Re: REPOST - IIS6 /WebDAV/NTLM/Kerberos and Remote Storage

From: Ariel (anonymous_at_discussions.microsoft.com)
Date: 04/21/04


Date: Wed, 21 Apr 2004 05:55:14 -0700

Ken,

Not sure if you are still listening, but I just wanted to
thank you for your response. You've given me much to
digest.

Ariel

>-----Original Message-----
>A few points:
>
>a) You are probably running into a double-hop issue, because of using IWA.
>
>b) You need to verify what authentication mechanism IIS and the browser
>are using to authenticate.
> 1) Check the IIS metabase to ensure "Negotiate,NTLM" is set as the
>authentication provider, not just "NTLM". Negotiate indicates to use
>Kerberos.
> 2) Your browser must support Kerberos - i.e. IE v5+ running on Windows
>2000, XP or 2003 Server. Additionally the checkbox "Use Integrated Windows
>Authentication (requires a restart)" must be checked in IE.
> 3) Use a packet sniffer to verify that "negotiate" is the authentication
>mechanism, or if NTLM is the authentication mechanism, that you are using
>Protocol Transition.
>
>c) For the credentials to be passed back to the remote storage:
> - You need to enable both the computer and user accounts for delegation
>in Active Directory.
> - If you are using a Windows 2003 Domain, you can use Protocol
>Transition but only if you use "Constrained Delegation", then choose "Use
>any authentication Protocol" - this means that the initial
>authentication can be non-Kerberos, but a Kerberos ticket will be issued to
>the webserver to contact the remote service.
> - Ensure an appropriate SPN (Service Principal Name) is registered in
>the directory (AD). Kerberos tickets target a service principal name. If the
>SPN isn't registered in the directory, then an encrypted session key can not
>be generated by the KDC. You can use the Windows 2000 Res Kit setSPN.exe
>tool if you need to register additional SPNs.
>
>NOTE: Protocol Transition is *not* available in a Windows 2000 domain, nor
>is constrained delegation. If you are using a Windows 2000 domain (even if
>the remote storage is Windows 2003 Server), you *must* use Kerberos to
>authenticate to IIS from the client browser. For Kerberos to work, the
>client browser must be able to contact the KDC (DCs in the Active Directory
>world), so Kerberos is not suitable for an application where the browser is
>on the non-secure side of a firewall. In this case, you're best off using
>Basic Authentication secured with SSL.
>
>HTH
>
>Cheers
>Ken
>
>"Ariel" <anonymous@discussions.microsoft.com> wrote in message
>news:1887e01c42307$0a35d5a0$a001280a@phx.gbl...
>: Hello,
>:
>: The following is a repost in an attempt to re-engage David
>: Wang (or others) as I was away for a while and was not
>: able to continue the thread. It has since gone dormant.
>: Any comments would be greatly appreciated.
>:
>: ______
>: I'm trying to set up an IIS6 server to serve up a directory
>: structure on a Win2K server. I enable the WebDAV Service
>: Extension, I create a virtual dir in IIS6, I give the VD
>: r+w+index+directory browsing. I set up the Connect As
>: dialog to use pass-through authentication. Directory
>: security has anonymous turned off and Integrated Windows
>: auth turned on. I set up the Share and NTFS perms on the
>: Win2K directory.
>:
>: When I attempt to open the web folder in the browser, I
>: get challenged; after providing my credentials 3 times, I
>: get turned away with a 401.1 error page.
>:
>: I did some poking around and found an article that talks
>: about what I *think* is the problem.
>:
>: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx#XSLTsection124121120120
>:
>: (See: Protocol Transition and NTLM in the article)
>:
>: Is NTLM and Kerberos the problem? I think the 2K server
>: wants to use NTLM and the 2K3 server wants to use
>: Kerberos, but the tickets aren't being passed properly.
>: (I don't know why the 2K server would be using NTLM
>: though, both servers are in AD and should default to
>: Kerberos, correct?). There is a setting I can make in AD
>: on the 2K3 server object that would allow the translation
>: to take place (at least that's how I understand it)---
>: "Trust computer for delegation", but this seems to
>: indicate that there are security concerns--are there?
>:
>: Am I headed in the right direction? Why am I challenged
>: to authenticate in the first place if pass-through is
>: enabled? Is there a way around this?
>:
>: ____
>:
>: Is this IIS6 server in a domain?
>: Are you using Custom AppPool Identity?
>:
>: --
>: //David
>:
>: ___
>:
>: The IIS6 server and the Win2K server are both in the same
>: OU.
>:
>: Since I don't know what Custom AppPool Identity is, I
>: would think the answer is no.
>:
>: Thanks for your response.
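Ken's point b.3 is to confirm on the wire which mechanism the browser really sent, because a site configured for "Negotiate,NTLM" can still end up on NTLM. The following added example (not from the thread or from any Microsoft tool) classifies an HTTP Authorization header value as Kerberos, NTLM or Basic by decoding its token: a bare NTLMSSP blob, or a SPNEGO token whose preferred mechType is NTLM, means the client is on NTLM even under the Negotiate scheme. The sample tokens are constructed inline by the builder functions, and the mechType check is a heuristic byte scan rather than a full DER parse.

```python
import base64
import struct

# DER-encoded GSS-API mechanism OIDs (tag 0x06, length, contents).
SPNEGO_OID = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MECHS = (("kerberos", KRB5_OID), ("kerberos", MS_KRB5_OID), ("ntlm", NTLMSSP_OID))

def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm', 'basic' or 'unknown' for one Authorization header value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() == "basic":
        return "basic"
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # covers binascii.Error
        return "unknown"
    # Bare NTLMSSP message: the NTLM scheme, or Negotiate after giving up on Kerberos.
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    # SPNEGO InitialContextToken: [APPLICATION 0] { SPNEGO OID, NegTokenInit }. mechTypes is
    # in preference order, so the earliest known OID wins (byte scan, not a full DER parse).
    if raw[:1] == b"\x60" and SPNEGO_OID in raw[:16]:
        found = [(raw.find(oid), name) for name, oid in MECHS if raw.find(oid) >= 0]
        if found:
            return min(found)[1]
    return "unknown"

def der(tag, body):  # minimal DER TLV, short-form length only (tokens here are small)
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def build_spnego_init(mech_oids):
    """Constructed SPNEGO NegTokenInit whose mechTypes lists mech_oids in order."""
    mech_types = der(0x30, b"".join(mech_oids))                   # SEQUENCE OF MechType
    neg_token_init = der(0xA0, der(0x30, der(0xA0, mech_types)))  # [0] NegTokenInit
    return der(0x60, SPNEGO_OID + neg_token_init)                 # InitialContextToken

def build_ntlm_type1():  # constructed NTLMSSP NEGOTIATE_MESSAGE: signature, type 1, flags, empty fields
    return NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0xE2088297) + b"\x00" * 16

def header(scheme, raw):  # constructed Authorization header value as a browser would send it
    return scheme + " " + base64.b64encode(raw).decode()
```

Run it over the Authorization headers captured with the sniffer: a result of "ntlm" on a site meant to use Kerberos points at the SPN, browser zone or KDC-reachability problems Ken lists.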


