Re: AW: Some Users get Basic Auth?

On Jun 12, 2007, at 11:04 PM, Djihangiroff, Matthias (KC-DD) wrote:

I've checked the browser settings, Integrated Windows Auth is checked.

Where can I configure the browser so that it uses only Kerberos?
I didn't find any option.

You can't. A lot of it depends on the URL you present to IE, which
will in turn dictate what protocol is chosen under SPNEGO.

When you type "http://someserver", then IE will present the Kerberos
package on the client with the service principal name (SPN) of http/
someserver. For Kerberos to work, you need a service ticket matching
that SPN. This will only be possible if the web server is properly
registered with a machine account in your client's domain, or
potentially another domain in the forest (assuming you're using AD).

In some cases, IE will do a reverse lookup and expand the someserver
to http/someserver.domain.com, but the SPN lookup rule still applies.

If Kerberos can't find the SPN (for example if the target server
isn't registered in a trusted domain, or the client's KDC can't be
reached over the presently connected network), it will drop back to
NTLM (wrapped in SPNEGO tokens). There's really no easy way to
guarantee Kerberos, and, in fact, NTLM is frequently the protocol
chosen for HTTP auth.

We tried, in the old days, to get rid of NTLM, but that's not possible
w/o service interruptions unless you can *always* get a service
ticket to the server.

Todd
________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos
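Since Todd's point is that the client, not the admin, decides between Kerberos and NTLM under SPNEGO, the practical check on the server side is to look at what the browser actually sent. The script below is an added example, not code from this thread or from any of the posters: it derives the SPN from a URL the way the reply describes (service class HTTP plus the host part of the URL, which is assumed to be IE's default behaviour, ignoring scheme and port), and it classifies an `Authorization: Negotiate ...` header by decoding the SPNEGO NegTokenInit and reading its mechTypes list. Per RFC 4178 the attached mechToken belongs to the first listed mechanism, so a first entry of NTLM means the client had already fallen back before the server saw anything. The DER helpers, the sample headers and the placeholder mechToken bodies are all constructed here; the OIDs are the standard SPNEGO, Kerberos, Microsoft Kerberos and NTLM identifiers.

```python
import base64
from urllib.parse import urlsplit

# OIDs seen in SPNEGO / GSS-API tokens (RFC 4178, RFC 4121, MS-SPNG)
SPNEGO = "1.3.6.1.5.5.2"
KRB5 = "1.2.840.113554.1.2.2"
MS_KRB5 = "1.2.840.48018.1.2.2"      # Microsoft's legacy Kerberos OID, listed first by Windows
NTLM = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {KRB5: "kerberos", MS_KRB5: "kerberos", NTLM: "ntlm"}

def spn_from_url(url):
    """SPN the client will ask the KDC for, as the reply describes: service class HTTP
    plus the URL's host part. Scheme and port are ignored (assumed default IE behaviour)."""
    return "HTTP/" + urlsplit(url).hostname

# --- minimal DER helpers; single-byte tags are all these tokens use ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def _tlv(tag, value):
    return bytes([tag]) + _der_len(len(value)) + value

def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                            # base-128, high bit on all but the last byte
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def build_spnego_init(mech_oids, mech_token):
    """Encode a NegTokenInit ([0] mechTypes, [2] mechToken) inside the GSS-API
    InitialContextToken that carries the SPNEGO OID. Used here to build sample headers."""
    mech_list = _tlv(0x30, b"".join(_tlv(0x06, _encode_oid(o)) for o in mech_oids))
    fields = _tlv(0xA0, mech_list) + _tlv(0xA2, _tlv(0x04, mech_token))
    return _tlv(0x60, _tlv(0x06, _encode_oid(SPNEGO)) + _tlv(0xA0, _tlv(0x30, fields)))

def spnego_mech_types(neg_init):
    """mechTypes list of a NegTokenInit (the bytes that follow the SPNEGO OID)."""
    tag, seq, _ = _read_tlv(neg_init, 0)            # [0] NegTokenInit
    if tag != 0xA0:
        return []
    _, fields, _ = _read_tlv(seq, 0)                # SEQUENCE of context-tagged fields
    pos = 0
    while pos < len(fields):
        tag, val, pos = _read_tlv(fields, pos)
        if tag == 0xA0:                             # [0] mechTypes: SEQUENCE OF OID
            _, lst, _ = _read_tlv(val, 0)
            oids, p = [], 0
            while p < len(lst):
                _, raw, p = _read_tlv(lst, p)
                oids.append(_decode_oid(raw))
            return oids
    return []

def classify_auth_header(header_value):
    """Which mechanism an 'Authorization: Negotiate|NTLM <b64>' value really carries.
    RFC 4178: the mechToken belongs to the FIRST listed mechType, so that entry shows
    whether the client got a Kerberos ticket for the SPN or fell back to NTLM."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other"
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm-raw"                           # bare NTLMSSP message, no SPNEGO wrapper
    if not token or token[0] != 0x60:
        return "unknown"
    _, body, _ = _read_tlv(token, 0)
    _, oid, pos = _read_tlv(body, 0)
    if _decode_oid(oid) != SPNEGO:
        return "unknown"
    mechs = spnego_mech_types(body[pos:])
    return MECH_NAMES.get(mechs[0], mechs[0]) if mechs else "unknown"

def _b64(raw):
    return base64.b64encode(raw).decode()

# Constructed sample headers; the mechToken bodies are placeholders, not real tickets.
SAMPLE_HEADERS = {
    "ticket_found":  "Negotiate " + _b64(build_spnego_init([MS_KRB5, KRB5, NTLM], b"<ap-req placeholder>")),
    "ntlm_fallback": "Negotiate " + _b64(build_spnego_init([NTLM], b"NTLMSSP\x00\x01\x00\x00\x00")),
    "bare_ntlm":     "NTLM " + _b64(b"NTLMSSP\x00\x01\x00\x00\x00"),
}
```

Run `classify_auth_header` over the `Authorization` values in your web server's logs (or a capture) and count how often the answer is `ntlm` or `ntlm-raw` per client subnet: that is the population Todd describes, clients that could not obtain a service ticket for the SPN that `spn_from_url` derives from the URL they typed. Compare that SPN against what is registered on the server's machine account (the `setspn -L` check mentioned in the related threads) before looking at KDC reachability.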
