David Wang 2007-02-15, 7:21 am

Can you please first answer my prior questions so that we can make
forward progress?
1. In the failing case, is it Kerberos over SSL Client Certificate,
and NOT NTLM over SSL Client Certificate?
2. If it is Kerberos, determine the size of the ticket blob in the
request header. You can do this test over HTTP to sniff the traffic.

In general, I recommend *against* making changes without making the
diagnosis first, and changes to UploadReadAheadSize on IIS5 have no
effect on what I suspect to be the issue and have other consequences...
so I suggest you *revert* your changes.

Do not make changes before diagnosing the issue. How would you feel if
your physician first performs open heart surgery on you and then looks
at your blood sample?

IE is not doing anything "special" when you dismiss the Client Cert
selection dialog - just Integrated Authentication without Client
Certificates, which we know works. But, that is NOT what you want -
Kerberos over Client Certificates - so please do not get distracted.

IFF the issue is large Kerberos ticket over SSL Client Certificate,
then:
1. there is no solution on IIS5/IIS5.1 (UploadReadAheadSize does not
work)
2. You will need IIS6 on Windows Server 2003 and change
UploadReadAheadSize, as documented
3. Or make your Kerberos ticket smaller.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
On Feb 15, 12:51 am, jacorona <jacor...@discussions.microsoft.com>
wrote:
> Hello David,
> please forgive my delay in answering your comments.
>
> I have had some time to test your suggestion, but it still doesn't work. The
> client program still times out.
>
> I first made the change in the IIS metabase manually using MetaEdit,
> trying to set this parameter (uploadreadaheadsize) in a couple of branches (I
> was unsure exactly where to set it) and via script (in this case specifically
> in w3svc/1/uploadreadaheadsize). In all the cases the result was the same (I
> restarted IIS, etc,...)
>
> Apart from not having read anything that suggested that it shouldn't work,
> the fact is that in the same environment (locally in W2K or WXP) when
> accessing an .aspx page in the same directory via IE, and after dismissing
> the dialog for selecting a certificate, IE accesses the page with integrated
> credentials. What I don't know is what IE does programmatically.
>
> As an aside, do you know of any debugging tool that lets you inspect an https
> communication (in case it were possible, obviously providing it first with
> any needed certificate)?
>
> Thank you for your help.
> Alfonso Corona
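Added example (not part of the original thread): a Python sketch of the diagnosis requested in the reply above, taking an `Authorization` header captured from a plain-HTTP trace and reporting whether the token is Kerberos or NTLM and how large it is. The function names and both sample tokens are constructed for illustration; the mechanism check is a heuristic based on the NTLMSSP signature and the Kerberos mechanism OIDs near the start of the SPNEGO token.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs that mark a Kerberos token inside SPNEGO/GSS-API
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2


def classify_authorization(header_line):
    """Classify one captured 'Authorization:' header line and measure it."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "authorization":
        raise ValueError("not an Authorization header")
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        raise ValueError("not Integrated Authentication: " + scheme)
    token = base64.b64decode(b64.strip(), validate=True)
    head = token[:64]  # the mechanism list sits at the start of the token
    if token.startswith(NTLMSSP_SIG):
        mechanism = "NTLM"      # raw NTLMSSP message
    elif token[:1] == b"\x60" and (OID_KRB5 in head or OID_MS_KRB5 in head):
        mechanism = "Kerberos"  # heuristic: GSS-API wrapper listing a Kerberos mech
    else:
        mechanism = "unknown"
    return {"scheme": scheme, "mechanism": mechanism,
            "token_bytes": len(token), "header_bytes": len(header_line)}


def sample_headers():
    """Constructed inputs, not real captures; the DER lengths are placeholders."""
    ntlm = NTLMSSP_SIG + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 24
    krb = (b"\x60\x82\x0f\xca" + bytes.fromhex("06062b0601050502")
           + b"\xa0\x82\x0f\xbe\x30\x82\x0f\xba\xa0\x18\x30\x16"
           + OID_MS_KRB5 + OID_KRB5 + b"\x00" * 4000)
    return ["Authorization: Negotiate " + base64.b64encode(t).decode("ascii")
            for t in (ntlm, krb)]


if __name__ == "__main__":
    for line in sample_headers():
        print(classify_authorization(line))
```

`header_bytes` is the figure to compare against the server's request-buffering limits, since the base64 encoding makes the header about a third larger than the decoded token.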