Integrated Authentication (Kerberos) Problem
    Integrated Authentication (Kerberos) Problem  
Mark Parter


07-16-04 01:12 PM

Hello All,

I have the following 3 machines involved in this process;

1. A Windows XP SP1 with IE6 client machine
2. A Windows 2003 server with IIS 6
3. A Windows 200 Server with SQL Server 2000

I'm trying to get a report I've created in Reporting Services (which is server from machine 2) to access data from a SQL database on machine 3.

I cannot get Kerberos to work, IE6 on machine 1 seems to indicate that NTLM is being used instead. I am testing with an ASP script from a Microsoft article. The script always returns the Authentication Type as NTLM. Here's what I've done so far;

1. Configured IIS 6 to use ONLY Integrated Windows Authentication
2. Given machine 2 delegation privileges in AD
3. Given the domain account under which the IIS application runs, delegation privileges in AD.
4. Set SPN's for this domain account (not sure if I've done this OK so a pointer on this may be helpful)
5. Verified that IE has the "Enable Integrated Windows Authentication" option checked.
6. Changed the NTAuthenticationProviders attribute in the metabase.xml file from NTAuthenticationProviders="NTLM" to NTAuthenticationProviders="Negotiate,NTLM"
7. Gone through the MS article at http://www.microsoft.com/technet/pr...y/tkerbdel.mspx but still no further forward.
8. Confirmed that authentication only fails from machine 1. If accessing the same site on machine 2, everything works fine.

Here's an extract from the IIS log;

2004-07-16 13:58:33 10.20.16.27 GET /tests/kerberos.asp |17|80004005|Login_failed_for_user_'(null)'._Reason:_Not_associated_with_a_trusted_SQL_Server_connection. 80 STAFF\M-Parter 10.20.20.55 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 500 0 0
2004-07-16 13:58:40 10.20.16.27 GET /tests/kerberos.asp - 80 - 10.20.20.55 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 2 2148074254
2004-07-16 13:58:40 10.20.16.27 GET /tests/kerberos.asp - 80 - 10.20.20.55 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 1 0
2004-07-16 13:58:40 10.20.16.27 GET /tests/kerberos.asp |17|80004005|Login_failed_for_user_'(null)'._Reason:_Not_associated_with_a_trusted_SQL_Server_connection. 80 STAFF\M-Parter 10.20.20.55 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 500 0 0


When I performed step 6, I then get prompted for a username and password in 
IE on machine 1. No matter what I enter for a username and password, I don't
 get access. If I then undo the changes in Step 6, I can gain access to the 
site again.
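
Added example, not part of the original post: a Python reading of the IIS log extract above, decoding the status codes and flagging the two symptoms the thread is about (an NTLM-style 401.2/401.1 exchange, and a SQL login that arrives with no identity although IIS knew the caller). It assumes the 13 space-separated fields follow the IIS 6 default W3C order, since the post shows no #Fields header; the status meanings in the tables are annotations added here.

```python
# W3C field order assumed for the log lines in the post (13 space-separated fields).
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query", "s_port",
          "username", "c_ip", "user_agent", "status", "substatus", "win32_status"]
# Only the status pairs and the Win32 code that occur in the extract.
HTTP_MEANING = {
    (401, 2): "anonymous request refused, server offers its auth schemes",
    (401, 1): "logon failed (in IIS 6 logs also the challenge leg of NTLM)",
    (500, 0): "script error after the caller was authenticated",
}
WIN32_MEANING = {0x8009030E: "SEC_E_NO_CREDENTIALS"}  # 2148074254 in decimal

# Log extract from the post with the forum's line wrapping undone.
UA = "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322)"
ERR = ("|17|80004005|Login_failed_for_user_'(null)'."
       "_Reason:_Not_associated_with_a_trusted_SQL_Server_connection.")
HEAD = "10.20.16.27 GET /tests/kerberos.asp"
LOG = [
    f"2004-07-16 13:58:33 {HEAD} {ERR} 80 STAFF\\M-Parter 10.20.20.55 {UA} 500 0 0",
    f"2004-07-16 13:58:40 {HEAD} - 80 - 10.20.20.55 {UA} 401 2 2148074254",
    f"2004-07-16 13:58:40 {HEAD} - 80 - 10.20.20.55 {UA} 401 1 0",
    f"2004-07-16 13:58:40 {HEAD} {ERR} 80 STAFF\\M-Parter 10.20.20.55 {UA} 500 0 0",
]

def parse(line):
    rec = dict(zip(FIELDS, line.split(" ")))
    for key in ("status", "substatus", "win32_status"):
        rec[key] = int(rec[key])
    return rec

def describe(rec):
    http = HTTP_MEANING.get((rec["status"], rec["substatus"]), "not covered here")
    win32 = WIN32_MEANING.get(rec["win32_status"], "")
    return f'{rec["time"]} {rec["status"]}.{rec["substatus"]} {http} {win32}'.rstrip()

def ntlm_handshake_seen(records):
    """True when a 401.2 is directly followed by a 401.1 for the same client and URL."""
    return any((a["status"], a["substatus"], b["status"], b["substatus"]) == (401, 2, 401, 1)
               and (a["c_ip"], a["uri_stem"]) == (b["c_ip"], b["uri_stem"])
               for a, b in zip(records, records[1:]))

def delegation_failures(records):
    """IIS knew the caller (cs-username set) yet SQL Server saw a login with no identity."""
    return [r for r in records
            if r["username"] != "-" and "Login_failed_for_user_'(null)'" in r["uri_query"]]

RECORDS = [parse(line) for line in LOG]

if __name__ == "__main__":
    print(*map(describe, RECORDS), sep="\n")
    print(ntlm_handshake_seen(RECORDS), len(delegation_failures(RECORDS)))
```

On the extract this reports the 401.2/401.1 pair and two requests where STAFF\M-Parter was authenticated to IIS but the SQL Server login carried no identity, which is what a connection made without delegated credentials looks like.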



    RE: Integrated Authentication (Kerberos) Problem  
Steve Dodson [MSFT]


07-16-04 10:53 PM

Mark,

Verify the SPN for the SQL service account is registered such as the
following:

setspn -A MSSQLSvc/server23.northamerica.microsoft.com:1433 sqlaccount

I have also seen it where you need to register another SPN (NetBIOS name)
such as:

setspn -A MSSQLSvc/server1:1433 sqlaccount

Hope that helps!


Steve Dodson [MSFT]
MCSE, CISSP
PSS Security

--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note:  For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.



    Re: Integrated Authentication (Kerberos) Problem  
Ken Schaefer


07-18-04 07:48 AM

What is the servername that you are accessing the IIS server with?

If it is a fully qualified domain name (FQDN), then IE will think that this
machine is the "Internet" security zone by default, and will not attempt
Kerberos Authentication (I think this is mentioned in the Troubleshooting
Kerberos doc you have). You need to add the site to the Intranet zone -or-
access the site by NetBIOS name.

Also, if you are accessing by FQDN, ensure that the relevant SPN is
registered:
http://support.microsoft.com/defaul...kb;EN-US;294382

Cheers
Ken





    Re: Integrated Authentication (Kerberos) Problem  
Mark Parter


07-27-04 10:57 PM

The IIS server is called dv2anai
The SQL Server is called sql-server

Imaginative titles or what 

I access the site using http://dv2anai
IE shows this as being part of the "Intranet Zone"



