| Groups | Blog | Home |
iis security : iis 5.1, internet explorer, cached credentials and kerberos
We have a 5.1 web site set for 'Integrated Windows Authenticatioin' (only).
In Internet Explorer 7.0, we have this site added to our list of local intranet sites and the User Authentication for that zone is set to 'Automatic logon only in intranet zone'. We also have 'Enable Integrated Windows Authenticate' (best try kerberos) enabled. If a user does a domain logon (when connected to our domain network) and then takes his machine into the field and logs back onto his machine using his cached domain credentials, connects to an ISP and attempts to access our site, Internet Explorer comes up with a 'Cannot display the WebPage'. If we turn off kerberos the user is auto logged on (good). If we remove site from the local intranet zone or temporarily force logon for that zone we are prompted for credentials and can successful connect using our domain credentials (good). if the user logs on to a local account on the machine, the user is prompted for domain credentials (good). Any idea why Internet Explorer might be choking in the situation described (cached domain credentials, ISP connect, Kerberos authentication? Any suggestions for a preferred work aorund given that we want to continue to use windows integrated security over the internet? Any opinion on reverting back to NTLM (uncheck 'Enable Integrated Windows Authenticate' in IE)? Thanks for any info,
I've been doing a little homework and am looking for validation of what I
think I understand. If I connect to the internet via my ISP (no VPNing involved), is it correct to say that there is NO way for Internet Explorer to authenticate to my companies IIS served web site via Kerberos even if the site is set for 'Negotiate' and Internet Explorer is set to 'Enable Integrated Windows Authenticate' (I'll call best try kerberos). I say that because I now understand there is no way for me to obtain a kerberos ticket when not connected to my companies network. Have I got that right? As I undertand it, NTLM is the best I can hope for in this scenario. Have I got that right? Again any feedback appreciated, Brian [quoted text, click to view] "Brian Yuill" wrote:
> We have a 5.1 web site set for 'Integrated Windows Authenticatioin' (only). > > In Internet Explorer 7.0, we have this site added to our list of local > intranet sites and the User Authentication for that zone is set to 'Automatic > logon only in intranet zone'. We also have 'Enable Integrated Windows > Authenticate' (best try kerberos) enabled. > > If a user does a domain logon (when connected to our domain network) and > then takes his machine into the field and logs back onto his machine using > his cached domain credentials, connects to an ISP and attempts to access our > site, Internet Explorer comes up with a 'Cannot display the WebPage'. > > If we turn off kerberos the user is auto logged on (good). > > If we remove site from the local intranet zone or temporarily force logon > for that zone we are prompted for credentials and can successful connect > using our domain credentials (good). > > if the user logs on to a local account on the machine, the user is prompted > for domain credentials (good). > > Any idea why Internet Explorer might be choking in the situation described > (cached domain credentials, ISP connect, Kerberos authentication? > > Any suggestions for a preferred work aorund given that we want to continue > to use windows integrated security over the internet? > > Any opinion on reverting back to NTLM (uncheck 'Enable Integrated Windows > Authenticate' in IE)? > > Thanks for any info,
Hi there,
To obtain a Kerberos ticket you need to connect to the KDC. This is hosted on your AD domain controller if it's a Windows domain. Unless you expose your DCs to the public internet and you have the necessary SRV records published in the DNS, the client can not contact the KDC. So no Kerberos available. That said, I don't think you should be having the issue you are describing. The client should detect that there is no KDC available, and attempt NTLM instead (according to network packet captures I have seen). Can you get a packet capture from a client when the problem is occuring? Cheers Ken -- My IIS blog: http://adopenstatic.com/blog [quoted text, click to view] "Brian Yuill" <BrianYuill@discussions.microsoft.com> wrote in message
news:DA26DE5A-1BBE-45E8-AE3B-31967530E24E@microsoft.com... > I've been doing a little homework and am looking for validation of what I > think I understand. > > If I connect to the internet via my ISP (no VPNing involved), is it > correct > to say that there is NO way for Internet Explorer to authenticate to my > companies IIS served web site via Kerberos even if the site is set for > 'Negotiate' and Internet Explorer is set to 'Enable Integrated Windows > Authenticate' (I'll call best try kerberos). I say that because I now > understand there is no way for me to obtain a kerberos ticket when not > connected to my companies network. > Have I got that right? > > As I undertand it, NTLM is the best I can hope for in this scenario. > Have I got that right? > > Again any feedback appreciated, > Brian > > > "Brian Yuill" wrote: > >> We have a 5.1 web site set for 'Integrated Windows Authenticatioin' >> (only). >> >> In Internet Explorer 7.0, we have this site added to our list of local >> intranet sites and the User Authentication for that zone is set to >> 'Automatic >> logon only in intranet zone'. We also have 'Enable Integrated Windows >> Authenticate' (best try kerberos) enabled. >> >> If a user does a domain logon (when connected to our domain network) and >> then takes his machine into the field and logs back onto his machine >> using >> his cached domain credentials, connects to an ISP and attempts to access >> our >> site, Internet Explorer comes up with a 'Cannot display the WebPage'. >> >> If we turn off kerberos the user is auto logged on (good). >> >> If we remove site from the local intranet zone or temporarily force logon >> for that zone we are prompted for credentials and can successful connect >> using our domain credentials (good). >> >> if the user logs on to a local account on the machine, the user is >> prompted >> for domain credentials (good). >> >> Any idea why Internet Explorer might be choking in the situation >> described >> (cached domain credentials, ISP connect, Kerberos authentication? >> >> Any suggestions for a preferred work aorund given that we want to >> continue >> to use windows integrated security over the internet? >> >> Any opinion on reverting back to NTLM (uncheck 'Enable Integrated >> Windows >> Authenticate' in IE)? >> >> Thanks for any info, >> Brian
Thanks Ken,
On failure IE says The page cannot be displayed Cannot find server or DNS Error Internet Explorer Took a look at packet tracket. Last packets are IE asking ISP guy for ptr to domain controller via bios name (no response) and then one final TCP call. Some frame info below. Frame: + Ethernet: Etype = Internet IP (IPv4) + Ipv4: Next Protocol = UDP, Packet ID = 2188, Total IP Length = 78 + Udp: SrcPort = NETBIOS Name Service(137), DstPort = NETBIOS Name Service(137), Length = 58 - Nbtns: Query Request for AAAADOM <0x1C> Domain Controllers TransactionId: 32836 (0x8044) - Flag: 272 (0x110) R: (0...............) Request OPCode: (.0000...........) Query AA: (.....0..........) Non-authorized answer TC: (......0.........) Datagram not truncated RD: (.......1........) Recursion desired RA: (........0.......) Recursion not available Reserved: (.........00.....) B: (...........1....) Broadcast RCode: (............0000) Success QuestionCount: 1 (0x1) AnswerCount: 0 (0x0) NameServiceCount: 0 (0x0) AdditionalCount: 0 (0x0) - NbtNsQuestionSectionData: - QuestionName: AAAADOM <0x1C> Domain Controllers Name: AAAADOM QuestionType: NetBIOS General Name Service QuestionClass: Internet Class 1(0x1) Frame: + Ethernet: Etype = Internet IP (IPv4) + Ipv4: Next Protocol = TCP, Packet ID = 2189, Total IP Length = 40 - Tcp: Flags=..R.A..., SrcPort=1233, DstPort=HTTP(80), Len=0, Seq=433479785, Ack=423573933, Win=0 (scale factor not found) SrcPort: 1233 DstPort: HTTP(80) SequenceNumber: 433479785 (0x19D66069) AcknowledgementNumber: 423573933 (0x193F39AD) + DataOffset: 80 (0x50) - Flags: ..R.A... CWR: (0.......) CWR not significant ECE: (.0......) ECN-Echo not significant Urgent: (..0.....) Not Urgent Data Ack: (...1....) Acknowledgement field significant Push: (....0...) No Push Function Reset: (.....1..) Reset Syn: (......0.) Not Synchronize sequence numbers Fin: (.......0) Not End of data Window: 0 (scale factor not found) Checksum: 37734 (0x9366) UrgentPointer: 0 (0x0) [quoted text, click to view] "Ken Schaefer" wrote:
> Hi there, > > To obtain a Kerberos ticket you need to connect to the KDC. This is hosted > on your AD domain controller if it's a Windows domain. Unless you expose > your DCs to the public internet and you have the necessary SRV records > published in the DNS, the client can not contact the KDC. So no Kerberos > available. > > That said, I don't think you should be having the issue you are describing. > The client should detect that there is no KDC available, and attempt NTLM > instead (according to network packet captures I have seen). > > Can you get a packet capture from a client when the problem is occuring? > > Cheers > Ken > > -- > My IIS blog: http://adopenstatic.com/blog > > "Brian Yuill" <BrianYuill@discussions.microsoft.com> wrote in message > news:DA26DE5A-1BBE-45E8-AE3B-31967530E24E@microsoft.com... > > I've been doing a little homework and am looking for validation of what I > > think I understand. > > > > If I connect to the internet via my ISP (no VPNing involved), is it > > correct > > to say that there is NO way for Internet Explorer to authenticate to my > > companies IIS served web site via Kerberos even if the site is set for > > 'Negotiate' and Internet Explorer is set to 'Enable Integrated Windows > > Authenticate' (I'll call best try kerberos). I say that because I now > > understand there is no way for me to obtain a kerberos ticket when not > > connected to my companies network. > > Have I got that right? > > > > As I undertand it, NTLM is the best I can hope for in this scenario. > > Have I got that right? > > > > Again any feedback appreciated, > > Brian > > > > > > "Brian Yuill" wrote: > > > >> We have a 5.1 web site set for 'Integrated Windows Authenticatioin' > >> (only). > >> > >> In Internet Explorer 7.0, we have this site added to our list of local > >> intranet sites and the User Authentication for that zone is set to > >> 'Automatic > >> logon only in intranet zone'. We also have 'Enable Integrated Windows > >> Authenticate' (best try kerberos) enabled. > >> > >> If a user does a domain logon (when connected to our domain network) and > >> then takes his machine into the field and logs back onto his machine > >> using > >> his cached domain credentials, connects to an ISP and attempts to access > >> our > >> site, Internet Explorer comes up with a 'Cannot display the WebPage'. > >> > >> If we turn off kerberos the user is auto logged on (good). > >> > >> If we remove site from the local intranet zone or temporarily force logon > >> for that zone we are prompted for credentials and can successful connect > >> using our domain credentials (good). > >> > >> if the user logs on to a local account on the machine, the user is > >> prompted > >> for domain credentials (good). > >> > >> Any idea why Internet Explorer might be choking in the situation > >> described > >> (cached domain credentials, ISP connect, Kerberos authentication? > >> > >> Any suggestions for a preferred work aorund given that we want to > >> continue > >> to use windows integrated security over the internet? > >> > >> Any opinion on reverting back to NTLM (uncheck 'Enable Integrated > >> Windows > >> Authenticate' in IE)? > >> > >> Thanks for any info, > >> Brian >
After googling around some more it feels like my problem lives in IE.
I've tried IE versions 6 and 7. Both fail the same way. Multiple machines. Same problem. Couple of different ISPs. Same problem. I've tried running site under IIS 6. Problem persists. It seems like the conventional wisdom is that IE should revert to NTLM when it realizes it can't talk to a KDC. In my case it appears IE makes a request to my ISP (my assigned address but with 255 in the last segment 168,111,111,255) for a pointer to the DC for the cached credential's domain. When IE gets no response it gives up and reports the error. Any suggestions on other things to try? If I set ISS or IE to NTLM then my problem goes away. I'm considering configuring my 5.0 IIS server to NTLM (from Negotiate,NTLM). Most of the access to those sites is from inside the network and so will change from kerberos to NTLM. Is there much cause for concern if I do that? I currently don't have any need to propagate credentials. Brian [quoted text, click to view] "Brian Yuill" wrote:
> Thanks Ken, > > On failure IE says > > The page cannot be displayed > > Cannot find server or DNS Error > Internet Explorer > > Took a look at packet tracket. > > Last packets are IE asking ISP guy for ptr to domain controller via bios > name (no response) and then one final TCP call. Some frame info below. > > > Frame: > + Ethernet: Etype = Internet IP (IPv4) > + Ipv4: Next Protocol = UDP, Packet ID = 2188, Total IP Length = 78 > + Udp: SrcPort = NETBIOS Name Service(137), DstPort = NETBIOS Name > Service(137), Length = 58 > - Nbtns: Query Request for AAAADOM <0x1C> Domain Controllers > TransactionId: 32836 (0x8044) > - Flag: 272 (0x110) > R: (0...............) Request > OPCode: (.0000...........) Query > AA: (.....0..........) Non-authorized answer > TC: (......0.........) Datagram not truncated > RD: (.......1........) Recursion desired > RA: (........0.......) Recursion not available > Reserved: (.........00.....) > B: (...........1....) Broadcast > RCode: (............0000) Success > QuestionCount: 1 (0x1) > AnswerCount: 0 (0x0) > NameServiceCount: 0 (0x0) > AdditionalCount: 0 (0x0) > - NbtNsQuestionSectionData: > - QuestionName: AAAADOM <0x1C> Domain Controllers > Name: AAAADOM > QuestionType: NetBIOS General Name Service > QuestionClass: Internet Class 1(0x1) > > Frame: > + Ethernet: Etype = Internet IP (IPv4) > + Ipv4: Next Protocol = TCP, Packet ID = 2189, Total IP Length = 40 > - Tcp: Flags=..R.A..., SrcPort=1233, DstPort=HTTP(80), Len=0, Seq=433479785, > Ack=423573933, Win=0 (scale factor not found) > SrcPort: 1233 > DstPort: HTTP(80) > SequenceNumber: 433479785 (0x19D66069) > AcknowledgementNumber: 423573933 (0x193F39AD) > + DataOffset: 80 (0x50) > - Flags: ..R.A... > CWR: (0.......) CWR not significant > ECE: (.0......) ECN-Echo not significant > Urgent: (..0.....) Not Urgent Data > Ack: (...1....) Acknowledgement field significant > Push: (....0...) No Push Function > Reset: (.....1..) Reset > Syn: (......0.) Not Synchronize sequence numbers > Fin: (.......0) Not End of data > Window: 0 (scale factor not found) > Checksum: 37734 (0x9366) > UrgentPointer: 0 (0x0) > > "Ken Schaefer" wrote: > > > Hi there, > > > > To obtain a Kerberos ticket you need to connect to the KDC. This is hosted > > on your AD domain controller if it's a Windows domain. Unless you expose > > your DCs to the public internet and you have the necessary SRV records > > published in the DNS, the client can not contact the KDC. So no Kerberos > > available. > > > > That said, I don't think you should be having the issue you are describing. > > The client should detect that there is no KDC available, and attempt NTLM > > instead (according to network packet captures I have seen). > > > > Can you get a packet capture from a client when the problem is occuring? > > > > Cheers > > Ken > > > > -- > > My IIS blog: http://adopenstatic.com/blog > > > > "Brian Yuill" <BrianYuill@discussions.microsoft.com> wrote in message > > news:DA26DE5A-1BBE-45E8-AE3B-31967530E24E@microsoft.com... > > > I've been doing a little homework and am looking for validation of what I > > > think I understand. > > > > > > If I connect to the internet via my ISP (no VPNing involved), is it > > > correct > > > to say that there is NO way for Internet Explorer to authenticate to my > > > companies IIS served web site via Kerberos even if the site is set for > > > 'Negotiate' and Internet Explorer is set to 'Enable Integrated Windows > > > Authenticate' (I'll call best try kerberos). I say that because I now > > > understand there is no way for me to obtain a kerberos ticket when not > > > connected to my companies network. > > > Have I got that right? > > > > > > As I undertand it, NTLM is the best I can hope for in this scenario. > > > Have I got that right? > > > > > > Again any feedback appreciated, > > > Brian > > > > > > > > > "Brian Yuill" wrote: > > > > > >> We have a 5.1 web site set for 'Integrated Windows Authenticatioin' > > >> (only). > > >> > > >> In Internet Explorer 7.0, we have this site added to our list of local > > >> intranet sites and the User Authentication for that zone is set to > > >> 'Automatic > > >> logon only in intranet zone'. We also have 'Enable Integrated Windows > > >> Authenticate' (best try kerberos) enabled. > > >> > > >> If a user does a domain logon (when connected to our domain network) and > > >> then takes his machine into the field and logs back onto his machine > > >> using > > >> his cached domain credentials, connects to an ISP and attempts to access > > >> our > > >> site, Internet Explorer comes up with a 'Cannot display the WebPage'. > > >> > > >> If we turn off kerberos the user is auto logged on (good). > > >> > > >> If we remove site from the local intranet zone or temporarily force logon > > >> for that zone we are prompted for credentials and can successful connect > > >> using our domain credentials (good). > > >> > > >> if the user logs on to a local account on the machine, the user is > > >> prompted > > >> for domain credentials (good). > > >> > > >> Any idea why Internet Explorer might be choking in the situation > > >> described > > >> (cached domain credentials, ISP connect, Kerberos authentication? > > >> > > >> Any suggestions for a preferred work aorund given that we want to > > >> continue > > >> to use windows integrated security over the internet? > > >> > > >> Any opinion on reverting back to NTLM (uncheck 'Enable Integrated > > >> Windows > > >> Authenticate' in IE)? > > >>
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |