Re: Kerberos



No, I was not able to get them. I installed Wireshark but I am not sure how
to use it or, more so, how to interpret the data.
I ended up using impersonation and was able to get that to work. We still
would really like to get Kerberos working. Any suggestions? I really
appreciate your help. I don't want to abandon this as we have put a great
deal of work into trying to make it happen.

Cheers,
ck


"Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:A4E4FA4A-6B5B-45B6-9FEF-3780E5B16EAF@xxxxxxxxxxxxxxxx
Well, I would suggest that you didn't "try everything", but your scenario
should work. Something isn't correct if it's not working :-)

As asked before, did you get the packet captures?

Cheers
Ken

"CK" <c_kettenbach@xxxxxxxxxxx> wrote in message
news:vT3Lj.1044$%41.985@xxxxxxxxxxxxxxxxxxxxxxx
Well we tried everything. We were never able to get Kerberos to work. Wow
that was certainly fun. Oh well what a complete waste of time. Thanks for
trying to help.

~ck

"Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:ulxOUDOlIHA.3888@xxxxxxxxxxxxxxxxxxxxxxx
Can you get a packet capture between your browser and the webserver?

Cheers
Ken

--
My IIS blog: http://adopenstatic.com/blog

"CK" <c_kettenbach@xxxxxxxxxxx> wrote in message
news:i%MIj.11612$qS5.2465@xxxxxxxxxxxxxxxxxxxxxxx
I did all the steps you mentioned and I still get
Logon Process: NtLmSsp

Authentication Package: NTLM

Any ideas? I enable Kerberos logging but I don't see any new entries in
the Event Log. What am I missing here? I also want to mention that this
webserver is on a VM. Not sure if that makes a difference.



Thanks,

~ck


"Tiago Halm" <thalm@xxxxxxxxxxxxxxxxxx> wrote in message
news:OOeG25ElIHA.3400@xxxxxxxxxxxxxxxxxxxxxxx
You probably followed much of these steps (Ken must have pointed
them). Make it work in IIS to get a sense on how it works

1. make sure NTAuthenticationProviders is not overridden so we start
with the default "Negotiate, NTLM".
type
cscript adsutil.vbs delete w3svc/NTAuthenticationProviders
cscript adsutil.vbs delete w3svc/1/NTAuthenticationProviders
cscript adsutil.vbs delete w3svc/1/ROOT/NTAuthenticationProviders

See more steps on:
http://support.microsoft.com/kb/215383
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/ea7cd846-33da-49c9-927f-d4e76d6309ac.mspx?mfr=true

2. Create an FQDN (xxx.yyy.zzz) in DNS pointing to IIS ip address
3. Select a WebSite, make sure all VDirs use the same AppPool as the
WebSite and define the Host Header on port 80 with that FQDN
(xxx.yyy.zzz). Specify the port address if needed.
4. Create the SPN, using the account set up on the host header
setspn.exe -A http/xxx.yyy.zzz domain\apppoolaccount
5. Setup IIS with Integrated Windows Authentication. Force inheritance
if needed.

Open IE, make sure xxx.yyy.zzz is a local intranet site, browse a
page, look into the security log. Filter by 540 event (not sure about
this one) and your windows account.

Final t-shoot stage is to enable Kerberos logging:
http://support.microsoft.com/kb/262177

let us know the steps you took until now ...

Tiago Halm

"CK" <c_kettenbach@xxxxxxxxxxx> wrote in message
news:1pxIj.378$ch4.135@xxxxxxxxxxxxxxxxxxxxxxx
I can not get Kerberos to work on my web server. I have done all of
Ken Schaefer's troubleshooting techniques, still to no avail. I created
a test.htm page and when I hit it, I check the security event log and
it is still using NTLM. Any ideas why Kerberos is not running? I am
ultimately trying to set up constrained delegation to an Exchange 2007
web service. I have been working on this for weeks and I am absolutely
stumped. Does anyone have any suggestions at this point?

Cheers,
CK
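
Added example, not part of any poster's message: one way to read the packet capture requested in this thread is to decode the token in each `Authorization` header and see whether the browser sent raw NTLM, NTLM wrapped in SPNEGO, or a Kerberos ticket. It assumes the HTTP requests were exported from the capture as text; the function names are hypothetical, the sample tokens are constructed, and the SPNEGO check is a byte-search heuristic rather than a full ASN.1 parse.

```python
import base64
import re

SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
NTLMSSP = b"NTLMSSP\x00"                          # signature of every NTLM message
AUTH_RE = re.compile(r"^Authorization:\s*(Negotiate|NTLM)\s+(\S+)", re.I | re.M)

def _der_len(buf, pos):
    """Return (length, next_pos) for the DER length field at pos."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F                              # long form: n length bytes follow
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_token(b64):
    """Classify one base64 token taken from an Authorization header."""
    try:
        tok = base64.b64decode(b64, validate=True)
    except ValueError:
        return "undecodable"
    if tok.startswith(NTLMSSP) and len(tok) >= 12:
        return "NTLM type %d" % int.from_bytes(tok[8:12], "little")
    try:
        if tok[0] != 0x60:                        # GSS-API InitialContextToken tag
            return "unknown"
        _, pos = _der_len(tok, 1)
        if tok[pos] != 0x06:                      # mechanism OID must follow
            return "unknown"
        oid_len, pos = _der_len(tok, pos + 1)
    except IndexError:
        return "truncated"
    oid, rest = tok[pos:pos + oid_len], tok[pos + oid_len:]
    if oid == KRB5_OID:
        return "Kerberos"
    if oid == SPNEGO_OID and NTLMSSP in rest:
        return "SPNEGO carrying NTLM"
    if oid == SPNEGO_OID and KRB5_OID in rest:
        return "SPNEGO carrying Kerberos"
    return "unknown"

def audit_capture(text):
    """Return (scheme, verdict) for every Authorization header in the text."""
    return [(s, classify_token(t)) for s, t in AUTH_RE.findall(text)]

# Constructed sample input: two requests with minimal, hand-built tokens.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body         # short-form DER only
_ntlm = NTLMSSP + (1).to_bytes(4, "little") + bytes(4)
_krb = _tlv(0x60, _tlv(0x06, SPNEGO_OID) + _tlv(0xA0, _tlv(0x30, _tlv(0x06, KRB5_OID))))
SAMPLE = "\r\n".join("GET /test.htm HTTP/1.1\r\nAuthorization: Negotiate "
                     + base64.b64encode(t).decode() + "\r\n" for t in (_ntlm, _krb))
```

A verdict of "NTLM type 1" on the first authenticated request means the client never obtained a service ticket for the site's SPN, which matches the `NtLmSsp` logon process reported in the security log.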










