Re: Kerberos NTLM
- From: "Joseph T Corey" <jcorey@xxxxxxxxxxxxxx>
- Date: Thu, 8 May 2008 09:51:58 -0400
Was your setspn command line just a typo? You have srver1 instead of server1. I'll assume it was just a typo, and you do have an SPN registered for your IIS computer account as HTTP/server1.domain.com. At this point, you want to follow some basic Kerberos troubleshooting steps (like making sure the time is correct on both client and server). It would also be very helpful to look at a packet trace that will show the Kerberos error and subsequent fallback to NTLM. As long as the IIS site is configured for "Negotiate,NTLM" as its authentication provider, the site (or file/folder) is set to Integrated Authentication, and your URL is in IE's IntrAnet zone, it will attempt Kerberos first so we should be able to see the exact error which should easily be mapped to your problem.
--
Joseph T. Corey MCSE, Security+
Systems Administrator
jcorey@xxxxxxx
"filip" <fmatosic@xxxxxxx> wrote in message news:%231h793IsIHA.4788@xxxxxxxxxxxxxxxxxxxxxxx
IE is properly configured, by steps stated below.
I have set up an SPN as follows (my web server is on a machine named "server1", and the URL to access it is "server1.mydomain.com"),
so I set up the SPN as follows (on my server running the Kerberos service, named "exchangeServer1", in my case a Win2003 R2 server which is an Exchange server as well as a DC):
setspn -A HTTP/srver1.mydomain.com server1
I have Kerbtray on the machine doing the request with IE7, and on my server; after requesting the page, no ticket is issued, as I see no ticket for HTTP/server1.
Also, from the request header Authorization I get NTLM, not Kerberos. I looked at the logs on the server, but couldn't find (and don't know where to find) a log where it says that it falls back to NTLM for any reason.
"Joseph T Corey" <jcorey@xxxxxxxxxxxxxx> wrote in message news:CF17988C-CA5D-4C3B-B6D1-F834FC0395AA@xxxxxxxxxxxxxxxx
First, download Kerbtray and have it running when you login to this website. If you neglect to see a HTTP/hostname (where hostname is your web site address) under the list of tickets, then you know you aren't using Kerberos.
If IE and IIS are configured properly to do Kerberos, then the problem is probably SPN related. Make sure you have a valid HTTP SPN registered for the account running the IIS application pool. If the application pool is running as Network Service (which is the default configuration), then the SPN will need to be set on the computer account.
To add an SPN, use the setspn tool. Something like: "setspn -a http/hostname computer" where hostname is the web address and computer is the computer account name in AD. Here are some useful links:
http://technet2.microsoft.com/WindowsServer/en/library/b3a029a1-7ff0-4f6f-87d2-f2e70294a5761033.mspx
http://support.microsoft.com/kb/326985
--
Joseph T. Corey MCSE, Security+
Systems Administrator
jcorey@xxxxxxx
"filip" <fmatosic@@inet.hr> wrote in message news:unDoVMvrIHA.4492@xxxxxxxxxxxxxxxxxxxxxxx
Is there a reason that IE (IE7) would send NTLM instead of Kerberos after setting IE as follows?
Is there something else I have to look for?
1. Put the requesting site in IE into the Local intranet zone.
2. In the IE advanced security options, enable Integrated Windows Authentication.
To configure Intranet Authentication:
1. Click the Security tab, click Local intranet, and then click Custom Level.
2. In the Security Settings dialog box, scroll down to the User Authentication section of the list.
3. Select Automatic logon only in Intranet zone. This setting prevents users from having to re-enter logon credentials; a key piece to this solution.
4. Click OK to close the Security Settings dialog box.
In addition to the previous settings, one additional setting is required if you are running Internet Explorer 6.0.
1. In Internet Explorer, click Tools, and then click Internet Options.
2. Click the Advanced tab.
3. Scroll down to the Security section.
4. Make sure that Enable Integrated Windows Authentication (requires restart) is checked, and then click OK.
5. If this box was not checked, restart the browser.
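As an added example, not part of any post in this thread: the check filip describes doing by eye (looking at the Authorization header to see whether the client sent NTLM or Kerberos) can be done mechanically. A browser doing Kerberos sends `Authorization: Negotiate <base64>` where the token is a GSS-API InitialContextToken carrying the SPNEGO OID (1.3.6.1.5.5.2) and a NegTokenInit whose first mechType is Kerberos (1.2.840.113554.1.2.2 or Microsoft's 1.2.840.48018.1.2.2) with an optimistic Kerberos mechToken. A client that has fallen back sends either `Authorization: NTLM <base64>`, or `Negotiate` whose token is a raw `NTLMSSP\0` message or an SPNEGO token whose mechType is NTLMSSP (1.3.6.1.4.1.311.2.2.10). The Python below decodes the header and classifies it; the sample headers are constructed inline (a real Kerberos AP-REQ is much longer), and the DER/OID framing follows RFC 2743, RFC 4178 and RFC 4559.

```python
"""Classify a client's first HTTP Authorization header as Kerberos or NTLM.

Added example for this thread, not code from the original posts. The sample
tokens are constructed here for illustration; real tokens use the same outer
framing and OIDs but carry a full Kerberos AP-REQ or NTLM message.
"""
import base64
import struct

# OIDs as they appear DER-encoded inside a token (value bytes, without the 0x06 tag).
OID_SPNEGO = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIG = b"NTLMSSP\x00"                        # signature of every NTLMSSP message
MECH_NAMES = {OID_KRB5: "kerberos", OID_MS_KRB5: "kerberos", OID_NTLMSSP: "ntlm"}


def der(tag, body):
    """Encode one DER TLV (short and long length forms)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def read_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def spnego_init_mechs(neg_body):
    """From the NegTokenInit payload, return (mechTypes OIDs, optimistic mechToken)."""
    _, seq, _ = read_tlv(neg_body)          # SEQUENCE inside the [0] NegTokenInit
    mech_types, mech_token, pos = [], b"", 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag == 0xA0:                     # [0] mechTypes: SEQUENCE OF OID
            _, oids, _ = read_tlv(val)
            p = 0
            while p < len(oids):
                t, oid, p = read_tlv(oids, p)
                if t == 0x06:
                    mech_types.append(oid)
        elif tag == 0xA2:                   # [2] mechToken: OCTET STRING
            _, mech_token, _ = read_tlv(val)
    return mech_types, mech_token


def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm' or 'unknown' for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    try:
        token = base64.b64decode(b64, validate=True)
    except (ValueError, TypeError):
        return "unknown"
    scheme = scheme.upper()
    if scheme == "NTLM":
        return "ntlm" if token.startswith(NTLMSSP_SIG) else "unknown"
    if scheme != "NEGOTIATE":
        return "unknown"
    if token.startswith(NTLMSSP_SIG):       # raw NTLMSSP sent under the Negotiate scheme
        return "ntlm"
    try:
        tag, body, _ = read_tlv(token)      # GSS-API InitialContextToken: [APPLICATION 0]
        if tag != 0x60:
            return "unknown"
        tag, oid, pos = read_tlv(body)
        if tag != 0x06:
            return "unknown"
        if oid in (OID_KRB5, OID_MS_KRB5):  # bare Kerberos AP-REQ, allowed by RFC 4559
            return "kerberos"
        if oid != OID_SPNEGO:
            return "unknown"
        tag, neg, _ = read_tlv(body, pos)
        if tag != 0xA0:                     # only the client's first leg (NegTokenInit) is handled
            return "unknown"
        mech_types, mech_token = spnego_init_mechs(neg)
    except ValueError:
        return "unknown"
    if mech_token.startswith(NTLMSSP_SIG):  # optimistic token is an NTLM message
        return "ntlm"
    return MECH_NAMES.get(mech_types[0], "unknown") if mech_types else "unknown"


# --- constructed sample headers (not captured traffic) ---------------------------
def _ntlm_type1():
    # NTLMSSP NEGOTIATE_MESSAGE: signature, type 1, flags, empty domain/workstation fields
    return NTLMSSP_SIG + struct.pack("<I", 1) + struct.pack("<I", 0xE2088297) + b"\x00" * 16


def _spnego_init(mech_oid, mech_token):
    mech_types = der(0xA0, der(0x30, der(0x06, mech_oid)))
    opt_token = der(0xA2, der(0x04, mech_token))
    return der(0x60, der(0x06, OID_SPNEGO) + der(0xA0, der(0x30, mech_types + opt_token)))


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Kerberos mechToken is itself a GSS token: OID + TOK_ID 01 00 + AP-REQ (placeholder bytes here).
_fake_ap_req = der(0x60, der(0x06, OID_KRB5) + b"\x01\x00" + b"\x6e\x02\x30\x00")
SAMPLE_KERBEROS = "Negotiate " + _b64(_spnego_init(OID_KRB5, _fake_ap_req))
SAMPLE_SPNEGO_NTLM = "Negotiate " + _b64(_spnego_init(OID_NTLMSSP, _ntlm_type1()))
SAMPLE_RAW_NTLM = "NTLM " + _b64(_ntlm_type1())

if __name__ == "__main__":
    for h in (SAMPLE_KERBEROS, SAMPLE_SPNEGO_NTLM, SAMPLE_RAW_NTLM):
        print(classify_authorization(h), "<-", h[:40] + "...")
```

Run it against the first `Authorization:` header the browser sends (from a packet trace or the IIS request) rather than the last: a client that attempted Kerberos and was refused will show "kerberos" on the first request and "ntlm" afterwards, which points at the server-side problem (SPN, time skew, or the account the application pool runs as); a client that starts with "ntlm" never tried Kerberos, which points at the browser zone or Integrated Authentication settings discussed above.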