Home > Archive > IIS Server Security > June 2006 > Kerberos error KDC_ERR_BADOPTION

Kerberos error KDC_ERR_BADOPTION

WenJun Zhang[msft] 2006-06-06, 7:22 am
Hi Tim,
Please make sure the client that connects to the server has 'enable integrated
authentication' selected in IE Internet Options > Advanced. Otherwise the
authentication protocol will be NTLM instead of Kerberos.
Another point is that you should change the site's application pool's
identity to Local System, since you've enabled the computer to be trusted for
delegation in AD.
Best regards,
WenJun Zhang
Microsoft Online Partner Support
This posting is provided "AS IS" with no warranties, and confers no rights.

Still no luck. The clients were already configured with integrated
authentication and the site was added to the Local Intranet zone, but the
client still looks to be authenticating through NTLM. Both IIS on the web
server and SQL 2000 are set to run under local system.
From the web server:
Successful Network Logon:
User Name: userName
Domain: domainName
Logon ID: (0x0,0x1B8804)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: workstationName
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.1.1.105
Source Port: 1327
""WenJun Zhang[msft]"" <wjzhang@online.microsoft.com> wrote in message
news:qC$ov5ViGHA.5608@TK2MSFTNGXA01.phx.gbl...
> Hi Tim,
>
> Please make sure the client connects to the server has 'enable integrated
> authentication' selected in IE internet options->advanced. Otherwise the
> authentication protocol will be NTLM instead of Kerberos.
>
> Another point is that you should change the site's application pool's
> identity to Local System since you've enable the computer to be trusted
> for
> delegation in AD.
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Partner Support
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
>
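The security-log entry above is the evidence that the browser fell back: a Logon Type 3 (network) logon whose Logon Process is NtLmSsp and whose Authentication Package is NTLM. An added example follows (my code, not from the thread or from Windows) that parses the text form of such events and reports, per client address, how many network logons arrived via NTLM and how many via Kerberos, so a client that never produces a Kerberos logon stands out. The sample is constructed: the first event is the one posted above, the second is a made-up Kerberos logon from the same client, and the third is a made-up client that only ever arrives via NTLM.

```python
from collections import Counter, defaultdict

# Constructed sample: the event posted in the thread plus two made-up events.
# The second shows what a Kerberos network logon from the same client looks
# like (Logon Process and Authentication Package both Kerberos); the third
# is another client that only ever logs on via NTLM.
SAMPLE_EVENTS = """\
Successful Network Logon:
User Name: userName
Domain: domainName
Logon ID: (0x0,0x1B8804)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: workstationName
Logon GUID: -
Source Network Address: 10.1.1.105
Source Port: 1327

Successful Network Logon:
User Name: userName
Domain: domainName
Logon ID: (0x0,0x1C2F10)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Logon GUID: {00000000-0000-0000-0000-000000000001}
Source Network Address: 10.1.1.105
Source Port: 1402

Successful Network Logon:
User Name: svcReports
Domain: domainName
Logon ID: (0x0,0x1C3A77)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: RPTBOX
Logon GUID: -
Source Network Address: 10.1.1.77
Source Port: 2201
"""


def parse_events(text):
    """Split text-exported security events into dicts.  A 'Key:' line with no
    value (such as 'Successful Network Logon:') starts a new event."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not value:
            current = {"Event": key}
            events.append(current)
        elif current is not None:
            current[key] = value
    return events


def packages_by_source(events):
    """Authentication Package counts per client address, network logons only."""
    counts = defaultdict(Counter)
    for ev in events:
        if ev.get("Logon Type") == "3":
            source = ev.get("Source Network Address", "-")
            counts[source][ev.get("Authentication Package", "-")] += 1
    return {src: dict(c) for src, c in counts.items()}


def ntlm_only_sources(events):
    """Clients with NTLM network logons and not a single Kerberos one: the
    pattern of a browser or service that falls back every time."""
    return sorted(src for src, c in packages_by_source(events).items()
                  if c.get("NTLM") and not c.get("Kerberos"))
```

Run `ntlm_only_sources(parse_events(SAMPLE_EVENTS))` to get `['10.1.1.77']`; 10.1.1.105 is not listed because it also produced a Kerberos logon, which is the distinction that matters when deciding whether a client ever reaches Kerberos at all.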

WenJun Zhang[msft] 2006-06-08, 1:25 pm
Hi Tim,
I suggest you use WFetch to perform a test and trace the raw data of the HTTP
request/response. It will ensure the Kerberos token can be properly sent to the
server side.
HOW TO: Use Wfetch.exe to Troubleshoot HTTP Connections
http://support.microsoft.com/defaul...kb;en-us;284285
To use, please input:
Host: (Your server name)
Path: (The relative path of your page, e.g. /simple.htm)
Auth: (Select Kerberos and input the proper username/password)
Press Go! to issue an HTTP request to the server and check what response is
returned. You can paste the whole log data here for me to take a look.
Best regards,
WenJun Zhang
Microsoft Online Partner Support

Here is the output from the log:
started....
WWWConnect::Connect("http://vmdynamics.labtsc.com","80")\n
0x2af9 (No such host is known.): getaddrinfo()
finished.
""WenJun Zhang[msft]"" <wjzhang@online.microsoft.com> wrote in message
news:$VCTLOwiGHA.4500@TK2MSFTNGXA01.phx.gbl...
> Hi Tim,
>
> I suggest you use webfetch to perform a test and trace the rawdata of http
> request/response. It will ensure Kerberos token can be properly sent to
> the
> server-side.
>
> HOW TO: Use Wfetch.exe to Troubleshoot HTTP Connections
> http://support.microsoft.com/defaul...kb;en-us;284285
>
> To use, please input:
>
> Host: (Your servername)
> Path: (The relative path of your page. e.g: /simple.htm)
> Auth: (Select Kerberos and input the proper username/password)
>
> Press Go! to issue a http request to the server and check what response is
> returned. You can paste the whole log data here for me to take a look.
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Partner Support
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
>
| |
|
| Sorry about that, I didn't run the test correctly. I re-ran it and this was
the output:
started....
Reusing existing connection (source port 4210)\n
ISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE set\n
0x80090303 (The specified target is unknown or unreachable): Unable to
InitializeSecurityContext
finished.
WWWConnect::Close("vmdynamics","80")\n
closed source port: 4210\r\n
""WenJun Zhang[msft]"" <wjzhang@online.microsoft.com> wrote in message
news:$VCTLOwiGHA.4500@TK2MSFTNGXA01.phx.gbl...
> Hi Tim,
>
> I suggest you use webfetch to perform a test and trace the rawdata of http
> request/response. It will ensure Kerberos token can be properly sent to
> the
> server-side.
>
> HOW TO: Use Wfetch.exe to Troubleshoot HTTP Connections
> http://support.microsoft.com/defaul...kb;en-us;284285
>
> To use, please input:
>
> Host: (Your servername)
> Path: (The relative path of your page. e.g: /simple.htm)
> Auth: (Select Kerberos and input the proper username/password)
>
> Press Go! to issue a http request to the server and check what response is
> returned. You can paste the whole log data here for me to take a look.
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Partner Support
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
>
| |
|
| Ran the same test again using the IP instead of the host name and got this:
started....
Reusing existing connection (source port 4291)\n
ISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE set\n
SEC_I_CONTINUE_NEEDED\n
REQUEST: **************\n
GET /loader.aspx HTTP/1.1\r\n
Host: 10.1.1.201\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: Kerberos
YIIKcQYJKoZIhvcSAQICAQBuggpgMIIKXKADAgEF
oQMCAQ6iBwMFACAAAACjggSFYYIEgTCCBH2gAwIB
BaEMGwpMQUJUU0MuQ09Noh0wG6ADAgECoRQwEhsE
SFRUUBs
KMTAuMS4xLjIwMaOCBEcwggRDoAMCARehAwIBAqK
CBDUEggQxt6zAFegMXInTTftiqMGwWeBjqX7oCPM
F667YyohsBpV+rcX2sd25wbZ1dRwl6FlMBBSY/w2xinvSeBJIaaRpueEab9BKcNiZTPVZnI
OjUnye3/xSi4MvdWtLWJlplz4r7tJuEvKCB2X/pRbVMsxAZT3ou/GILSrR3sKiROXfIzFuasL+5gmfnOD5IbsrAC3fjB
nIZ+OOeu4mMgC5s3ikLZ0GeqHlhYWdpcNsd0Pmfr
D+AuRJuJvH0djB1Xpav
49d0HwQvWZFSnXp2bW1hJOljnHgZdAt5V0fpAqyx
CMYyPMAbrk3PmmQTa0GTs+beCk44HrAnG/OheRd72gk/AwVZkkA0YmChmhYHEUQPakRnPRFLUMrJRwb2BkKZ
kawzuM8eKmmG1eVNPcAYvKgiWFi
jl+YCi0l1VVk/zTJMj/03K1KNAPgevIfl32ln72ttoaVE+1XktmF9zLRzka
xpqAIssHqoTNhkkFsffQbrn7E+22pOf8rakty0rJ
8yk3aS3EpXBA5044jN6OQpYfDwDlDkv82V1owUlD
QVZcxp6Snupv
aJ2RCJtpMLYV1F3XFed9M4kT9s220D9RV0JJ6FNz
w1mIn4l1oBUr/6wxV4Sku9H1TOnG9AYRylquvGzrsnPJncyvYoguW
2geQe0kJIXuBAU/z4HCAFMAEzXpfeyl0TswnZ7cdzkEeOioMe76/1eBFdV
4T56UvF9Rcd/eR1ljXeJp69QZaVhJyDjJqEisCLtXGqO+7V/XHIEmWkzu7wRHcXl/b6sHWNVDaGdPMs/MGcNR7/jzL4sBOM0Wp88AzqtqBmQWO6MiwdPeFWmEaSj6A3
oy3ijPz0mJC3vCG4MZN+zKIY
nwiUbgx68qcsllL7sYiEyzZcQmg7npCyt5IvIEzG
LVCDB8PdSjv61ktPF5fAJF4EHQg23DrbIRnUbdGt
B+C/9lu9zwxQgPsRrHg5QxjYcyrWoURlvtwdX9NGpq6I
8sWJ7OlBXI8N52pTXJbKEGxUabl
asgcmk/EfymL9ZidkD1wm8s0ckUK40HEdmkljbA9Ced2ewV
iwNM8mJKhjmJSwPddO+reE5zcYmKV8vCXX4amSgI
LLmwcoruVjBEqYHbCGPjFsommkTafLTU47ZD8wSc
ZJu5niRUCtBUyVzlF58bgBiP
eJQlPUnJyewp6Lay7XQTHPpEZj6SRUHzwfzpQrwi
N9tK3cJrxbIQsnuu94RmJBT18UdQqxjVKVBe+m1a
0dhy34vwMUL75fGnwzK03VPf/HAHaCI5k7oKu0WdCqbDQGZgaRLAFmPPahQH7A1KZ
DG2gsY
LOARb2r40MjosUOkvAT1+/RnKThA3/u6zOBJiO2oJSdrCUTwbItmIa785DSFxnUHKvwlJa
7KJEk4OxOJHLRG3af6vfutWmnamaDlYV7VsC1K/IrsLRbYpbKsOkggW8MIIFuKADAgEXooIFrwSCBat
PL
j5oEXvE1vTTQQw9lxsQDkCIZ6OyXlaK4UrLtQe32
kI6yWrAI4NVqweXThOITBE7gzUQFGTF6og8XW4t8
bwXiOq70+d7LNq6Y6UT00234KcKigg/osZEb/hOtTuBeU8GQByQNCw+FPeLduvQ13+UssdO
VEp+vSVWh/Ao6GkcWkq/QTU4G9xwwSh05wR8sjwjMLwuf/JDdDQz4bxNCpHZ7qpXCiRmh8dSiqjgtf6STtJFmF
8r+D1RP1wy3Tl2xC0eAQ48IJiC/IOQLRoioQlQjkqXqhaXcgEXrtz/+cqYcpxAD3/
MuXC3oq1Tnz0kB1AxXgEYuWiGRVBNcXBpj0PZz9m
F0nkDiTNLlIVJQoWxox4oiqVK9xAftYUiYdK34NA
F6AsyybZuf2toWwz47lu2Pm4Bm5NhiP/ZR/z8ogdmQFRH0/2mBjtTxvKZ2pQE/5x1p9tVJC
nxEGTLiTF/Q3Li56tdK0rAhsLzavH3uk3mBbOHgsiUPgCf4Dou
ZMDL3Dr6m9JauJ2Ux2BygrTlW8HvkeHmtOChrxbt
2yosy16v420EeSmJGgI9pdvPJCOEO5Q1r2gO9Y8L
wq1c1EeKropI9jGS1/0rz
WJH6B/cfu2X+MIkJFV7Pw+hPhEZ8PAIS7IlKN424v3Rl8T
SWtKveC9Pu/8wWz6IV1UokUHc3yAzGqIImuaXU6Uvw7Ix0NsIOs
xws8EiDE2fIJ2PvXSPLDsyjmnZ3dth6P9xCMkJj5
vM/d7kchrDKoOq
NkecJiwOgfpnsw57EYZfiykNlm/gib0aDsYAwD29qjwdAwg5sX84kYzxMFNYe0po5dk
tueWWXpQYbhHJPsp0XNZrq6Q7vgeQeuU5qJ4w9/ZjLh38V6tqx5JeFT82oZ5ZV185sTHGlPTHk86zDs
UC6Qo
sTj49uEe15i/xnL6kSykeElkuyMsab0xaHai/ZLkfrAREH/RS7nOxERTdFG5QJJVKcJ7O66zLVtKr6lqYilkuzy
t5zC/WR1zLTvVOYqLNamjX4rCJ2hTz8dHHQQQxqWqeE7l
fncELLnO5UoSA9gaYV1
eD8Zk8DtpA/iy5TNDiuj5OS5t2y/P/liJ6R4C6Cm6Kl0+HhS06ActJe2lxHaBHGHJTyEvk
yyhtAzeJqa8cMfvCqJUiRJ60hudevd1ocxISE2Sw
WNU913Kg6Jb3VtSRxiorWpcWFpyzZFq7Dns967Dg
R
ggDUXOXKHBLm1feEDvt+kfEitvR0LVp48YYcDZzi
KCNQhwoaMpFF7KVs5lE58SJTo+5EzdNzBFT5WSPu
TluGVLnlLJeW3D9WPHnbg+C0EvJVMM3an2dKCABr
41MXUecLwgf/Yj+r/xGWfPRKOwqu7rZ
5wNx6Rr2akc0Dv+0gijQJyUwQXCWA/OSBcdXGQA+W6mzoETCq09GRyr5apwKH6qaklfBa9
vkJSccW1ugovFb4PaNVjAQ34kjrXCwjiMadgTO2L
LM6PQyEnH3gsoAjWQcQvQzHxM8+A+TiSArD0q5XB
w
1m3mPCWYDiaAF6iqbQ51PShc/PNY+KlPEDuXE2IyJ1Y89gJM2uVuPxgqdtZ+zvmWH
JUD+1/9O750RlKBZpMw5ygacQqlWP2+k+l4Ghw6c5U1N6f
uUcB82GRem+GGrpWEZ1ZXOXi0Pzw48PyIpCZT2hN
tx3edc82zap9XjvY82lQQ4oxsUd+frFIC2rVDwHN
c8CnyI0J8BRz4M25SWhyGMVf5OsTL73wSFco5Pht
SBnPYifDSA2TI37Hq+sbWrOtt32/JtQyRUkEsoLv1LW15/8WmupSd0b9G9cL8iY4GvCkYMS
C9InnIVyU33ZXLdymkSWa6cGzsAE+vzI0YhvG+zF
KpE2+CwlQMS/QBnKXZs9XSV5dIrPqV4TS8E+xfScwgDGJTPb8H48
I3vOrQw5i21fs8brKvf3/tfBf+2hA==\r\n
\r\n
RESPONSE: **************\n
HTTP/1.1 401 Unauthorized\r\n
Content-Length: 1656\r\n
Content-Type: text/html\r\n
Server: Microsoft-IIS/6.0\r\n
WWW-Authenticate: Negotiate\r\n
X-Powered-By: ASP.NET\r\n
Date: Fri, 09 Jun 2006 19:37:58 GMT\r\n
\r\n
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">\r\n
<HTML><HEAD><TITLE>You are not authorized to view this page</TITLE>\r\n
<META HTTP-EQUIV="Content-Type" Content="text/html;
charset=Windows-1252">\r\n
<STYLE type="text/css">\r\n
BODY { font: 8pt/12pt verdana }\r\n
H1 { font: 13pt/15pt verdana }\r\n
H2 { font: 8pt/12pt verdana }\r\n
A:link { color: red }\r\n
A:visited { color: maroon }\r\n
</STYLE>\r\n
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>\r\n
\r\n
<h1>You are not authorized to view this page</h1>\r\n
You do not have permission to view this directory or page using the
credentials that you supplied because your Web browser is sending a
WWW-Authenticate header field that the Web server is not configured to accept.\r\n
<hr>\r\n
<p>Please try the following:</p>\r\n
<ul>\r\n
<li>Contact the Web site administrator if you believe you should be able to
view this directory or page.</li>\r\n
<li>Click the <a href="javascript:location.reload()">Refresh</a> button to
try again with different credentials.</li>\r\n
</ul>\r\n
<h2>HTTP Error 401.2 - Unauthorized: Access is denied due to server
configuration.<br>Internet Information Services (IIS)</h2>\r\n
<hr>\r\n
<p>Technical Information (for support personnel)</p>\r\n
<ul>\r\n
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft
Product Support Services</a> and perform a title search for the words
<b>HTTP
</b> and <b>401</b>.</li>\r\n
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),\r\n
and search for topics titled <b>About Security</b>, <b>Authentication</b>,
and <b>About Custom Error Messages</b>.</li>\r\n
</ul>\r\n
\r\n
</TD></TR></TABLE></BODY></HTML>\r\n
finished.
""WenJun Zhang[msft]"" <wjzhang@online.microsoft.com> wrote in message
news:$VCTLOwiGHA.4500@TK2MSFTNGXA01.phx.gbl...
> Hi Tim,
>
> I suggest you use webfetch to perform a test and trace the rawdata of http
> request/response. It will ensure Kerberos token can be properly sent to
> the
> server-side.
>
> HOW TO: Use Wfetch.exe to Troubleshoot HTTP Connections
> http://support.microsoft.com/defaul...kb;en-us;284285
>
> To use, please input:
>
> Host: (Your servername)
> Path: (The relative path of your page. e.g: /simple.htm)
> Auth: (Select Kerberos and input the proper username/password)
>
> Press Go! to issue a http request to the server and check what response is
> returned. You can paste the whole log data here for me to take a look.
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Partner Support
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
>
| |
| WenJun Zhang[msft] 2006-06-12, 1:24 pm |
| Hi Tim,
This indicates Kerberos auth actually didn't work on your server. Please
make sure your KDC is correctly configured and also check if integrated
windows auth is enabled in IIS.
Also by default, both Kerberos and NTLM are enabled in
NTAuthenticationProviders metabase entry. You may have to verify this to
see if Kerberos is removed.
215383 How to configure IIS to support both the Kerberos protocol and the
NTLM protocol for network authentication
http://support.microsoft.com/defaul...kb;EN-US;215383
Best regards,
WenJun Zhang
Microsoft Online Partner Support
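Two things can be read straight out of the WFetch trace posted earlier, and both bear on the NTAuthenticationProviders advice just above. First, the request carried `Authorization: Kerberos <token>` while the 401.2 response offered only `WWW-Authenticate: Negotiate`, and the error body says the server is not configured to accept the header field the client sent; a server whose provider list is the default "Negotiate,NTLM" answers with both a Negotiate and an NTLM challenge, and a bare "Kerberos" scheme is in neither list. Second, the token itself is a plain Kerberos AP-REQ whose cleartext part shows which ticket the client actually obtained. With the host name, WFetch never got that far: InitializeSecurityContext failed with 0x80090303 (SEC_E_TARGET_UNKNOWN) before any request was sent. The added example below (my code, not from the thread, WFetch or IIS) does both checks offline. It decodes the GSS-API framing and the AP-REQ far enough to report the ap-options, the ticket's realm and service principal, and the encryption type and key version of the ticket, and it compares the scheme the client used with the schemes the server offered. The embedded token prefix is the first 176 base64 characters of the captured token with the wrapped lines joined, cut off inside the ticket ciphertext, so the DER reader is written to tolerate a truncated buffer; the header values are taken from the trace; nothing beyond the standard library is used.

```python
import base64

# First 176 base64 characters of the token captured above, wrapped lines joined;
# it stops inside the ticket ciphertext, so the parser must cope with truncation.
TOKEN_PREFIX = (
    "YIIKcQYJKoZIhvcSAQICAQBuggpgMIIKXKADAgEFoQMC"
    "AQ6iBwMFACAAAACjggSFYYIEgTCCBH2gAwIBBaEMGwpM"
    "QUJUU0MuQ09Noh0wG6ADAgECoRQwEhsESFRUUBsKMTAu"
    "MS4xLjIwMaOCBEcwggRDoAMCARehAwIBAqKCBDUEggQx"
)
CAPTURED_AUTHORIZATION = "Kerberos " + TOKEN_PREFIX  # scheme WFetch sent
CAPTURED_CHALLENGE = ["Negotiate"]      # WWW-Authenticate values in the 401
KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
AP_OPTION_NAMES = {1: "use-session-key", 2: "mutual-required"}

def read_tlv(buf, pos):
    """(tag, content_start, content_len, next_pos); only the header must be in buf."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:                  # long form: next n bytes hold the length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, length, pos + length

def children(buf, start, length):
    """Elements directly inside a constructed element, up to the buffer end."""
    pos, end = start, min(start + length, len(buf))
    while pos + 2 <= end:
        tag, cstart, clen, pos = read_tlv(buf, pos)
        yield tag, cstart, clen

def unwrap(buf, pos, expect_tag):
    """Content (start, length) of the element at pos after checking its tag."""
    tag, cstart, clen, _ = read_tlv(buf, pos)
    if tag != expect_tag:
        raise ValueError(f"expected tag {expect_tag:#04x}, got {tag:#04x}")
    return cstart, clen

def int_at(buf, pos):
    s, n = unwrap(buf, pos, 0x02)
    return int.from_bytes(buf[s:s + n], "big", signed=True)

def ap_options(buf, start, length):
    """KerberosFlags BIT STRING: byte 0 counts unused bits; flag 0 is the MSB after it."""
    bits, width = int.from_bytes(buf[start + 1:start + length], "big"), 8 * (length - 1)
    return [AP_OPTION_NAMES.get(i, f"bit{i}") for i in range(width)
            if bits >> (width - 1 - i) & 1]

def parse_principal(buf, pos):
    """PrincipalName: return [1] name-string (SEQUENCE OF KerberosString)."""
    s, n = unwrap(buf, pos, 0x30)
    for tag, cs, _ in children(buf, s, n):
        if tag == 0xA1:
            ss, sn = unwrap(buf, cs, 0x30)
            return [buf[a:a + b].decode("ascii")
                    for t, a, b in children(buf, ss, sn) if t == 0x1B]
    return []

def parse_ticket(buf, pos):
    """Cleartext of Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno, realm, sname, enc-part }."""
    s, n = unwrap(buf, pos, 0x61)
    s, n = unwrap(buf, s, 0x30)
    out = {}
    for tag, cs, _ in children(buf, s, n):
        if tag == 0xA1:               # realm is a KerberosString (GeneralString, 0x1B)
            rs, rn = unwrap(buf, cs, 0x1B)
            out["realm"] = buf[rs:rs + rn].decode("ascii")
        elif tag == 0xA2:
            out["sname"] = parse_principal(buf, cs)
        elif tag == 0xA3:             # EncryptedData { [0] etype, [1] kvno, [2] cipher }
            es, en = unwrap(buf, cs, 0x30)
            for t, c, _ in children(buf, es, en):
                if t in (0xA0, 0xA1):
                    out["etype" if t == 0xA0 else "kvno"] = int_at(buf, c)
    return out

def decode_token(b64):
    """RFC 4121 InitialContextToken: [APPLICATION 0] { mech OID, TOK_ID, KRB_AP_REQ }."""
    buf = base64.b64decode(b64)
    s, _ = unwrap(buf, 0, 0x60)
    tag, ostart, olen, pos = read_tlv(buf, s)
    if tag != 0x06 or buf[ostart:ostart + olen] != KRB5_MECH_OID:
        raise ValueError("not a Kerberos V5 GSS-API token")
    out = {"tok_id": buf[pos:pos + 2].hex()}    # 0100 = KRB_AP_REQ
    s, n = unwrap(buf, pos + 2, 0x6E)           # [APPLICATION 14] AP-REQ
    s, n = unwrap(buf, s, 0x30)
    for tag, cs, _ in children(buf, s, n):
        if tag == 0xA2:
            out["ap_options"] = ap_options(buf, *unwrap(buf, cs, 0x03))
        elif tag == 0xA3:
            out["ticket"] = parse_ticket(buf, cs)
    return out

def analyse(authorization=CAPTURED_AUTHORIZATION, challenge=CAPTURED_CHALLENGE):
    """Scheme the client sent vs. the schemes offered in the 401, plus the ticket."""
    scheme, token = authorization.split(None, 1)
    offered = [value.split(None, 1)[0] for value in challenge]
    return {"scheme": scheme, "offered": offered,
            "scheme_offered": scheme in offered, "token": decode_token(token)}
```

`analyse()` on the captured exchange reports scheme "Kerberos" against an offered list of ["Negotiate"], and a ticket for HTTP/10.1.1.201 in realm LABTSC.COM with the mutual-required option set (that is what WFetch's ISC_REQ_MUTUAL_AUTH became on the wire), encrypted with etype 23 (RC4-HMAC) under kvno 2. Feed the same function a browser's `Authorization: Negotiate ...` header and the 401's full WWW-Authenticate list to check any other client the same way; a SPNEGO token would need its own outer layer stripped first, which this decoder does not do.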
WenJun Zhang[msft] 2006-06-13, 7:29 am
Hi Tim,
If so, what's the result in WFetch with Kerberos auth? Could you provide
me with the trace to take a look?
If Kerberos auth actually fails on the server side, you will have to post a
new thread to our Windows 2003 security or AD newsgroup to troubleshoot the
Kerberos auth part.
Best regards,
WenJun Zhang
Microsoft Online Partner Support

Here is the result:
started....
WWWConnect::Connect("vmdynamics","80")\n
IP = "10.1.1.201:80"\n
source port: 2022\r\n
ISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE set\n
0x80090303 (The specified target is unknown or unreachable): Unable to
InitializeSecurityContext
finished.
WWWConnect::Close("vmdynamics","80")\n
closed source port: 2022\r\n
""WenJun Zhang[msft]"" <wjzhang@online.microsoft.com> wrote in message
news:4XuCoKsjGHA.764@TK2MSFTNGXA01.phx.gbl...
> Hi Tim,
>
> If so, what's the result in webfetch with Kerberos auth? Could you provide
> me with the trace to take a look?
>
> If Kerberos auth actually fails on the server-side, you will have to post
> a
> new thread to our Windows 2003 security or AD newsgroup to troubleshoot
> the
> Kerberos auth part.
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Partner Support
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
>
| |
| WenJun Zhang[msft] 2006-06-14, 1:23 pm |
| Hi Tim,
I'm not sure why it would fail with servername but worked with IP address
but I believe this should be related to the root cause. Looks like the
problem client has some problem on communicating with your domain
controller? Otherwise there shouldn't be such kind of name resolution
issue. You may try to remove the client machine from your domain and then
add it back to have a test.
If it's still no success, please post the issue to our Windows AD or
security newsgroup for suggestions. Thanks.
Best regards,
WenJun Zhang
Microsoft Online Partner Support

No luck there either. I'll try the other NG. Thank you very much for your
help.
-Tim
""WenJun Zhang[msft]"" <wjzhang@online.microsoft.com> wrote in message
news:SeNzO96jGHA.4528@TK2MSFTNGXA01.phx.gbl...
> Hi Tim,
>
> I'm not sure why it would fail with servername but worked with IP address
> but I believe this should be related to the root cause. Looks like the
> problem client has some problem on communicating with your domain
> controller? Otherwise there shouldn't be such kind of name resolution
> issue. You may try to remove the client machine from your domain and then
> add it back to have a test.
>
> If it's still no success, please post the issue to our Windows AD or
> security newsgroup for suggestions. Thanks.
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Partner Support
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
>
|
|
|
|
|