|
Home > Archive > IIS Server Security > March 2007 > Windows Integrated Authentication and Kerberos
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Windows Integrated Authentication and Kerberos
|
|
| Andrey Nepomnyaschih 2007-03-21, 1:25 pm |
| Hello,
I'm having problems with setting up the Kerberos Authentication. No matter
what I do, the client always tries to use NTLM package.
Well, I have a IIS Server on a member server. The Default Web Site, has only
the "Integrated Windows authentication" box checked. The Internet Explorer,
has "Enable Integrated Windows Authentication" option enabled, but when I
try to access the page on this site the client is being authenticated using
NTLM.
Ok, the what I have done so far.
- The computer account for the member server has the "Trust this computer
for delegation to any service (Kerberos only)" option enabled in Active
Directory.
- It doesn't matter whether application pool runs under NETWORK SERVICE
account, or under a correcltly configured domain account.
By correctly configured domain account I mean, an account which has
"Trust this computer for delegation to any service (Kerberos only)" option
enabled in Active Directory and has an SPN records setup like this:
setspn -A http/host DOMAIN\ACCOUNT
setspn -A http/host.domain.tld DOMAIN\ACCOUNT
- I removed the NTLM from the list by running cscript adsutil.vbs set
w3svc/WebSite/root/NTAuthenticationProviders "Negotiate".
But whenever I try to access to page the Security log, shows the following
message:
Successful Network Logon:
User Name: nas
Domain: DOMAIN
Logon ID: (0x0,0x2F4638)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: IT-NAS-W571A
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.1.196
Source Port: 1996
Does anyone have a clue why it can happen?
Have a good time
Andrey Nepomnyaschih
| |
| Ken Schaefer 2007-03-22, 1:24 am |
| Hi,
a) IE will only attempt Kerberos authentication if the site is in the
Intranet security zone. If you are accessing the site as
http://www.somesite.tld then this is not in the Intranet security zone by
default
b) Ensure that you don't have duplicate SPNs (same SPN registered under
multiple accounts in AD). That will cause Kerberos Auth to fail.
Cheers
Ken
"Andrey Nepomnyaschih" <nas@i-free.ru> wrote in message
news:uC0O9b7aHHA.2064@TK2MSFTNGP05.phx.gbl...
> Hello,
>
> I'm having problems with setting up the Kerberos Authentication. No matter
> what I do, the client always tries to use NTLM package.
>
> Well, I have a IIS Server on a member server. The Default Web Site, has
> only the "Integrated Windows authentication" box checked. The Internet
> Explorer, has "Enable Integrated Windows Authentication" option enabled,
> but when I try to access the page on this site the client is being
> authenticated using NTLM.
>
> Ok, the what I have done so far.
> - The computer account for the member server has the "Trust this computer
> for delegation to any service (Kerberos only)" option enabled in Active
> Directory.
> - It doesn't matter whether application pool runs under NETWORK SERVICE
> account, or under a correcltly configured domain account.
> By correctly configured domain account I mean, an account which has
> "Trust this computer for delegation to any service (Kerberos only)" option
> enabled in Active Directory and has an SPN records setup like this:
>
> setspn -A http/host DOMAIN\ACCOUNT
> setspn -A http/host.domain.tld DOMAIN\ACCOUNT
>
> - I removed the NTLM from the list by running cscript adsutil.vbs set
> w3svc/WebSite/root/NTAuthenticationProviders "Negotiate".
>
> But whenever I try to access to page the Security log, shows the following
> message:
>
> Successful Network Logon:
> User Name: nas
> Domain: DOMAIN
> Logon ID: (0x0,0x2F4638)
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: IT-NAS-W571A
> Logon GUID: -
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transited Services: -
> Source Network Address: 192.168.1.196
> Source Port: 1996
>
> Does anyone have a clue why it can happen?
>
> Have a good time
> Andrey Nepomnyaschih
>
| |
| Andrey Nepomnyaschih 2007-03-22, 1:26 pm |
| Hi, Ken.
Thanks for your answer. But I just forgot to mention that. Yes the server is
listed in "Intranet Zone", and Intranet Zone has the option to automatically
send username and password to sites in the zone.
Well, I tried to capture packets using Ethereal. And the findings are that
the client doesn't even consider using Kerberos. It uses NEGOTIATE, falls
back to NTLM. And during that it does not contact KDC for service ticket.
Does anyone know how address that?
Best Regards,
Andrey Nepomnyaschih
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:ezPUjiBbHHA.4000@TK2MSFTNGP02.phx.gbl...
> Hi,
>
> a) IE will only attempt Kerberos authentication if the site is in the
> Intranet security zone. If you are accessing the site as
> http://www.somesite.tld then this is not in the Intranet security zone by
> default
>
> b) Ensure that you don't have duplicate SPNs (same SPN registered under
> multiple accounts in AD). That will cause Kerberos Auth to fail.
>
> Cheers
> Ken
>
>
> "Andrey Nepomnyaschih" <nas@i-free.ru> wrote in message
> news:uC0O9b7aHHA.2064@TK2MSFTNGP05.phx.gbl...
>
| |
| Ken Schaefer 2007-03-24, 1:17 pm |
| Hi,
a) in Internet Explorer -> Tools -> Options -> Advanced verify that "Enable
Integrated Windows Authentication (requires a restart)" is enabled. This is
required to be checked for Kerberos to be used (NTLM works without that
being checked)
b) check for duplicate SPNs - that will cause Kerberos to fail. You can not
have the same SPN registered under multiple machine/user accounts in AD.
Cheers
Ken
"Andrey Nepomnyaschih" <nas@i-free.ru> wrote in message
news:%23K8TrwIbHHA.2076@TK2MSFTNGP04.phx.gbl...
> Hi, Ken.
>
> Thanks for your answer. But I just forgot to mention that. Yes the server
> is listed in "Intranet Zone", and Intranet Zone has the option to
> automatically send username and password to sites in the zone.
>
> Well, I tried to capture packets using Ethereal. And the findings are that
> the client doesn't even consider using Kerberos. It uses NEGOTIATE, falls
> back to NTLM. And during that it does not contact KDC for service ticket.
> Does anyone know how address that?
>
> Best Regards,
> Andrey Nepomnyaschih
>
>
> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> news:ezPUjiBbHHA.4000@TK2MSFTNGP02.phx.gbl...
>
>
|
|
|
|
|