IIS Server Security - IIS 6.0 Host Headers and Kerberos

This is Interesting: Free IT Magazines  
Home > Archive > IIS Server Security > January 2006 > IIS 6.0 Host Headers and Kerberos





You are viewing an archived Text-only version of the thread. To view this thread in it's original format and/or if you want to reply to this thread please [click here]

Author IIS 6.0 Host Headers and Kerberos
Simon Jackson

2006-01-13, 10:26 pm

Hi

I have two IIS Servers that are exhibiting the same behaviour
one is IIS 5.0 (exchange) the other is IIS 6.0 (Sharepoint Services 2.0)

My issues is that if I connect to either of these servers using anything
other than the Netbios server name I get prompted for authentication.

e.g.

If I connect internally on the lan to http://servername/
it goes straight in (no prompt)

If I connect internally on the lan to http://ipaddress/
I get prompted for authentication.

I also get prompted if I go to http://otherhostname/
where otherhostname is a new A record I create in DNS that points to the
same IP.

I've seen the following articles.....
http://support.microsoft.com/default.aspx?kbid=294382
http://support.microsoft.com/kb/215383/

but am unsure what I need to do...

When I use the adsutil get NTAuthenticationProviders command I can see that
......
the IIS 5.0 server is showing...
NTAuthenticationProviders : (STRING) "Negotiate,NTLM"

the IIS 6.0 server is showing...
The parameter "NTAuthenticationProviders" is not set at this node.

I've tried setting the NTAuthenticationProviders value on the IIS 5.0 server
to
NTAuthenticationProviders : (STRING) "NTLM"

but this has not helped.

I also tried the setspn -A command on the IIS 6.0 server and added the FQDN
name of the server as both a HTTP/ and a HOST/ reference but again no effect.

any ideas?

Regards
Simon
Jeff Cochran

2006-01-13, 10:26 pm

On Wed, 11 Jan 2006 10:56:02 -0800, "Simon Jackson" <Simon
Jackson@discussions.microsoft.com> wrote:

>Hi
>
>I have two IIS Servers that are exhibiting the same behaviour
>one is IIS 5.0 (exchange) the other is IIS 6.0 (Sharepoint Services 2.0)
>
>My issues is that if I connect to either of these servers using anything
>other than the Netbios server name I get prompted for authentication.

Add the domain to the intranet zone in Internet Explorer's security
tab.

Jeff


>e.g.
>
>If I connect internally on the lan to http://servername/
>it goes straight in (no prompt)
>
>If I connect internally on the lan to http://ipaddress/
>I get prompted for authentication.
>
>I also get prompted if I go to http://otherhostname/
>where otherhostname is a new A record I create in DNS that points to the
>same IP.
>
>I've seen the following articles.....
>http://support.microsoft.com/default.aspx?kbid=294382
>http://support.microsoft.com/kb/215383/
>
>but am unsure what I need to do...
>
>When I use the adsutil get NTAuthenticationProviders command I can see that
>.....
>the IIS 5.0 server is showing...
>NTAuthenticationProviders : (STRING) "Negotiate,NTLM"
>
>the IIS 6.0 server is showing...
>The parameter "NTAuthenticationProviders" is not set at this node.
>
>I've tried setting the NTAuthenticationProviders value on the IIS 5.0 server
>to
>NTAuthenticationProviders : (STRING) "NTLM"
>
>but this has not helped.
>
>I also tried the setspn -A command on the IIS 6.0 server and added the FQDN
>name of the server as both a HTTP/ and a HOST/ reference but again no effect.
>
>any ideas?
>
>Regards
>Simon

Simon Jackson

2006-01-13, 10:26 pm


Thank You !

:-)

Just out of interest, should I put the various setspn and adsutil settings
back the way they were or did I need to do those as well.

"Jeff Cochran" wrote:
> Add the domain to the intranet zone in Internet Explorer's security
> tab.

Ken Schaefer

2006-01-16, 2:50 am

You merely wish to avoid the prompt from Internet Explorer? To do that you
need to follow the advice in the following article:
http://support.microsoft.com/?id=258063

That is separate to the Kerberos issue. Kerberos is not strictly required to
avoid IE prompt, as NTLM authentication is also sufficient (see the KB
article above). You should return the system back to it's default settings
unless you have a reason not to.

Hope that helps.

Cheers
Ken

"Simon Jackson" <SimonJackson@discussions.microsoft.com> wrote in message
news:58FC83CD-9AE3-48CE-9595-852DCAC05FA2@microsoft.com...
:
: Thank You !
:
::-)
:
: Just out of interest, should I put the various setspn and adsutil settings
: back the way they were or did I need to do those as well.
:
: "Jeff Cochran" wrote:
: > Add the domain to the intranet zone in Internet Explorer's security
: > tab.
:


Sponsored Links






Free braindumps | Software forum | Database administration forum

Copyright 2003 - 2008 webservertalk.com