Wow - that would be frustrating. Glad you got it sorted.

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Boston 2006 See you there: Everything the web administrator needs to
know about MOM 2005

:  -----Original Message-----
:  From: [EMAIL PROTECTED] [mailto:ActiveDir-
:  [EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
:  Sent: Friday, 19 May 2006 9:57 PM
:  To: ActiveDir@mail.activedir.org
:  Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:  
:  Ken,
:  
:  Thanks for the help. The problem was someone felt the need to audit
:  computers objects in my testlab and was walking behind me turning off
:  that specific computer for delegation.  Grrrrrr.
:  
:  -Brandon
:  
:  -----Original Message-----
:  From: [EMAIL PROTECTED]
:  [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
:  Sent: Thursday, May 18, 2006 10:41 PM
:  To: ActiveDir@mail.activedir.org
:  Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:  
:  Well, you need to ensure that referrals are happening properly (so
:  that the DC in your domain is referring you to the correct KDC in the
:  foreign domain in the foreign forest)
:  
:  Cheers
:  Ken
:  
:  
:  :  -----Original Message-----
:  :  From: [EMAIL PROTECTED] [mailto:ActiveDir-
:  :  [EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
:  :  Sent: Thursday, 18 May 2006 11:10 PM
:  :  To: ActiveDir@mail.activedir.org
:  :  Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:  :
:  :  I forgot one detail. I am accessing this site from a computer that
:  :  is joined up to a different forest. That metabase key
:  :  NTAuthenticationProviders also didn't do what I was hoping for.
:  :
:  :  -Brandon
:  :
:  :  -----Original Message-----
:  :  From: Bernier, Brandon (.)
:  :  Sent: Thursday, May 18, 2006 8:56 AM
:  :  To: 'ActiveDir@mail.activedir.org'
:  :  Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:  :
:  :  I am running the application pool for this website as "Network
:  :  Service". It is not explicitly defined in my IE Intranet Security
:  :  Zone, but we have a proxy script that enables "bypass from proxy
:  :  server" and we have that condition in IE security zone enabled, so
:  :  yes it's there. I know it is using Kerberos (unless .Net is wrong)
:  :  because I do a catch that poops out the user context
:  :
:  :  System.Security.Principal.WindowsIdentity.GetCurrent().ImpersonationLevel.ToString();
:  :  System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType;
:  :
:  :  and
:  :
:  :  HttpContext.Current.User.Identity.Name.ToString();
:  :
:  :  A.) Yes
:  :  B.) Yes
:  :  C.) Yes
:  :  D.) Until development is completed it is accessed under the server
:  :  FQDN. I registered an HTTP SPN as follows: "setspn -a servername.com
:  :  servername".
:  :  E.) Yes
:  :  F.) I'm not getting any related failures on either the IIS server or
:  :  the DC it is contacting.
:  :
:  :  My network traces show it trying to auth as NTLM...I thought if it
:  :  can use kerb it does that first then NTLM...I'm going to add
:  :  NTAuthenticationProviders=Negotiate in the metabase for this site so
:  :  it forces kerb or nothing. Thanks again!
:  :
:  :  -Brandon
:  :
:  :  ________________________________
:  :
:  :  From: [EMAIL PROTECTED]
:  :  [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
:  :  Sent: Wednesday, May 17, 2006 7:45 PM
:  :  To: ActiveDir@mail.activedir.org
:  :  Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:  :
:  :
:  :
:  :  There's lots of information missing from your post.
:  :
:  :  If you are using a FQDN or IP address to access the site, then the
:  :  site must be in IE's Intranet Security zone (not Internet zone). IE
:  :  doesn't attempt Kerberos authentication for sites in the Internet
:  :  zone.
:  :
:  :  You haven't mentioned what security contexts you are running your
:  :  website under. If your web application is running under a custom
:  :  account, all applications accessible at the same FQDN must also be
:  :  running under that account (even if they are in a different web app
:  :  pool). And you need to register the SPN under that custom account.
:  :  If you are using the default Network Service account, then you do
:  :  not need to register a HTTP SPN unless you are using a non-default
:  :  port.
:  :
:  :
:  :
:  :  So, perhaps you can give us the following configuration details?
:  :
:  :  a) Is website in Intranet security zone in IE?
:  :
:  :  b) Is "Enable Integrated Windows AuthN" enabled in IE?
:  :
:  :  c) Is IIS computer account trusted for delegation in AD?
:  :
:  :  d) What is the URL you are using to access the site, what SPN did
:  :  you register and where?
:  :
:  :  e) The other applications accessible at the FQDN/IP address - are
:  :  they also running under the same user context?
:  :
:  :  f) In the Security event log, what logon failure events do you
:  :  see? Can you cut-n-paste them here please?
:  :
:  :
:  :
:  :  Cheers
:  :
:  :  Ken
:  :
:  :
:  :
:  :  --
:  :
:  :  My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
:  :
:  :  Tech.Ed Boston 2006 See you there: Everything the web administrator
:  :  needs to know about MOM 2005
:  :
:  :  ________________________________
:  :
:  :  From: [EMAIL PROTECTED]
:  :  [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
:  :  Sent: Thursday, 18 May 2006 6:51 AM
:  :  To: ActiveDir@mail.activedir.org
:  :  Subject: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:  :
:  :
:  :  OK...I've got a nice issue here and I've been bashing my head
:  :  against my desk to the point where I need help.
:  :
:  :  I'm writing a very directory intensive application in C# with
:  :  ASP.Net 2.0. If I authenticate to the webpage via NTLM my directory
:  :  calls will fail; this is because of the NTLM double hop (trying to
:  :  pass it from the client to IIS and do stuff to Active Directory).
:  :  Sooooo I say I'll use Kerberos instead. I figured if I enabled the
:  :  computer object for the IIS box to be trusted for delegation and
:  :  gave it an HTTP SPN it should work. It will work locally from the
:  :  webserver, but not from any client. My guess is it wants the client
:  :  computers to be trusted as well to support the mutual auth (I hope
:  :  I'm wrong). Any suggestions?
:  :
:  :  -Brandon
:  :
:  :
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
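Ken's checklist items (c) and (d) above can be verified from any domain-joined admin workstation rather than by reading network traces. The script below is an added example written for this page, not code from the thread or from Ken's blog; it assumes the RSAT ActiveDirectory PowerShell module (which postdates the 2006 thread) and uses the placeholder names webserver and webserver.example.com in place of Brandon's servername.

```powershell
# Added example (not from the thread). Checks Ken's points (c) and (d):
# is the IIS computer account trusted for delegation, and is the SPN that
# matches the host name clients type registered exactly once, on the account
# the app pool actually runs as? Names are placeholders (assumption).
param(
    [string]$WebServer      = 'webserver',              # NetBIOS name of the IIS box
    [string]$SiteHost       = 'webserver.example.com',  # host part of the URL clients use
    [string]$AppPoolAccount = ''                        # empty = Network Service
)

Import-Module ActiveDirectory

# (c) Trusted for delegation? With Network Service the web app authenticates
# to AD as the computer, so the flag must be set on the computer account.
$computer = Get-ADComputer -Identity $WebServer -Properties TrustedForDelegation
"{0,-45} {1}" -f "$WebServer trusted for delegation:", $computer.TrustedForDelegation

# (d) Which account holds an SPN for the URL host? For Network Service on the
# default port the HOST/ SPNs every computer account carries cover HTTP, so
# HOST/<host> or HTTP/<host> on the computer object is enough. A custom app
# pool account needs an explicit HTTP/<host> SPN on that account instead.
$candidates = @("HTTP/$SiteHost", "HOST/$SiteHost")
foreach ($spn in $candidates) {
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    switch ($holders.Count) {
        0       { "{0,-45} not registered" -f $spn }
        1       { "{0,-45} {1}" -f $spn, $holders[0].Name }
        default { "{0,-45} DUPLICATE on: {1}" -f $spn, ($holders.Name -join ', ') }
    }
}

# The holder must be the computer object for Network Service, otherwise the
# custom account. A missing SPN makes the client fall back to NTLM before the
# web server sees any Kerberos traffic; a duplicate is just as bad, because
# the KDC cannot know which account's key to encrypt the service ticket with.
$expectedHolder = if ($AppPoolAccount) { $AppPoolAccount } else { $WebServer }
"Expected holder: $expectedHolder   (register with: setspn -A HTTP/$SiteHost $expectedHolder)"
```

Read the two halves together: if the SPN check fails, the client will never get an HTTP/ ticket and the trace will show NTLM exactly as Brandon saw, regardless of the delegation setting; if the SPN is right but the delegation flag is off (Brandon's eventual root cause), Kerberos succeeds at the first hop and only the directory calls from the web app fail. On the client, klist on current Windows versions lists whether an HTTP/webserver.example.com ticket was obtained after the page loads, which tells you which half to look at.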