:  -----Original Message-----
:  From: [EMAIL PROTECTED] [mailto:ActiveDir-
:  [EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
:  Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:  
:  I am running the application pool for this website as "Network
:  Service".
:  It is not explicitly defined in my IE Intranet Security Zone, but we
:  have a proxy script that enables "bypass from proxy server" and we
:  have that condition in IE security zone enabled, so yes, it's there.

I would recommend against making assumptions for reasons that are listed
below. Verify by looking at the icon in IE.

:  I know it is using Kerberos (unless .Net is wrong) because I do a 
:  catch that poops out the user context
:  
:  System.Security.Principal.WindowsIdentity.GetCurrent().ImpersonationLevel.ToString();
:  System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType;

How do you know this is Kerberos and not NTLM?!? I think you are making an
assumption here as well. As you say below, your packet capture is showing
NTLM. You could look in the Windows Security event log on the IIS box to
find out which package is being used to authenticate the user.

:  D.) Until development is completed it is accessed under the server FQDN,
:  I registered an HTTP SPN as follows: "setspn -a servername.com
:  servername".

Remove this SPN, it is not necessary. If you are running as Network Service,
the HOST SPN will be fine.


:  My network traces show it trying to auth as NTLM...I thought if it
:  can use kerb it does that first then NTLM

This is an incorrect assumption. There is no fall back. If IE is using NTLM,
then Kerberos is not being attempted at all. This is why I want you to verify
that IE thinks the site is in the Intranet security zone.

: ...I'm going to add
:  NTAuthenticationProviders=Negotiate in the metabase for this site so
:  it forces kerb or nothing. Thanks again!

This is another assumption. The Negotiate HTTP header does not force
Kerberos. It is a fancy way of telling the client that Kerberos is available
(and so is NTLM, and the browser needs to choose which out of the two it
wants to use). If you already have the Negotiate header in there, then IE is
deliberately choosing to use NTLM, and editing this property will not help
you.

If Negotiate is not there at all (and only NTLM is there), then you will need
to add it, and that may fix your problem.

Cheers
Ken

:  
:  -Brandon
:  
:  ________________________________
:  
:  From: [EMAIL PROTECTED]
:  [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
:  Sent: Wednesday, May 17, 2006 7:45 PM
:  To: ActiveDir@mail.activedir.org
:  Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:  
:  
:  
:  There's lots of information missing from your post.
:  
:  
:  
:  If you are using a FQDN or IP address to access the site, then the
:  site
:  must be in IE's Intranet Security zone (not Internet zone). IE doesn't
:  attempt Kerberos authentication for sites in the Internet zone.
:  
:  
:  
:  You haven't mentioned what security contexts you are running your
:  website under. If your web application is running under a custom
:  account, all applications accessible at the same FQDN must also be
:  running under that account (even if they are in a different web app
:  pool). And you need to register the SPN under that custom account. If
:  you are using the default Network Service account, then you do not
:  need
:  to register a HTTP SPN unless you are using a non-default port.
:  
:  
:  
:  So, perhaps you can give us the following configuration details?
:  
:  a)      Is website in Intranet security zone in IE?
:  
:  b)      Is "Enable Integrated Windows AuthN" enabled in IE?
:  
:  c)       Is IIS computer account trusted for delegation in AD?
:  
:  d)      What is the URL you are using to access the site, what SPN did
:  you register and where?
:  
:  e)      The other applications accessible at the FQDN/IP address - are
:  they also running under the same user context?
:  
:  f)       In the Security event log, what logon failure events do you
:  see? Can you cut-n-paste them here please?
:  
:  
:  
:  Cheers
:  
:  Ken
:  
:  
:  
:  --
:  
:  My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
:  
:  Tech.Ed Boston 2006 See you there: Everything the web administrator
:  needs to know about MOM 2005
:  
:  ________________________________
:  
:  From: [EMAIL PROTECTED]
:  [mailto:[EMAIL PROTECTED] On Behalf Of Bernier,
:  Brandon (.)
:  Sent: Thursday, 18 May 2006 6:51 AM
:  To: ActiveDir@mail.activedir.org
:  Subject: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:  
:  
:  
:  
:  
:  OK...I've got a nice issue here and I've been bashing my head against
:  my
:  desk to the point where I need help.
:  
:  I'm writing a very directory intensive application in C# with ASP.Net
:  2.0. If I authenticate to the webpage via NTLM my directory calls will
:  fail, this is because of the NTLM double hop (trying to pass it from
:  the
:  client to IIS and do stuff to Active Directory). Sooooo I say I'll use
:  Kerberos instead, I figured if I enabled the computer object for the
:  IIS
:  box to be trusted for delegation and give it an HTTP SPN it should
:  work.
:  It will work locally from the webserver, but not from any client. My
:  guess is it wants the client computers to be trusted as well to
:  support the mutual auth (I hope I'm wrong). Any suggestions?
:  
:  -Brandon
:  
:  
:  List info   : http://www.activedir.org/List.aspx
:  List FAQ    : http://www.activedir.org/ListFAQ.aspx
:  List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
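Ken's question above ("How do you know this is Kerberos and not NTLM?") and his point that a Negotiate header only advertises both packages can both be settled from the wire rather than from the browser's or .NET's say-so: decode the token the client puts in its Authorization header. The Python below is an added example, not code from this thread, from IIS or from any Microsoft library. Its function names are its own; the sample tokens it feeds itself are constructed, not captured; and the tiny DER parser assumes a well-formed SPNEGO NegTokenInit of the shape Windows clients send (mechTypes first, lengths under 128 bytes for the constructed samples).

```python
"""Which package did the browser actually use: Kerberos or NTLM?

Added example, not code from the thread. It inspects the token carried in
the HTTP Authorization header a client sends to IIS and reports the
package inside it. Sample tokens are constructed by build_negtokeninit()
and RAW_NTLM_TYPE1 below, not captured from a real exchange.
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {KRB5_OID: "Kerberos", MS_KRB5_OID: "Kerberos (MS KRB5)",
              NTLMSSP_OID: "NTLM"}


def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """DER OID contents -> dotted string."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def spnego_mech_types(token):
    """mechTypes (dotted OIDs, preferred first) of a SPNEGO NegTokenInit."""
    tag, body, _ = _read_tlv(token, 0)              # [APPLICATION 0]
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = _read_tlv(body, 0)              # thisMech OID
    if tag != 0x06 or _decode_oid(oid) != SPNEGO_OID:
        raise ValueError("not SPNEGO")
    _, neg_init, _ = _read_tlv(body, pos)           # [0] NegTokenInit
    _, seq, _ = _read_tlv(neg_init, 0)              # SEQUENCE
    _, mech_ctx, _ = _read_tlv(seq, 0)              # [0] mechTypes
    _, mech_seq, _ = _read_tlv(mech_ctx, 0)         # SEQUENCE OF OID
    oids, pos = [], 0
    while pos < len(mech_seq):
        _, oid, pos = _read_tlv(mech_seq, pos)
        oids.append(_decode_oid(oid))
    return oids


def classify_authorization(header_value):
    """'Negotiate <b64>' or 'NTLM <b64>' -> the package the client chose."""
    scheme, _, b64 = header_value.partition(" ")
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):
        # Raw NTLMSSP blob: sent as 'NTLM ...', or by some clients as
        # 'Negotiate ...' with no SPNEGO wrapper at all.
        return f"NTLM (raw, scheme {scheme})"
    mechs = spnego_mech_types(token)
    return "SPNEGO, preferred mechanism " + MECH_NAMES.get(mechs[0], mechs[0])


def diagnose(www_authenticate, authorization):
    """Compare the schemes the 401 offered with what the client then sent."""
    return {"offered": [v.split(" ", 1)[0] for v in www_authenticate],
            "chosen": classify_authorization(authorization)}


# --- constructed samples; minimal DER encoder (short-form lengths only) ---
def _tlv(tag, content):
    assert len(content) < 128, "sample encoder supports short-form lengths only"
    return bytes([tag, len(content)]) + content


def _encode_oid(dotted):
    nums = [int(x) for x in dotted.split(".")]
    out = bytes([40 * nums[0] + nums[1]])
    for n in nums[2:]:
        chunk = [n & 0x7F]
        n >>= 7
        while n:
            chunk.append((n & 0x7F) | 0x80)
            n >>= 7
        out += bytes(reversed(chunk))
    return out


def build_negtokeninit(mech_oids):
    """Constructed SPNEGO NegTokenInit offering mech_oids in that order."""
    mech_list = b"".join(_tlv(0x06, _encode_oid(o)) for o in mech_oids)
    neg_init = _tlv(0x30, _tlv(0xA0, _tlv(0x30, mech_list)))
    return _tlv(0x60, _tlv(0x06, _encode_oid(SPNEGO_OID)) + _tlv(0xA0, neg_init))


def header(scheme, token):
    """Build an Authorization header value from raw token bytes."""
    return f"{scheme} {base64.b64encode(token).decode()}"


RAW_NTLM_TYPE1 = b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 27   # constructed

if __name__ == "__main__":
    offered = ["Negotiate", "NTLM"]          # what an IIS6 401 typically offers
    samples = [
        header("Negotiate", build_negtokeninit([KRB5_OID, MS_KRB5_OID, NTLMSSP_OID])),
        header("Negotiate", build_negtokeninit([NTLMSSP_OID])),
        header("Negotiate", RAW_NTLM_TYPE1),
        header("NTLM", RAW_NTLM_TYPE1),
    ]
    for auth in samples:
        print(diagnose(offered, auth))
```

The second and third samples are the cases Ken describes: the server offered Negotiate, yet the client's token is NTLM, either wrapped in SPNEGO with NTLMSSP as the only mechanism or sent raw under the Negotiate scheme. Seeing "Negotiate" in the header therefore proves nothing about Kerberos; only the decoded token (or the Security event log's authentication package field) does.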