| Andy Wright 2005-04-06, 7:53 am |
| Thanks for the information, David. The article that you provided the link to
includes the following:
----------------
Forcing NTLM
In the following situations, Kerberos fails and you must force IIS to use
NTLM authentication by setting the NTAuthenticationProviders metabase
property to NTLM.
1) When you isolate Web sites on a virtual directory level by configuring
worker process identities as different domain accounts, Kerberos fails.
2) If you are using Integrated Windows authentication, are not using a WINS
or DNS name for the server running IIS, and you want to use a local user
account or the LocalService account as a worker process identity, Kerberos
authentication fails because Active Directory will not "trust" the accounts.
--------------
Because I had configured the application as in 1) above, Kerberos was
failing. When I set the NTAuthenticationProviders metabase property to NTLM
the problem was fixed. This seems to work ok when set at the virtual
directory level and so needn't have an impact on other applications in the
Web site.
Do you know of any references that describe the likely consequences of
setting this metabase property for an application and any workarounds or
configuration options that are available for applications that need to rely
on Kerberos features?
I also tried setting the Application Pool Identity for the entire web site
rather than at the Application/Virtual Directory level and that seems to
work ok even when Kerberos is enabled (NTAuthenticationProviders metabase
property set to Negotiate,NTLM).
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:e5krHpmOFHA.2748@TK2MSFTNGP09.phx.gbl...
> Right now, your failure pattern sounds like a common misconfiguration where
> you have:
> 1. a customized Application Pool Identity
> 2. Only Integrated authentication is enabled
> 3. the server is in a domain
>
> http://64.233.187.104/search?q=cach...ntity.asp&hl=en
>
> This has login of LOCH_NESS\Administrator, which is not the same as
> "LOCH_NESS\pplustester1" which you said you were testing with. Either you
> chose the wrong log entry or something else is running on the server and
> interfering.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> //
> "Bernard" <qbernard@hotmail.com.discuss> wrote in message
> news:uvNtTSbOFHA.2136@TK2MSFTNGP14.phx.gbl...
> Mmm..
> 401.2 - Logon failed due to server configuration.
> What authentication method are you using?
> Are the NT4 and XP Pro machines located in the same subnet, and do they
> browse using the same URL?
>
>
> What was the previous app pool identity?
>
> --
> Regards,
> Bernard Cheah
> http://www.tryiis.com/
> http://support.microsoft.com/
> http://www.msmvps.com/bernard/
>
>
> "Andy Wright" <A@bc.com> wrote in message
> news:uKExrnPOFHA.3960@TK2MSFTNGP12.phx.gbl...
>
|
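An added example, not part of any post in this thread: a way to check from an IIS 6 W3C extended log which account actually authenticated for each client and URL, and which Integrated-authentication handshakes ended in 401s only. The log lines, addresses, paths and the EXAMPLE domain are constructed; the script assumes the log's `#Fields` line includes `c-ip`, `cs-username`, `cs-uri-stem`, `sc-status` and `sc-substatus`.

```python
from collections import Counter, defaultdict

# Constructed sample in IIS 6 W3C extended format (not from the thread's server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-uri-stem sc-status sc-substatus
2005-04-05 10:00:01 192.0.2.10 - /app1/default.aspx 401 2
2005-04-05 10:00:01 192.0.2.10 - /app1/default.aspx 401 1
2005-04-05 10:00:02 192.0.2.10 EXAMPLE\\tester1 /app1/default.aspx 200 0
2005-04-05 10:05:10 192.0.2.20 - /app2/default.aspx 401 2
2005-04-05 10:05:10 192.0.2.20 - /app2/default.aspx 401 1
2005-04-05 10:06:30 192.0.2.30 EXAMPLE\\Administrator /app2/default.aspx 200 0
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def auth_summary(rows):
    """Group by (client IP, URI): status.substatus counts and authenticated users."""
    summary = defaultdict(lambda: {"statuses": Counter(), "users": set()})
    for r in rows:
        entry = summary[(r["c-ip"], r["cs-uri-stem"])]
        entry["statuses"][f'{r["sc-status"]}.{r["sc-substatus"]}'] += 1
        # A 200 with a user name means the handshake completed as that account.
        if r["sc-status"] == "200" and r["cs-username"] != "-":
            entry["users"].add(r["cs-username"])
    return dict(summary)

def failed_handshakes(summary):
    """(client IP, URI) pairs that drew 401 responses but never an authenticated 200."""
    return sorted(k for k, e in summary.items()
                  if not e["users"] and any(s.startswith("401.") for s in e["statuses"]))

if __name__ == "__main__":
    s = auth_summary(parse_w3c(SAMPLE_LOG))
    for key, e in s.items():
        print(key, dict(e["statuses"]), sorted(e["users"]) or "no authenticated user")
    print("401 only:", failed_handshakes(s))
```

A 401.2 followed by a 200 for the same client and URL is the normal start of an Integrated authentication exchange; the pairs worth investigating are the ones that never reach an authenticated 200.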