. Great blog by the way sir.

~ck

"Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx> wrote in message news:ulxOUDOlIHA.3888@xxxxxxxxxxxxxxxxxxxxxxx
Can you get a packet capture between your browser and the webserver?

Cheers
Ken

--
My IIS blog: http://adopenstatic.com/blog

"CK" <c_kettenbach@xxxxxxxxxxx> wrote in message news:i%MIj.11612$qS5.2465@xxxxxxxxxxxxxxxxxxxxxxx
I did all the steps you mentioned and I still get
Logon Process: NtLmSsp

Authentication Package: NTLM

Any ideas? I enabled Kerberos logging but I don't see any new entries in the Event Log. What am I missing here? I also want to mention that this webserver is on a VM. Not sure if that makes a difference.



Thanks,

~ck


"Tiago Halm" <thalm@xxxxxxxxxxxxxxxxxx> wrote in message news:OOeG25ElIHA.3400@xxxxxxxxxxxxxxxxxxxxxxx
You probably followed many of these steps (Ken must have pointed them out). Make it work in IIS to get a sense of how it works.

1. Make sure NTAuthenticationProviders is not overridden so we start with the default "Negotiate, NTLM".
Type:
cscript adsutil.vbs delete w3svc/NTAuthenticationProviders
cscript adsutil.vbs delete w3svc/1/NTAuthenticationProviders
cscript adsutil.vbs delete w3svc/1/ROOT/NTAuthenticationProviders

See more steps on:
http://support.microsoft.com/kb/215383
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/ea7cd846-33da-49c9-927f-d4e76d6309ac.mspx?mfr=true

2. Create an FQDN (xxx.yyy.zzz) in DNS pointing to the IIS IP address.
3. Select a WebSite, make sure all VDirs use the same AppPool as the WebSite and define the Host Header on port 80 with that FQDN (xxx.yyy.zzz). Specify the port address if needed.
4. Create the SPN, by using the account set up on the host header:
setspn.exe http/xxx.yyy.zzz domain\apppoolaccount
5. Set up IIS with Integrated Windows Authentication. Force inheritance if needed.

Open IE, make sure xxx.yyy.zzz is a local intranet site, browse a page, look into the security log. Filter by 540 event (not sure about this one) and your windows account.

Final t-shoot stage is to enable Kerberos logging:
http://support.microsoft.com/kb/262177

Let us know the steps you took until now ...

Tiago Halm

"CK" <c_kettenbach@xxxxxxxxxxx> wrote in message news:1pxIj.378$ch4.135@xxxxxxxxxxxxxxxxxxxxxxx
I can not get Kerberos to work on my web server. I have done all of Ken Schaefer's troubleshooting techniques still to no avail. I created a test.htm page and when I hit it, I check the security event log and it is still using NTLM. Any ideas why Kerberos is not running? I am ultimately trying to set up constrained delegation to an Exchange 2007 web service. I have been working on this for weeks and I am absolutely stumped. Does anyone have any suggestions at this point?

Cheers,
CK
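
An added example, not written by any poster in this thread: once the packet capture Ken asks for is saved, the Authorization header of the browser's request shows which package the client actually sent. The Python sketch below classifies that token heuristically (signature and OID matching, not a full ASN.1 parse); the sample requests and their zero-filled tokens are constructed, not real captures.

```python
import base64
import re

NTLMSSP_SIG = b"NTLMSSP\x00"                      # start of every NTLM message
SPNEGO_OID = bytes.fromhex("06062b0601050502")    # 1.3.6.1.5.5.2
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),      # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"),      # 1.2.840.48018.1.2.2 (MS variant)
)
AUTH_RE = re.compile(r"^Authorization:\s*(Negotiate|NTLM)\s+(\S+)", re.I | re.M)

def classify_token(b64_token):
    """Heuristic: match signatures/OIDs, no full ASN.1 parse."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:
        return "undecodable"
    if raw.startswith(NTLMSSP_SIG):
        return "NTLM (raw NTLMSSP)"
    if raw[:1] == b"\x60":                        # GSS-API initial token
        if NTLMSSP_SIG in raw:
            return "NTLM (inside SPNEGO)"
        if any(oid in raw for oid in KRB5_OIDS):
            return "Kerberos"
    return "unknown"

def classify_request(http_text):
    """Return (scheme, verdict) for each Authorization header in the text."""
    return [(m.group(1), classify_token(m.group(2)))
            for m in AUTH_RE.finditer(http_text)]

def _request(token_bytes):
    # Constructed sample request; host and page names follow the thread.
    return ("GET /test.htm HTTP/1.1\r\nHost: xxx.yyy.zzz\r\n"
            "Authorization: Negotiate "
            + base64.b64encode(token_bytes).decode() + "\r\n\r\n")

# Constructed tokens: correct leading bytes, zero-filled bodies.
SAMPLE_NTLM = _request(NTLMSSP_SIG + b"\x01\x00\x00\x00" + bytes(24))
SAMPLE_KRB = _request(b"\x60\x82\x01\x00" + SPNEGO_OID + bytes(8)
                      + KRB5_OIDS[1] + KRB5_OIDS[0] + bytes(8)
                      + b"\x60\x81\xe0" + KRB5_OIDS[0] + b"\x01\x00" + bytes(32))

if __name__ == "__main__":
    for name, req in (("ntlm", SAMPLE_NTLM), ("kerberos", SAMPLE_KRB)):
        print(name, classify_request(req))
```

An NTLM verdict on the client's token means the fallback to NTLM was decided on the client side, before IIS processed the request.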