PROBLEMS with AuthenticationType being NTLM and Negotiate -- asp.net security

tepe.hughes NO[at]SPAM gmail.com
8/25/2005 2:52:37 AM

I have two webservers running the same aspx pages. (The webpage allows
Active Directory Editing).

These pages run fine on the 1st server but not on the second server (it
errors with Logon failure: unknown user name or bad password).

The web.config file (on both servers) have these options set

authentication mode="Windows"
deny users="?"
identity impersonate="true"

After some looking around the only difference I can see between the two
server is that the 1st server reports that
Page.User.Identity.AuthenticationType is "NTLM" while the 2nd
server reports "Negotiate".

Both servers are in the same domain, as far as I can tell both iis
setting are the same.

Can only one help me out?

Dominick Baier [DevelopMentor]
8/25/2005 5:21:08 AM

Hello tepe.hughes@gmail.com,

to access remote Active Directory using impersonated credentials, delegation
has to be enabled for both web server. this is done in Active Directoy Users
and Computers. Select the "Trust this Computer for Delegation" check box.

Another important part is, that the authentication between browser and web
server has to be done via Kerberos. Have a look in the security event log
on your servers, you should see logon events for the client running the browser.
The authentication package has to be Kerberos. If you see NTLM, this can
have various reasons.

also check out keiths new article in msdnmag:
http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

[quoted text, click to view]

asp.net security : PROBLEMS with AuthenticationType being NTLM and Negotiate