IIS Server Security archive, May 2004
Forcing Kerberos authentication in IIS6?

Al Blake 2004-05-30, 11:52 am
I have two windows 2003 servers running IIS6. One is the production
server, one is the test server.
I have developed an asp.net app on the test server that requires
kerberos authentication and *works perfectly*. I have transferred it
to the production server and it doesn't work - on closer investigation
I discover that the login to the production server is using
NTLM, which makes my kerberos-based app fall over.
Now I thought Kerberos was the default for IIS6 and NTLM the fallback?
I am using the same workstation and browser (XP/IE6) to connect to
both servers, yet I get a different result when I check in the system
event log.
Test server - shows login success with Kerberos
Prod server - shows login success with NTLM
There ARE successful kerberos logins on the production server - but
these ONLY seem to be for connections between the Prod server and the
DCs. *All* the user (browser) logins are being passed off to NTLM.
Why?
Is the problem in IIS?
I have run netdiag and there are no errors in the kerberos subsystem.
I have also run
cscript adsutil.vbs set w3svc/NTAuthenticationProviders "Negotiate,NTLM"
and
setspn -A HTTP/servername.domain NETBIOSNAME
None of this makes any difference - the production server still
insists on authenticating with Kerberos.
Why?
Anyone got any tips as I have been fighting this for a week!
Al Blake, Canberra, Australia

Ken Schaefer 2004-05-30, 11:52 am
A couple of quick tests:
a) If you do a HTTP request manually, do you see the server sending back
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
You can use WFetch to test this:
http://www.microsoft.com/downloads/...&DisplayLang=en
b) If you put a trace on the network, is IE attempting Kerberos
Authentication?
www.ethereal.com
I have a bunch of links about Kerberos which is probably the next step, but
let's check to see that the server and browser are sending the right headers
first.
Cheers
Ken
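Ken's test (a) can be scripted rather than done by hand in WFetch. The script below is an added example, not Ken's or Microsoft's code: it uses the WinHTTP 5.1 COM object (assumed present on XP/2003) to request a URL without answering the challenge and prints every WWW-Authenticate header the server offers, which is exactly what tells you whether Negotiate (and so Kerberos) is on the table for that site.

```vbscript
' Added example, not from the thread: send one anonymous GET and show the
' authentication schemes the server offers in its 401 response.
' Assumes WinHTTP 5.1 (Windows XP/2003); run: cscript authcheck.vbs http://host/app/
Option Explicit

Const AutoLogonPolicy_Never = 2

Dim url, req, headers, line, offered
If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript authcheck.vbs http://servername.domain/app/"
    WScript.Quit 1
End If
url = WScript.Arguments(0)

Set req = CreateObject("WinHttp.WinHttpRequest.5.1")
' Never auto-answer the challenge: we want the raw 401 and its headers,
' not the transparently authenticated 200 WinHTTP would otherwise return.
req.SetAutoLogonPolicy AutoLogonPolicy_Never
req.Open "GET", url, False
req.Send

WScript.Echo "HTTP " & req.Status & " " & req.StatusText
offered = ""
headers = Split(req.GetAllResponseHeaders(), vbCrLf)
For Each line In headers
    ' "WWW-Authenticate:" is 17 characters; the scheme follows it.
    If LCase(Left(line, 17)) = "www-authenticate:" Then
        WScript.Echo line
        offered = offered & "|" & LCase(Trim(Mid(line, 18)))
    End If
Next

If req.Status <> 401 Then
    WScript.Echo "No challenge: anonymous access is allowed on this URL."
ElseIf InStr(offered, "|negotiate") > 0 Then
    WScript.Echo "Negotiate offered: IE will try Kerberos first (needs an HTTP/ SPN)."
ElseIf InStr(offered, "|ntlm") > 0 Then
    WScript.Echo "Only NTLM offered: NTAuthenticationProviders is NTLM-only for this path."
Else
    WScript.Echo "401 without Negotiate or NTLM (Basic/Digest only?)."
End If
```

Compare the output from the test and production servers: the thread's symptom shows up as the production site answering with WWW-Authenticate: NTLM alone.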

Keith W. McCammon 2004-05-30, 11:52 am
Stupid question, but your production server is on the same LAN segment as
the client? No firewall or added network security mechanisms that
differentiate the architecture from the testing system?

Al Blake 2004-05-30, 11:52 am
Ok,
I worked it out. In case anyone else runs into the same problem: I had set
the NTAuthentication methods in the metabase for the server but I didn't
check what the setting was for *each* web site.
It seems that at some point in time (I don't know how) authentication for
several individual sites had been set to only NTLM.
I reset it for each site and now kerberos works perfectly (except for
sharepoint but that's another story!)
Al Blake, Canberra, Australia

David Wang [Msft] 2004-05-30, 11:52 am
The default value for NtAuthenticationProviders is unset and is unavailable
through the UI, so someone has to have set them via ADSUTIL or similar
metabase editing tools.
NtAuthenticationProviders is available both globally and per-website, as
you've discovered. The way that configuration works is that global settings
apply unless locally overridden. The UI has functionality which will warn
you when setting parent settings that child settings are overriding them --
but there is no such thing with plain metabase editing tools.
You have two basic choices:
1. Use inheritance, in which case you DELETE the NtAuthenticationProviders
property from the websites. This allows automatic inheritance of the global
setting (which is what you were expecting). The downside is that if anyone
else changes the global NtAuthenticationProviders property to
NTLM,Negotiate, your apps break.
2. Do not use inheritance, in which case you set NtAuthenticationProviders
individually for the websites that need it. The downside is that this does
not have automatic inheritance of the global setting (which is what you were
expecting). The upside is that if anyone else ever changes the global
NtAuthenticationProviders property to NTLM,Negotiate, your apps will still
work.
The two choices are mutually exclusive. You cannot have global, overriding
inheritance AND immunity from such changes being breaking changes.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
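The per-site overrides Al found by hand, and the inheritance behaviour David describes, can be audited in one pass. The script below is an added example (not code from the thread or from Microsoft): it uses the IIS ADSI provider, the same interface adsutil.vbs drives, and assumes it runs on the IIS 6 server itself under cscript. It lists every metabase node where NtAuthenticationProviders is explicitly set, then shows each web site's effective value and whether that value is inherited from W3SVC or set locally.

```vbscript
' Added example, not from the thread: audit NtAuthenticationProviders on an
' IIS 6 server. Run on the server: cscript ntauthaudit.vbs
' Assumes the IIS ADSI provider (IIS://localhost/W3SVC) is available.
Option Explicit

Const IIS_ANY_PROPERTY = 0
Const PROP = "NTAuthenticationProviders"

Dim w3svc, site, explicitPaths, path, overridden, effective

Set w3svc = GetObject("IIS://localhost/W3SVC")

' Every metabase node (service, site or vdir) where the property is set
' explicitly rather than inherited; these are the candidates for surprises.
explicitPaths = w3svc.GetDataPaths(PROP, IIS_ANY_PROPERTY)
Set overridden = CreateObject("Scripting.Dictionary")
WScript.Echo "Explicitly set at:"
For Each path In explicitPaths
    WScript.Echo "  " & path
    overridden.Add UCase(path), True
Next

WScript.Echo "W3SVC (global): " & ReadProviders(w3svc)

For Each site In w3svc
    ' W3SVC also contains filters/info nodes; only sites matter here.
    If site.Class = "IIsWebServer" Then
        effective = ReadProviders(site)
        If overridden.Exists(UCase(site.ADsPath)) Then
            WScript.Echo "Site " & site.Name & " (" & site.ServerComment & "): " & _
                effective & "  [SET LOCALLY - overrides the global value]"
        Else
            WScript.Echo "Site " & site.Name & " (" & site.ServerComment & "): " & _
                effective & "  [inherited]"
        End If
    End If
Next

' Get() raises when the property is set at no level at all; IIS 6 then
' behaves as "Negotiate,NTLM".
Function ReadProviders(node)
    On Error Resume Next
    ReadProviders = node.Get(PROP)
    If Err.Number <> 0 Then
        ReadProviders = "<unset> (IIS 6 default: Negotiate,NTLM)"
        Err.Clear
    End If
    On Error GoTo 0
End Function
```

A site printed as [SET LOCALLY] with a value of NTLM is the case from this thread; David's choice 1 is to delete that local value (cscript adsutil.vbs delete w3svc/<id>/NTAuthenticationProviders) so it inherits, choice 2 is to set it per site deliberately.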