I forgot one detail. I am accessing this site from a computer that is
joined up to a different forest. That metabase key
NTAuthenticationProviders also didn't do what I was hoping for.

-Brandon

-----Original Message-----
From: Bernier, Brandon (.) 
Sent: Thursday, May 18, 2006 8:56 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM

I am running the application pool for this website as "Network Service".
It is not explicitly defined in my IE Intranet Security Zone, but we
have a proxy script that enables "bypass from proxy server" and we have
that condition in IE security zone enabled, so yes it's there. I know it
is using Kerberos (unless .Net is wrong) because I do a catch that poops
out the user context

string impersonationLevel = System.Security.Principal.WindowsIdentity.GetCurrent().ImpersonationLevel.ToString();
string authenticationType = System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType;

and 

string userName = HttpContext.Current.User.Identity.Name;

A.) Yes
B.) Yes
C.) Yes
D.) Until development is completed it is accessed under the server FQDN,
I registered an HTTP SPN as follows: "setspn -a servername.com
servername".
E.) Yes
F.) I'm not getting any related failures on either the IIS server or the
DC it is contacting.

My network traces show it trying to auth as NTLM... I thought if it
can use Kerb it does that first, then NTLM... I'm going to add
NTAuthenticationProviders=Negotiate in the metabase for this site so it
forces Kerb or nothing. Thanks again!

-Brandon

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Wednesday, May 17, 2006 7:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM

There's lots of information missing from your post.

If you are using a FQDN or IP address to access the site, then the site
must be in IE's Intranet Security zone (not Internet zone). IE doesn't
attempt Kerberos authentication for sites in the Internet zone.

You haven't mentioned what security contexts you are running your
website under. If your web application is running under a custom
account, all applications accessible at the same FQDN must also be
running under that account (even if they are in a different web app
pool). And you need to register the SPN under that custom account. If
you are using the default Network Service account, then you do not need
to register a HTTP SPN unless you are using a non-default port.

So, perhaps you can give us the following configuration details?

a) Is the website in the Intranet security zone in IE?

b) Is "Enable Integrated Windows AuthN" enabled in IE?

c) Is the IIS computer account trusted for delegation in AD?

d) What is the URL you are using to access the site, what SPN did
you register and where?

e) The other applications accessible at the FQDN/IP address - are
they also running under the same user context?

f) In the Security event log, what logon failure events do you
see? Can you cut-n-paste them here please?

Cheers

Ken

--

My IIS Blog: www.adOpenStatic.com/cs/blogs/ken

Tech.Ed Boston 2006 See you there: Everything the web administrator
needs to know about MOM 2005

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernier,
Brandon (.)
Sent: Thursday, 18 May 2006 6:51 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [OT] IIS6 - Kerb/NTLM

OK...I've got a nice issue here and I've been bashing my head against my
desk to the point where I need help. 

I'm writing a very directory-intensive application in C# with ASP.Net
2.0. If I authenticate to the webpage via NTLM my directory calls will
fail; this is because of the NTLM double hop (trying to pass it from the
client to IIS and do stuff to Active Directory). Sooooo I say I'll use
Kerberos instead. I figured if I enabled the computer object for the IIS
box to be trusted for delegation and gave it an HTTP SPN it should work.
It will work locally from the webserver, but not from any client. My
guess is it wants the client computers to be trusted as well to
support the mutual auth (I hope I'm wrong). Any suggestions?

-Brandon 
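The thread above diagnoses the double hop by dumping the user context from a catch block after the directory call has already failed. The following is an added example, not code from the thread or from either poster, that turns the same two properties (`WindowsIdentity.AuthenticationType` and `WindowsIdentity.ImpersonationLevel`) into a fail-fast check an ASP.NET 2.0 page can run before its first directory call, so a broken Kerberos/delegation setup reports the actual cause instead of an opaque AD error. It assumes the application impersonates the caller (`<identity impersonate="true"/>` in web.config); without impersonation `WindowsIdentity.GetCurrent()` returns the app pool account (Network Service here) rather than the browser user, which is a second thing this check surfaces. The class and method names are hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added example (not from the thread). Checks whether the current request's
// token can be forwarded to Active Directory before any directory call is made.
public static class DoubleHopCheck
{
    // Pure decision logic, kept free of HttpContext so it is easy to unit test.
    // Returns null when the token is usable for the second hop, otherwise the
    // reason it is not, phrased in terms of the configuration item to fix.
    public static string Diagnose(string authenticationType,
                                  TokenImpersonationLevel level,
                                  bool isAuthenticated,
                                  bool isImpersonatingCaller)
    {
        if (!isAuthenticated)
            return "Request is anonymous: Integrated Windows Authentication is not "
                 + "enabled in IIS, or anonymous access is still allowed.";

        if (!isImpersonatingCaller)
            return "Thread identity is the process account, not the browser user: "
                 + "<identity impersonate=\"true\"/> is missing from web.config.";

        // NTLM never produces a delegatable token; the web server only holds a
        // network-logon token for the user and cannot present it to the DC.
        if (string.Equals(authenticationType, "NTLM", StringComparison.OrdinalIgnoreCase))
            return "Authenticated with NTLM, so Kerberos was not negotiated: check that "
                 + "the site is in IE's Intranet zone, that the HTTP SPN is registered "
                 + "on the app pool account, and that the browser is in a trusted forest.";

        // A Kerberos ticket alone is not enough: the token must be at
        // Delegation level, which requires the IIS account to be trusted for delegation.
        if (level != TokenImpersonationLevel.Delegation)
            return "Kerberos ticket received but the token level is " + level
                 + ", not Delegation: the IIS computer/app pool account is not "
                 + "trusted for delegation in AD.";

        return null;
    }

    // Reads the live ASP.NET request context and applies the decision logic.
    // Call from Page_Load (or an HttpModule) before touching the directory.
    public static string DiagnoseCurrentRequest()
    {
        WindowsIdentity thread = WindowsIdentity.GetCurrent();
        IIdentity user = HttpContext.Current.User.Identity;

        // If impersonation is on, the thread identity is the browser user;
        // otherwise it is the app pool account and the names differ.
        bool impersonating = string.Equals(thread.Name, user.Name,
                                           StringComparison.OrdinalIgnoreCase);

        return Diagnose(thread.AuthenticationType,
                        thread.ImpersonationLevel,
                        user.IsAuthenticated,
                        impersonating);
    }
}
```

Sample use in a page: `string why = DoubleHopCheck.DiagnoseCurrentRequest(); if (why != null) throw new InvalidOperationException(why);` placed ahead of the first `DirectoryEntry` or `DirectorySearcher` call. The pure `Diagnose` method can be exercised without IIS, for example `Diagnose("NTLM", TokenImpersonationLevel.Impersonation, true, true)` returns the NTLM message and `Diagnose("Kerberos", TokenImpersonationLevel.Delegation, true, true)` returns null.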


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
