Integrated Windows Authentication (requires a restart)" is enabled. This is
b) check for duplicate SPNs - that will cause Kerberos to fail. You can not
"Andrey Nepomnyaschih" <nas@i-free.ru> wrote in message
news:%23K8TrwIbHHA.2076@TK2MSFTNGP04.phx.gbl...
> Hi, Ken.
>
> Thanks for your answer. But I just forgot to mention that. Yes the server
> is listed in "Intranet Zone", and Intranet Zone has the option to
> automatically send username and password to sites in the zone.
>
> Well, I tried to capture packets using Ethereal. And the findings are that
> the client doesn't even consider using Kerberos. It uses NEGOTIATE, falls
> back to NTLM. And during that it does not contact KDC for service ticket.
> Does anyone know how to address that?
>
> Best Regards,
> Andrey Nepomnyaschih
>
>
> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> news:ezPUjiBbHHA.4000@TK2MSFTNGP02.phx.gbl...
>> Hi,
>>
>> a) IE will only attempt Kerberos authentication if the site is in the
>> Intranet security zone. If you are accessing the site as
>>
>> http://www.somesite.tld then this is not in the Intranet security zone by
>> default
>>
>> b) Ensure that you don't have duplicate SPNs (same SPN registered under
>> multiple accounts in AD). That will cause Kerberos Auth to fail.
>>
>> Cheers
>> Ken
>>
>>
>> "Andrey Nepomnyaschih" <nas@i-free.ru> wrote in message
>> news:uC0O9b7aHHA.2064@TK2MSFTNGP05.phx.gbl...
>>> Hello,
>>>
>>> I'm having problems with setting up the Kerberos Authentication. No
>>> matter what I do, the client always tries to use NTLM package.
>>>
>>> Well, I have an IIS server on a member server. The Default Web Site has
>>> only the "Integrated Windows authentication" box checked. The Internet
>>> Explorer, has "Enable Integrated Windows Authentication" option enabled,
>>> but when I try to access the page on this site the client is being
>>> authenticated using NTLM.
>>>
>>> Ok, this is what I have done so far.
>>> - The computer account for the member server has the "Trust this
>>> computer for delegation to any service (Kerberos only)" option enabled
>>> in Active Directory.
>>> - It doesn't matter whether application pool runs under NETWORK SERVICE
>>> account, or under a correctly configured domain account.
>>> By correctly configured domain account I mean, an account which has
>>> "Trust this computer for delegation to any service (Kerberos only)"
>>> option enabled in Active Directory and has SPN records set up like
>>> this:
>>>
>>> setspn -A http/host DOMAIN\ACCOUNT
>>> setspn -A http/host.domain.tld DOMAIN\ACCOUNT
>>>
>>> - I removed the NTLM from the list by running cscript adsutil.vbs set
>>> w3svc/WebSite/root/NTAuthenticationProviders "Negotiate".
>>>
>>> But whenever I try to access the page, the Security log shows the
>>> following message:
>>>
>>> Successful Network Logon:
>>> User Name: nas
>>> Domain: DOMAIN
>>> Logon ID: (0x0,0x2F4638)
>>> Logon Type: 3
>>> Logon Process: NtLmSsp
>>> Authentication Package: NTLM
>>> Workstation Name: IT-NAS-W571A
>>> Logon GUID: -
>>> Caller User Name: -
>>> Caller Domain: -
>>> Caller Logon ID: -
>>> Caller Process ID: -
>>> Transited Services: -
>>> Source Network Address: 192.168.1.196
>>> Source Port: 1996
>>>
>>> Does anyone have a clue why this can happen?
>>>
>>> Have a good time
>>> Andrey Nepomnyaschih
>>>
>>
>
>
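The thread turns on two checks: whether any SPN is registered on more than one account (Ken's point b), and whether both HTTP SPN forms for the web host exist on exactly one object, the application pool identity (or the computer account when the pool runs as NETWORK SERVICE). The script below is an added example, not code from anyone in the thread; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and `host.domain.tld` is a placeholder for the name users actually type into the browser.

```powershell
# Added example (not from the thread): list duplicate SPNs in the domain and
# confirm which object owns the HTTP SPNs for a web host. Requires the
# ActiveDirectory module (RSAT). The host name is a placeholder.
Import-Module ActiveDirectory

$WebHost   = 'host.domain.tld'          # placeholder: the name in the URL
$ShortName = ($WebHost -split '\.')[0]  # NetBIOS-style form, e.g. "host"

# 1. Collect every SPN in the domain and remember which object holds it.
#    PowerShell hashtables compare keys case-insensitively, which matches
#    how SPNs are compared in AD.
$spnOwners = @{}
Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
    ForEach-Object {
        $owner = $_.DistinguishedName
        foreach ($spn in $_.servicePrincipalName) {
            if (-not $spnOwners.ContainsKey($spn)) { $spnOwners[$spn] = @() }
            $spnOwners[$spn] += $owner
        }
    }

# 2. Report SPNs present on more than one object. With a duplicate SPN the
#    KDC cannot tell which account's key should encrypt the service ticket,
#    so Kerberos fails and the client quietly falls back to NTLM.
$duplicates = $spnOwners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if ($duplicates) {
    Write-Warning 'Duplicate SPNs found:'
    foreach ($d in $duplicates) {
        "  $($d.Key)"
        $d.Value | ForEach-Object { "      -> $_" }
    }
} else {
    'No duplicate SPNs in the domain.'
}

# 3. Check that both HTTP SPN forms for the web host exist and sit on a
#    single object. That object must be the identity the IIS application
#    pool runs as, otherwise IIS cannot decrypt the ticket the client sends.
foreach ($form in "http/$ShortName", "http/$WebHost") {
    $owners = $spnOwners[$form]
    if (-not $owners) {
        Write-Warning "$form is not registered on any object"
    } elseif ($owners.Count -gt 1) {
        Write-Warning "$form is registered on $($owners.Count) objects"
    } else {
        "$form -> $($owners[0])"
    }
}
```

Run it on a domain-joined machine as a user who can read AD. Any SPN listed under step 2 must be removed from all but one account with `setspn -D` before Kerberos can work for that service; on Windows Server 2008 or later, `setspn -X` performs the same duplicate search without PowerShell. If step 3 shows the HTTP SPNs on the computer account while the pool runs as a domain account (or the reverse), that mismatch alone is enough to produce the NtLmSsp logon events quoted above.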