
kerberos and IIS: tough question...


rbelt
May 9, 2003
My understanding of kerberos is that after you go through the initial authentication process (long-term-key -> ticket granting ticket -> session key...), you end up with a session ticket which allows your client to 'automatically authenticate' to other services/resources within the domain (realm) -- however, I have noticed that when I disable anonymous access on (a site on) IIS (which leaves either basic, digest or integrated authentication), when Internet Explorer is launched (and pointed to this IIS/site), I am prompted for credentials.

This is a simple setup w/a W2K DC (single server domain) running IIS and a W2K client that has joined the domain with the user already logged into the domain... What gives here? If the client has already been authenticated to the domain through kerberos, why is IE prompting for re-authorization to access the web site (which is on an IIS server that is part of the domain)?

Thanks for ANY help in this!

//RB
 
If you unchecked Anonymous authentication, you should check Windows Integrated.
It has nothing to do with kerberos. It has to do with that setting, or with the version of IE that you are using. Install the latest version, and it should not ask you again for authorization.
Tell me if it is working.


Gia Betiu
gia@almondeyes.net
Computer Eng. CNE 4, CNE 5, MCSE Win2K
new: (just started)
 
I'm finding that this is not the case (tried this in two different test labs... everything is updated...). If you disable anonymous access and select integrated, you get prompted every time you hit the web site.

Kerberos comes into the picture because a pure windows 2000 environment defaults to kerberos (over ntlm) so when the w2k workstation logs in, it receives (through the ticketing process) its session key. In order for an authorized workstation to access any resource on the domain, it must present a session key that authorizes that client for that particular service... e.g. if I want to access a share on a remote (but domain member) server, I must first present my session key to the resource before I can attach to the share. This is the same with exchange, etc. I figured it would be the same with IIS but apparently it isn't and I'm wondering why...

any thoughts?

thanks!

//RB
 
Yes rb, I know how Kerberos is working. And I can tell you that without special settings in the registry your IIS authentication is using NTLM.
Don't believe it? Try to sniff the communication between IIS and a client of yours (HTTPsniff is a good tool).

Gia Betiu
gia@almondeyes.net
Computer Eng. CNE 4, CNE 5, MCSE Win2K
new: (just started)
 
Thanks for ALL the info -- I've got to admit that I'm slightly puzzled over the ntlm authentication. Everything I've read tells me that if the system was not an upgrade from IIS4 (clean install) then the system will opt for kerberos over ntlm... I double checked the IIS metadata and it shows that authentication will proceed in the 'negotiate, NTLM' stage (meaning it will negotiate for kerberos first...). However, I did set up a sniffer and at first, I saw the IIS offer to negotiate (kerberos) but damn, you're correct because the client responds in ntlm -- what gives??!!?? And what is the fix?

Thanks for all the links -- they are all in my favorites now...

The issue was that the browser needed to be set so that the internal web site was registered as 'internal'. Once I added the info, authentication passed straight through.

These message boards and the people on them are awesome!

//RB
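The "sniff it" check from Gia's reply, carried out on the header level, as an added example that is not part of the thread: it decodes the client's Authorization header and reports whether the token inside Negotiate is really Kerberos or NTLM (which is what the sniffer above showed). The sample headers are constructed here, not captured; the classifier returns 'ntlm', 'ntlm-spnego', 'kerberos', 'kerberos-spnego', the name of another scheme such as 'basic', or 'unknown'.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"                               # NTLM message signature
SPNEGO_OID = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2 (Windows legacy)
NTLM_OID = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10

def classify_authorization(header_value):
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return scheme.lower() or "unknown"      # e.g. 'basic', 'digest'
    try:
        token = base64.b64decode(blob, validate=True)
    except ValueError:
        return "unknown"
    if token.startswith(NTLMSSP):               # raw NTLMSSP message: the NTLM fallback path
        return "ntlm"
    oid = b""                                   # mech OID of a GSS-API InitialContextToken
    if len(token) > 3 and token[0] == 0x60:
        i = 2 + ((token[1] & 0x7F) if token[1] & 0x80 else 0)   # skip long-form length
        oid = token[i:i + 2 + token[i + 1]] if token[i] == 0x06 else b""
    if oid in (KRB5_OID, MS_KRB5_OID):          # bare Kerberos AP-REQ token
        return "kerberos"
    if oid == SPNEGO_OID:                       # NegTokenInit: inspect the optimistic token
        if NTLMSSP in token:
            return "ntlm-spnego"
        if KRB5_OID in token or MS_KRB5_OID in token:
            return "kerberos-spnego"
    return "unknown"

def _der(tag, content):  # minimal DER TLV encoder (content < 64 KiB) for the samples
    n = len(content)
    length = (bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100
              else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content

def sample_spnego(mech_oid, mech_token):  # SPNEGO NegTokenInit: one mechType + its token
    mech_types = _der(0xA0, _der(0x30, mech_oid))
    init = _der(0x30, mech_types + _der(0xA2, _der(0x04, mech_token)))
    return _der(0x60, SPNEGO_OID + _der(0xA0, init))

# Constructed NTLM NEGOTIATE_MESSAGE (type 1) with empty domain/workstation fields.
NTLM_TYPE1 = NTLMSSP + (1).to_bytes(4, "little") + (0x20000201).to_bytes(4, "little") + bytes(16)
_hdr = lambda scheme, token: scheme + " " + base64.b64encode(token).decode("ascii")

SAMPLE_HEADERS = {  # constructed sample headers, not captured traffic
    "negotiate_ntlm_fallback": _hdr("Negotiate", NTLM_TYPE1),
    "negotiate_ntlm_in_spnego": _hdr("Negotiate", sample_spnego(NTLM_OID, NTLM_TYPE1)),
    "negotiate_kerberos": _hdr("Negotiate", sample_spnego(
        KRB5_OID, _der(0x60, KRB5_OID + b"\x01\x00constructed-AP-REQ"))),
}
```

A client that answers IIS's "Negotiate" offer with 'ntlm' or 'ntlm-spnego' is the symptom discussed in this thread: it never obtained a service ticket for the site, so SSPI fell back to NTLM.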
 
Thanks for the additional link -- it confirms my understanding and readings of IE/IIS authentication; however, I'm still confused as to why my particular client is authenticating via ntlm when it should be using kerberos. I'm going to keep looking into this but if people have comments... I'd love to know how Gia knew that it would be using ntlm.

//RB
 
I am having a very similar situation. I have a Win2K member server with MS Proxy running on it. MS Proxy uses IIS5 for serving the web pages. We upgraded to Active Directory, and since then we get prompted for userid & password by MS Proxy. IIS is configured to use Windows-integrated authentication, but it doesn't appear to be working. I tried the fix posted above, but it didn't seem to help. I can use MS Proxy with IIS set to use anonymous authentication, but I need to use windows-integrated.
 
for clarity, you are talking about internal clients getting out, yes? I'm also assuming you enabled the 'Trust Computer for Delegation' part...

Make sure your IIS is set to negotiate authentication:


use the cscript get to see if you get 'negotiate, ntlm' and read all the crap about the IE settings in the above links...

I also came across this link -- it may indicate a problem with using proxy in an active directory environment (but I didn't dig too deep...):

I found the reg hack to get IE to respond w/kerberos (I think... haven't tried it yet but will report back when I do)... Still not sure why I have to hack the registry to get this to work though -- it should have been automatic!

//RB
 