Mixed mode AD domain Kerberos/NTLM bump heads?

From: Dave (dgrace_at_portauthority.org)
Date: Fri, 25 Jul 2003 14:14:35 -0700

We have a 3 tier configuration. Win 2k web server using
delegation to win 2k sql server. SPN for the sql service
account is correct. Using .net framework. Users (win 2k
clients) can access the web front end and manipulate sql
data via forms. At random during any time period
authentication fails. A user can enter data with no
problems then all of a sudden
 Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Being that they can actually enter data says that
delegation is working. We are running mixed mode and have
NT BDCs on the network.

Quoted from another source:

"Watch out for NTLM
At one point during my experimentation I made a remote
authenticated request (which succeeded), and yet I
couldn't find the ticket that had been issued to make this
possible. On all the machines I use on a day-to-day basis
I've enabled auditing of logon and logoff events
(something I urge all developers to do in the lab), and so
when I checked the server's audit log, I discovered that
the client had been authenticated. I scratched my head
until I looked at the detailed information in the audit
record: the NTLM provider—not the Kerberos provider—had
authenticated the client.
I was really surprised at this behavior since the client
was using a domain account in a Windows 2000 domain and
both client and server were running Windows 2000. In fact,
the client was running on the same machine as her KDC."

Is it possible for Kerberos by some quirk to fall back to
NTLM at random? Or are NT BDCs in the mix causing strange
problems? The same user has access then all of a sudden
authentication fails at random for no apparent reason.

Any thoughts appreciated.
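As an added illustration (not part of the original post or any product's code), here is the check the quoted source describes, carried through as a small correlation script: given constructed, simplified audit records from the front-end web server and the back-end SQL server, it pairs each ANONYMOUS LOGON failure at SQL with the front-end logon just before it and reports which authentication package that logon used. The record layout, host names and user names are constructed assumptions and not the real Windows 2000 event text; a logon that NTLM authenticated yields a token the web server cannot delegate, so its hop to SQL arrives anonymous.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records (assumption: a simplified key=value rendering
# of front-end network-logon audits and back-end SQL login results).
SAMPLE_LOG = """\
2003-07-25 14:01:02 Host=WEB1 EventID=540 User=alice Domain=CORP AuthPackage=Kerberos LogonType=3
2003-07-25 14:01:03 Host=SQL1 SQLLogin=OK User=alice Domain=CORP
2003-07-25 14:09:41 Host=WEB1 EventID=540 User=alice Domain=CORP AuthPackage=NTLM LogonType=3
2003-07-25 14:09:42 Host=SQL1 SQLLogin=FAILED User="ANONYMOUS LOGON" Domain="NT AUTHORITY"
2003-07-25 14:15:10 Host=WEB1 EventID=540 User=bob Domain=CORP AuthPackage=Kerberos LogonType=3
2003-07-25 14:15:11 Host=SQL1 SQLLogin=OK User=bob Domain=CORP
"""

# key=value, where a value may be double-quoted to allow spaces.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse(log_text):
    """Turn each record line into a dict; the timestamp goes under 'ts'."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = {"ts": datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")}
        for m in FIELD_RE.finditer(line[19:]):
            rec[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
        records.append(rec)
    return records


def explain_anonymous_failures(log_text, window=timedelta(seconds=5)):
    """For every ANONYMOUS LOGON failure at the back end, return
    (failure time, front-end user, front-end AuthPackage) using the most
    recent front-end logon inside `window`; (time, None, None) if none."""
    recs = parse(log_text)
    logons = [r for r in recs if r.get("EventID") == "540"]
    findings = []
    for r in recs:
        if r.get("SQLLogin") != "FAILED" or r.get("User") != "ANONYMOUS LOGON":
            continue
        prior = [l for l in logons if r["ts"] - window <= l["ts"] <= r["ts"]]
        if prior:
            last = max(prior, key=lambda x: x["ts"])
            findings.append((r["ts"].isoformat(), last["User"], last["AuthPackage"]))
        else:
            findings.append((r["ts"].isoformat(), None, None))
    return findings


if __name__ == "__main__":
    for ts, user, pkg in explain_anonymous_failures(SAMPLE_LOG):
        print(ts, "anonymous hop; preceding front-end logon:", user, "via", pkg)
```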
