Re: Use of Kerberos unreliable, can I force it?
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 17 Jul 2008 10:01:28 -0500
With IIS, you typically have IIS advertise "Negotiate" as the authentication
method for IWA, and that unfortunately means that you can still get NTLM
auth as Negotiate will downgrade to NTLM if the client does not appear to be
capable of Kerberos.
This "feature" bugs me too. :)
One thing that you could try is to change IIS to request "Kerberos"
specifically instead of Negotiate by changing the appropriate metabase
property. The problem with this is that this is very non-standard and runs
a high risk of breaking more stuff.
Another thing you might do is try to determine whether the user was
authenticated via Kerberos or not and fail the request at the website.
You'll probably need to do some p/invokes to discover this based on the
user's token, but I think it is possible.
Another option would be to try to take advantage of protocol transition and
constrained delegation. I assume you NEED Kerberos auth because your
website is implementing Kerberos delegation. Protocol transition enables
the front end auth to be something other than Kerberos and allows the web
server to transition to Kerberos on behalf of the user to access a backend
resource. You need a 2K3 native FFL AD forest to use this feature, but it
does work. You also have to use constrained delegation, but that is
something you should be doing anyway as unconstrained delegation is pretty
risky anyway.
I hope this gives you some ideas. I feel your pain. :)
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
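One way to do the token check Joe describes (added example, not code from the thread or from Joe): read the logon session id out of the caller's token with GetTokenInformation(TokenStatistics), hand it to LsaGetLogonSessionData and compare the AuthenticationPackage field, which is "Kerberos" for a Kerberos network logon and "NTLM" for an NTLM one. The module name, the 403 response and the event used are my choices; the P/Invoke declarations are for the documented advapi32/secur32 functions.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web;

// Added example: an ASP.NET HttpModule that refuses requests whose Windows token
// was not produced by the Kerberos package (i.e. Negotiate fell back to NTLM).
public class RequireKerberosModule : IHttpModule
{
    [StructLayout(LayoutKind.Sequential)]
    struct LUID { public uint LowPart; public int HighPart; }

    [StructLayout(LayoutKind.Sequential)]
    struct TOKEN_STATISTICS
    {
        public LUID TokenId;
        public LUID AuthenticationId;   // logon session id, key for LsaGetLogonSessionData
        public long ExpirationTime;
        public int TokenType;
        public int ImpersonationLevel;
        public uint DynamicCharged;
        public uint DynamicAvailable;
        public uint GroupCount;
        public uint PrivilegeCount;
        public LUID ModifiedId;
    }

    [StructLayout(LayoutKind.Sequential)]
    struct LSA_UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }

    // Only the leading fields are declared; the buffer LSA returns is larger, and we
    // read it through a pointer, so trailing fields can be left out.
    [StructLayout(LayoutKind.Sequential)]
    struct SECURITY_LOGON_SESSION_DATA
    {
        public uint Size;
        public LUID LogonId;
        public LSA_UNICODE_STRING UserName;
        public LSA_UNICODE_STRING LogonDomain;
        public LSA_UNICODE_STRING AuthenticationPackage; // "Kerberos" or "NTLM"
        public uint LogonType;
        public uint Session;
        public IntPtr Sid;
        public long LogonTime;
    }

    const int TokenStatistics = 10; // TOKEN_INFORMATION_CLASS.TokenStatistics

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr tokenHandle, int tokenInformationClass,
        IntPtr tokenInformation, int tokenInformationLength, out int returnLength);

    [DllImport("secur32.dll")]
    static extern uint LsaGetLogonSessionData(ref LUID logonId, out IntPtr ppLogonSessionData);

    [DllImport("secur32.dll")]
    static extern uint LsaFreeReturnBuffer(IntPtr buffer);

    // Returns the LSA authentication package name behind a token, or null on failure.
    public static string GetAuthenticationPackage(IntPtr token)
    {
        int size = Marshal.SizeOf(typeof(TOKEN_STATISTICS));
        IntPtr buf = Marshal.AllocHGlobal(size);
        try
        {
            int needed;
            if (!GetTokenInformation(token, TokenStatistics, buf, size, out needed))
                return null;
            TOKEN_STATISTICS stats = (TOKEN_STATISTICS)Marshal.PtrToStructure(buf, typeof(TOKEN_STATISTICS));

            IntPtr pData;
            if (LsaGetLogonSessionData(ref stats.AuthenticationId, out pData) != 0)
                return null;
            try
            {
                SECURITY_LOGON_SESSION_DATA data =
                    (SECURITY_LOGON_SESSION_DATA)Marshal.PtrToStructure(pData, typeof(SECURITY_LOGON_SESSION_DATA));
                // Length is in bytes and the UTF-16 buffer is not guaranteed to be NUL-terminated.
                return Marshal.PtrToStringUni(data.AuthenticationPackage.Buffer,
                                              data.AuthenticationPackage.Length / 2);
            }
            finally { LsaFreeReturnBuffer(pData); }
        }
        finally { Marshal.FreeHGlobal(buf); }
    }

    public static bool IsKerberos(IntPtr token)
    {
        return string.Equals(GetAuthenticationPackage(token), "Kerberos", StringComparison.OrdinalIgnoreCase);
    }

    public void Init(HttpApplication app)
    {
        // By PostAuthenticateRequest the WindowsAuthenticationModule has set context.User.
        app.PostAuthenticateRequest += delegate(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            WindowsIdentity id = ctx.User == null ? null : ctx.User.Identity as WindowsIdentity;
            if (id == null || id.IsAnonymous) return;   // let IWA issue its own 401 challenge
            if (!IsKerberos(id.Token))
            {
                ctx.Response.StatusCode = 403;
                ctx.Response.StatusDescription = "Kerberos authentication required";
                ctx.Response.End();
            }
        };
    }

    public void Dispose() { }
}
```

Register the module in web.config (`<httpModules>` for IIS 6 classic pipeline, `<system.webServer><modules>` for IIS 7 integrated). Rejecting with 403 rather than 401 is deliberate: a 401 would just make the browser retry with the same NTLM credentials, whereas the user needs a fresh logon (or a new Kerberos ticket) before the request can succeed, so returning a clear error is more useful than an authentication loop.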
--
"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb66a3e978cab62a50f97e26@xxxxxxxxxxxxxxxxxxxxxxx
Hello NoelByron@xxxxxxx,
As far as I know, the Kerberos authentication is done during the logon, so
after that there will be no additional check; the only way is to log on
again in the network.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hi!
I had to learn that it is easily possible for clients in our network
to work without Kerberos (tickets), mostly because they boot their
computer without a network connection. Those users have no Kerberos
tickets (of course), but they don't get Kerberos tickets even after
connecting to our network (feature or bug?). There are also some other
scenarios in which Windows relinquishes Kerberos. The problem is that
we have some web applications that require a Kerberos ticket.
My question: How can I force a switch to Kerberos as soon as they
connect to the network? Or how can I force Kerberos authentication in
a .NET web application (SharePoint)? Integrated Windows Authentication
means NTLM or Kerberos.
Tips would be highly appreciated. Thanks in advance!
Best regards,
Noel