
iis security : SPS won't use kerberos


Al Blake
5/29/2004 8:25:25 PM
We have a Windows 2003 member server in a native AD domain that runs SPS2003
as well as a number of non-SPS IIS6 web sites.
We have managed to configure all the web sites *except* SPS2003 to use
Kerberos as their preferred authentication - so we know Kerberos is working
on the box.

We have followed KB832769 to enable Kerberos on the SPS web but still
whenever a client browser connects (XP + IE6SP1) the authentication method
selected is NTLM. Why?

We have:
a) Set NTAuthenticationProviders to "Negotiate,NTLM" in the metabase for
the SPS site
b) Set the computer account as trusted for delegation in AD
c) Set the user account used by the app pool as trusted in AD
d) Used setspn to add HTTP/DOMAIN\USER SERVER as an additional SPN

but still NTLM is used as the authentication mechanism.

As a side issue, when trying to access the box from another Windows 2003
server (such as our TS server) which is running IE 6.0.3790.0 we get
repeatedly prompted to login if the authentication mechanism is
"Negotiate,NTLM". Checking in the event log shows a Kerberos failure for a
blank username.

Trying from XP+IE6SP1 clients we do not get prompted to login (i.e. Windows
authentication works) but checking in the event log indicates that NTLM has
been used! So XP+IE6SP1 is NOT using Kerberos to authenticate with the SPS
site. Why not?

Al Blake, Canberra, Australia

Ken Schaefer
5/29/2004 11:31:34 PM
Hi,

As mentioned in your other thread, let's please look at what is actually
happening between server and client before speculating about causes.

Cheers
Ken



Al Blake
5/30/2004 9:07:42 AM
Sure.
But what would you like to know ?
Al.


Ken Schaefer
5/30/2004 10:30:54 AM
Is the server actually sending back:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

in the HTTP response headers? You can use WFetch to test this:
http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&DisplayLang=en

Is the client then attempting to use Kerberos to authenticate? You will need
to use something like Ethereal to test this: www.ethereal.com

Cheers
Ken



Al Blake
5/30/2004 11:19:58 AM
Fantastic Ken,
This is just the sort of info/troubleshooting I was looking for.
I'll check it out and let you know in the next couple of days.
Thanks again.


Al Blake
5/31/2004 4:13:36 PM
More info:
Every time the connection fails the SPS IIS server logs:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 31/05/2004
Time: 4:10:44 PM
User: NT AUTHORITY\SYSTEM
Computer: ATHENA
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.38.85
Source Port: 1501

i.e. a connection failure for an unknown (blank) user - where to next?
Al.

Ken Schaefer
5/31/2004 4:22:07 PM
Thank you for getting the information I requested. Not.
Can you look in the IIS Logfiles for the STS website - is the UserID being
recorded in there correctly?

Cheers
Ken



Al Blake
5/31/2004 5:08:21 PM
Ken,
I *did* post exactly the information you asked for (i.e. a trace using wfetch
between the client and server).
I posted it an hour ago via dejanews... but it doesn't seem to have appeared
yet and the other post overtook it.
If it is not there in an hour or so I'll post it again.

Al.




Ken Schaefer
5/31/2004 5:16:50 PM
Thanks Al - it doesn't seem to be here on the MS newsserver. Apologies for
the flame.

But, it does seem like some kind of Kerberos authentication attempt is
happening. Does the IIS webserver log record the correct User ID?

Cheers
Ken



Al Blake
5/31/2004 6:12:07 PM
Don't worry about it ;)
I am reposting the information from wfetch: if it ends up here twice then so
be it.
Haven't checked the webserver log yet as this is a *production* server - so
there are certain hours I can mess around with it. I'll try to trace that
part of it later tonight. (What am I particularly looking for in the IIS
logs?)
Al.

===wfetch stuff=====
Sharepoint application is running as CGGS\Sharepoint. This user is trusted
for delegation.
User and FQDN (portal.cggs.act.edu.au) have been added as SPN on server
ATHENA:

C:\Program Files\Resource Kit>setspn -L athena
Registered ServicePrincipalNames for CN=ATHENA,OU=Permit Student
Access,OU=CGGS Member Servers,OU=Machines,DC=cggs,DC=act,DC=edu,DC=au:
HTTP/cggs.act.edu.au/Sharepoint
HTTP/CGGS\Sharepoint
HOST/portal.cggs.act.edu.au
HOST/portal
HTTP/portal.cggs.act.edu.au
HTTP/portal
HOST/intranet
HTTP/intranet
HTTP/intranet.cggs.act.edu.au
SMTPSVC/athena.cggs.act.edu.au
SMTPSVC/ATHENA
HOST/ATHENA
HOST/athena.cggs.act.edu.au

When I use wfetch to watch the conversation between the server and the
browser I see that the browser asks for Negotiate:
WWWConnect::Connect("portal.cggs.act.edu.au","80")\nIP =
"192.168.31.9:80"\nsource port: 4372\r\n
ISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE set\nSEC_I_CONTINUE_NEEDED\nREQUEST:
**************\nGET /default.aspx HTTP/1.1\r\n
Host: portal.cggs.act.edu.au\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: Negotiate YIINSwYGKw
etc etc etc

Host responds with Negotiate:
HTTP/1.1 401 Unauthorized\r\n
Content-Length: 1539\r\n
Content-Type: text/html\r\n
Server: Microsoft-IIS/6.0\r\n
WWW-Authenticate: Negotiate etc etc
\r\n
X-Powered-By: ASP.NET\r\n
MicrosoftSharePointTeamServices: 6.0.2.5530\r\n
Date: Mon, 31 May 2004 05:45:19 GMT\r\n
\r\n


then host sends back the 'not authorised page'
SEC_I_CONTINUE_NEEDED\n<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">\r\n
<HTML><HEAD><TITLE>You are not authorized to view this page</TITLE>\r\n
<META HTTP-EQUIV="Content-Type" Content="text/html;
charset=Windows-1252">\r\n
<STYLE type="text/css">\r\n
BODY { font: 8pt/12pt verdana }\r\n
etc

Client tries again:
REQUEST: **************\nGET /default.aspx HTTP/1.1\r\n
Host: portal.cggs.act.edu.au\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: Negotiate etc etc

Host replies with an Unable to InitializeSecurityContext.
RESPONSE: **************\nHTTP/1.1 401 Unauthorized\r\n
Content-Length: 1539\r\n
Content-Type: text/html\r\n
Server: Microsoft-IIS/6.0\r\n
WWW-Authenticate: Negotiate etc etc
X-Powered-By: ASP.NET\r\n
MicrosoftSharePointTeamServices: 6.0.2.5530\r\n
Date: Mon, 31 May 2004 05:45:19 GMT\r\n
\r\n
0x80090322 Unable to InitializeSecurityContext <<<<<<====== here's where it
fails


So any ideas why this is failing given that I have added everything I can
think of as an SPN (!), I have given both the machine account AND the
app pool account delegate permission in AD *and* Kerberos is working for 4
other IIS webs on the same server - it is only not working for the SPS
site... :(

Regards
Al Blake, Canberra, Australia
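Ken's two checks (does the 401 offer Negotiate, and does the client's token actually carry Kerberos rather than NTLM) can both be answered from the bytes in a WFetch or Ethereal capture like the one above. The following Python is an added example, not code from the thread, from WFetch or from IIS: it lists the schemes in the WWW-Authenticate headers of a raw response and decodes an Authorization: Negotiate token far enough to read the SPNEGO mechanism list, whose first entry is the mechanism the client really tried. The sample tokens and the 401 response are constructed; TRACE_PREFIX is the only value taken from Al's trace, and because Al cut the token off at "etc etc etc" it shows how a truncated capture is reported rather than misread.

```python
"""Classify Negotiate tokens from a WFetch/Ethereal capture. Added example, not
code from the thread, WFetch or IIS; the sample tokens and 401 response below are
constructed, and TRACE_PREFIX is the only value taken from Al's trace."""
import base64

# DER-encoded OID bodies of the GSS-API mechanisms that matter here.
SPNEGO = b"\x2b\x06\x01\x05\x05\x02"                   # 1.3.6.1.5.5.2
KRB5 = b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"          # 1.2.840.113554.1.2.2
MS_KRB5 = b"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"       # 1.2.840.48018.1.2.2
NTLMSSP = b"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"   # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {SPNEGO: "SPNEGO", KRB5: "Kerberos V5", MS_KRB5: "MS KRB5", NTLMSSP: "NTLMSSP"}
KERBEROS_MECHS = {"Kerberos V5", "MS KRB5"}

def der_header(buf, pos=0):
    """Read a DER tag and length at pos; return (tag, length, value_start)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if pos + n > len(buf):
            raise ValueError("truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, length, pos

def der_read(buf, pos=0):
    """Read one complete DER TLV; return (tag, value, next_pos)."""
    tag, length, start = der_header(buf, pos)
    if start + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[start:start + length], start + length

def decode_token(b64):
    """Base64-decode a token, re-padding the truncated copies people paste from traces."""
    b64 = b64.strip()
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))

def classify_token(b64):
    """Return {"kind", "mechs", "kerberos"} for an Authorization: Negotiate token;
    "kerberos" is True/False when the capture is complete enough to tell, else None."""
    tok = decode_token(b64)
    if tok.startswith(b"NTLMSSP\x00"):     # bare NTLM message, no SPNEGO wrapper at all
        return {"kind": "NTLM", "mechs": ["NTLMSSP"], "kerberos": False}
    if not tok or tok[0] != 0x60:          # GSS-API InitialContextToken is [APPLICATION 0]
        return {"kind": "unknown", "mechs": [], "kerberos": None}
    try:
        _, _, body = der_header(tok)       # declared length may exceed a pasted prefix
        tag, oid, pos = der_read(tok, body)
    except (IndexError, ValueError):
        return {"kind": "GSS-API", "mechs": [], "kerberos": None}
    mech = OID_NAMES.get(oid, "unknown") if tag == 0x06 else "unknown"
    if mech != "SPNEGO":                   # raw Kerberos AP-REQ (or something unexpected)
        return {"kind": mech, "mechs": [mech], "kerberos": mech in KERBEROS_MECHS or None}
    # NegTokenInit: [0] SEQUENCE { [0] mechTypes SEQUENCE OF OID, ..., [2] mechToken }
    try:
        _, neg, _ = der_read(tok, pos)
        _, seq, _ = der_read(neg, 0)
        _, mt, _ = der_read(seq, 0)
        _, lst, _ = der_read(mt, 0)
        mechs, p = [], 0
        while p < len(lst):
            _, o, p = der_read(lst, p)
            mechs.append(OID_NAMES.get(o, "unknown"))
    except (IndexError, ValueError):
        return {"kind": "SPNEGO", "mechs": [], "kerberos": None}
    # mechToken carries a token for mechs[0] only, so that is the mechanism really tried.
    return {"kind": "SPNEGO", "mechs": mechs, "kerberos": bool(mechs) and mechs[0] in KERBEROS_MECHS}

def offered_schemes(raw_response):
    """List the schemes named in the WWW-Authenticate headers of a raw HTTP response."""
    schemes = []
    for line in raw_response.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            schemes.append(value.strip().split(" ", 1)[0])
    return schemes

def der(tag, payload):
    """Encode one DER TLV; used only to build the constructed sample tokens below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def build_spnego(mech_oids, mech_token):
    """Constructed NegTokenInit listing mech_oids (first = preferred) around mech_token."""
    mech_types = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_oids)))
    inner = der(0x30, mech_types + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, SPNEGO) + der(0xA0, inner))

SAMPLE_KERB = base64.b64encode(build_spnego([MS_KRB5, KRB5, NTLMSSP], b"\x60\x81\x00" * 50)).decode()
SAMPLE_NTLM_IN_SPNEGO = base64.b64encode(build_spnego([NTLMSSP], b"NTLMSSP\x00\x01\x00\x00\x00")).decode()
SAMPLE_RAW_NTLM = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\x00").decode()
TRACE_PREFIX = "YIINSwYGKw"   # the token start Al pasted, cut off by "etc etc etc"
SAMPLE_401 = ("HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/6.0\r\n"
              "WWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n\r\n")
```

Feed `classify_token` the full base64 string from the Authorization header (WFetch prints it, Ethereal shows it under the HTTP layer) and look at `mechs[0]`: a browser that lists NTLMSSP first inside SPNEGO is not trying Kerberos at all, which is what the security event log would then record as an NTLM logon. Calling it on TRACE_PREFIX returns kind "GSS-API" with kerberos None, the honest answer for a token that was pasted with its mechanism list cut off.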

dennisjager NO[at]SPAM yahoo.com
6/3/2004 3:32:26 AM
Hi,

I found this thread while troubleshooting, hope you're still reading
it.

I'm troubleshooting SPS, where I cannot reach the webpage by its
FQDN. I get an error message stating that I'm "not authorised to view
this page".
Reaching the page by http://servername/page is not a problem.

In this thread you said "User and FQDN (portal.cggs.act.edu.au) have
been added as SPN on server ATHENA:"

Could one of you explain to me what "SPN" is? I think it might have
something to do with my problem.

Thanks,

Al Blake
6/5/2004 4:08:34 PM
SPN = service principal name

If you are connecting to your server using the NETBIOS name, then generally
Kerberos doesn't have any problem. But if you are connecting using some other
alias then Kerberos won't work... as it doesn't think that is a valid name
for the server.
So if your server name is SERV1
but you connect as
intranet.mydomain

then you must add intranet.mydomain as a valid SPN for Kerberos to work.

Hope this helps?
Al.


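Al's rule above (the name the browser connects with must exist as an SPN) can be turned into a small check. The Python below is an added example, not code from the thread or from setspn: it parses a `setspn -L` style listing and reports, for each hostname users type into the browser, which registered SPN covers HTTP/<name> or that one must be added. HOST/<name> is accepted as well, because the HOST service class is an alias that covers HTTP. SETSPN_SAMPLE, the account name and the hostnames are constructed to mirror Al's SERV1 / intranet.mydomain illustration; the regex is my reading of the service/host[:port][/name] SPN syntax, and any line not in that form (for example a DOMAIN\user written into the list, which is never an SPN) is reported separately as malformed.

```python
"""Check that the names users type for a site are covered by registered SPNs.
Added example, not from the thread. SETSPN_SAMPLE is constructed in the style of
`setspn -L` output for Al's SERV1 / intranet.mydomain illustration."""
import re

SETSPN_SAMPLE = """\
Registered ServicePrincipalNames for CN=SERV1,OU=Member Servers,DC=mydomain:
    HOST/SERV1
    HOST/serv1.mydomain
    HTTP/serv1.mydomain
    HTTP/MYDOMAIN\\WebAppPool
"""

# service/host[:port][/name]; a backslash or a DOMAIN\user is never valid SPN syntax.
SPN_RE = re.compile(
    r"^(?P<service>[A-Za-z0-9_-]+)/(?P<host>[A-Za-z0-9._-]+)"
    r"(?::(?P<port>\d+))?(?:/(?P<name>[^/\s]+))?$")


def parse_setspn_output(text):
    """Return (spns, malformed) from `setspn -L` output; spns are dicts of the regex groups."""
    spns, malformed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Registered ServicePrincipalNames"):
            continue
        m = SPN_RE.match(line)
        if m:
            spns.append(m.groupdict())
        else:
            malformed.append(line)
    return spns, malformed


def covering_spn(host, spns):
    """Return the registered SPN that satisfies HTTP/<host>, or None.
    HTTP/<host> is preferred; HOST/<host> also counts because the HOST service
    class is an alias covering HTTP. Matching is case-insensitive, as in AD."""
    h = host.lower()
    for cls in ("HTTP", "HOST"):
        for s in spns:
            if s["service"].upper() == cls and s["host"].lower() == h and not s["name"]:
                return f'{s["service"]}/{s["host"]}'
    return None


def check_site_names(setspn_text, url_hosts):
    """For every hostname users type into the browser, report the SPN that covers
    it or the HTTP/ SPN that must be added (Al's rule); also return malformed lines."""
    spns, malformed = parse_setspn_output(setspn_text)
    report = {}
    for host in url_hosts:
        found = covering_spn(host, spns)
        report[host] = found if found else f"MISSING: add HTTP/{host}"
    return report, malformed


if __name__ == "__main__":
    hosts = ["serv1", "serv1.mydomain", "intranet.mydomain"]
    report, bad = check_site_names(SETSPN_SAMPLE, hosts)
    for host, verdict in report.items():
        print(f"{host:20} {verdict}")
    print("not SPN syntax:", bad)
    # After registering the alias (setspn -A HTTP/intranet.mydomain SERV1) it is covered:
    fixed, _ = check_site_names(SETSPN_SAMPLE + "    HTTP/intranet.mydomain\n", hosts)
    print(fixed["intranet.mydomain"])
```

Paste the real `setspn -L <server>` output in place of SETSPN_SAMPLE and list every name (NetBIOS, FQDN, and each DNS alias) that appears in users' URLs; a MISSING verdict for an alias is exactly the case Al describes, where Kerberos has no ticket to ask for and the browser falls back to NTLM or a logon prompt.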

dennisjager NO[at]SPAM yahoo.com
6/7/2004 4:52:56 AM
That helps, thank you for explaining!
