Re: Internet Explorer is using NTLM instead of Kerberos
- From: "Ace Fekay [MVP]" <PleaseSubstituteMyActualFirstName&LastNameHere@xxxxxxxxxxx>
- Date: Thu, 15 Sep 2005 22:01:33 -0400
In news:1126828245.331159.116050@xxxxxxxxxxxxxxxxxxxxxxxxxxxx,
Eitan <noyasoft@xxxxxxxxxxxxxxxx> made this post, which I then commented
about below:
> Hi,
> Not sure if this is the correct place to post this question so I'm
> sorry if it's not.
>
> I've created in a test environment the following configuration:
> - PC A: Running Windows 2003 as an Active Directory domain controller.
> - PC B: Windows XP Pro (that was added to the AD) logged on to the AD.
> - PC C: Simply running a sniffer.
>
> Now..
> Having read this:
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/6291dce1-4ea8-4b4f-a9c1-23926ab6e8dd.mspx
>
> I fixed what was stated in this article (added the AD server to the
> correct zone on the XP client, and made sure that the Integrated logon
> was checked).
> After this setup I was ready to start the browser and post a request
> for a simple "Hello world" page on the AD server (and yes, the URL
> was constructed with the FQDN of the AD and not its IP).
>
> When the TCP stream was decoded by the sniffer I found that the server
> sent a single "Authorization" header to the client stating "Negotiate"
> and the client sent NTLM keys (decoded into an "NTLMSSP" string).
> No matter what I tried, I keep getting those NTLM sessions and no
> Kerberos.
>
> Eitan.
Did you also see these articles?
How to configure IIS to support both Kerberos and NTLM authentication:
http://support.microsoft.com/kb/215383/EN-US/
Unable to Negotiate Kerberos Authentication After Upgrading to Internet
Explorer 6:
http://support.microsoft.com/kb/299838
Also, keep in mind:
1. Kerberos SPNEGO Negotiation requires a reverse zone with Win2003.
2. You will need to connect by http://servername instead of using the
FQDN (http://www.domain.com) to force either NTLM or Kerberos
authentication. The FQDN method uses clear text, which can be protected by
SSL.
3. Make sure that all your machines (all machines) are only using your
internal AD's DNS server in their IP properties and not an external server,
or it may or may not properly find AD's Kerberos services to authenticate in
that matter (among numerous other issues that can occur in AD).
--
Regards,
Ace
If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit.
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
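A way to check what the sniffer actually captured, as an added example that is not part of the thread: decode the `Authorization: Negotiate <base64>` header and report whether the client sent Kerberos or fell back to NTLM, either raw or wrapped inside SPNEGO. The sample headers are constructed here, and the SPNEGO classification is a heuristic OID scan rather than a full ASN.1 parse.

```python
import base64
import re

# DER-encoded object identifiers found in GSS-API / SPNEGO tokens (RFC 4178).
SPNEGO_OID = bytes.fromhex("06062b0601050502")             # 1.3.6.1.5.5.2
KRB_OID = bytes.fromhex("06092a864886f712010202")          # 1.2.840.113554.1.2.2
MSKRB_OID = bytes.fromhex("06092a864882f712010202")        # 1.2.840.48018.1.2.2
NTLM_OID = bytes.fromhex("060a2b06010401823702020a")       # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {KRB_OID: "Kerberos", MSKRB_OID: "Kerberos", NTLM_OID: "NTLM"}
NTLMSSP_SIG = b"NTLMSSP\x00"                               # NTLM message signature

def classify_negotiate_token(token: bytes) -> str:
    """Say which mechanism a 'Negotiate' token actually carries."""
    if token.startswith(NTLMSSP_SIG):
        return "NTLM (raw NTLMSSP, not wrapped in SPNEGO)"
    if token[:1] != b"\x60" or SPNEGO_OID not in token:
        return "unknown (neither SPNEGO nor NTLMSSP)"
    # Heuristic rather than a full ASN.1 parse: in NegTokenInit the mechTypes
    # list precedes mechToken and is in preference order, so the earliest known
    # mech OID is the one the client actually used.
    hits = [(token.find(oid), name) for oid, name in MECH_NAMES.items() if oid in token]
    if not hits:
        return "SPNEGO with no recognised mechanism"
    preferred = min(hits)[1]
    if preferred == "NTLM" or NTLMSSP_SIG in token:
        return "NTLM (inside SPNEGO)"
    return "Kerberos (inside SPNEGO)"

def classify_authorization_header(line: str) -> str:
    """Classify one 'Authorization: Negotiate <base64>' request header line."""
    m = re.match(r"Authorization:\s*Negotiate\s+([A-Za-z0-9+/=]+)", line, re.I)
    if not m:
        return "no Negotiate token"
    return classify_negotiate_token(base64.b64decode(m.group(1)))

def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV for short (<128 byte) bodies, used only to build samples."""
    return bytes([tag, len(body)]) + body

# Constructed sample tokens (not captured from the thread). The NTLM Type 1
# message is signature, type 1, typical flags and empty domain/workstation
# fields; the SPNEGO samples omit the real Kerberos AP-REQ mechToken.
NTLM_TYPE1 = NTLMSSP_SIG + (1).to_bytes(4, "little") + (0x00088207).to_bytes(4, "little") + bytes(16)
SPNEGO_KRB = der(0x60, SPNEGO_OID + der(0xA0, der(0x30, der(0xA0, der(0x30, KRB_OID + NTLM_OID)))))
SPNEGO_NTLM = der(0x60, SPNEGO_OID + der(0xA0, der(0x30,
    der(0xA0, der(0x30, NTLM_OID)) + der(0xA2, der(0x04, NTLM_TYPE1)))))
SAMPLE_HEADERS = {
    name: "Authorization: Negotiate " + base64.b64encode(tok).decode()
    for name, tok in {"raw NTLM": NTLM_TYPE1, "SPNEGO Kerberos": SPNEGO_KRB, "SPNEGO NTLM": SPNEGO_NTLM}.items()
}

if __name__ == "__main__":
    for name, line in SAMPLE_HEADERS.items():
        print(f"{name:16} -> {classify_authorization_header(line)}")
```

Feed it the request header lines exported from the sniffer: if every token comes back as NTLM, the client never obtained a service ticket, which points at the SPN, DNS or zone settings discussed above rather than at IIS.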