IIS Kerberos auth for non-domain client
I set up an env as below:
A w2k3 server sps.xxx.edu is running IIS (SharePoint Server
installed), it's in domain xxx.edu, not a controller.
A unix kdc for realm: REALM.xxx.edu, necessary princs
created using enctype:des-cbc-crc.
A domain controller ad.xxx.edu, w2k3, 2-way trust with
unix realm kdc, trust delegate to sps.xxx.edu, user abc is
mapped to a princ on unix kdc, setspn set up as told in
technet articles.
A client pc, TESTER, running winxp sp2.

All Windows machines above have run ksetup /addkdc ...

Now my problem is:
when TESTER, the winxp client, is in domain xxx.edu, it
can access SPS using Kerberos very well.
But when I remove TESTER from any domain and specify some
workgroup, the Kerberos auth failed.

Btw, I visited the iis/sps server via FQDN, which has been
added with setspn.

So how can I use Kerb auth on a non-domain client to a
domain-member IIS?
Matthew Silverman 2004-11-16, 5:49 pm

Did you ever have any luck resolving this issue? I'm running into the same
issue with our w2k3/kerberos deployment.
Thanks,
Matt
"FreX" wrote:
> I set up an env as below:
> A w2k3 server sps.xxx.edu is running IIS (SharePoint Server
> installed), it's in domain xxx.edu, not a controller.
> A unix kdc for realm: REALM.xxx.edu, necessary princs
> created using enctype:des-cbc-crc.
> A domain controller ad.xxx.edu, w2k3, 2-way trust with
> unix realm kdc, trust delegate to sps.xxx.edu, user abc is
> mapped to a princ on unix kdc, setspn set up as told in
> technet articles.
> A client pc, TESTER, running winxp sp2.
>
> All Windows machines above have run ksetup /addkdc ...
>
> Now my problem is:
> when TESTER, the winxp client, is in domain xxx.edu, it
> can access SPS using Kerberos very well.
> But when I remove TESTER from any domain and specify some
> workgroup, the Kerberos auth failed.
>
> Btw, I visited the iis/sps server via FQDN, which has been
> added with setspn.
>
> So how can I use Kerb auth on a non-domain client to a
> domain-member IIS?