
IE falls back to NTLM -- won't use Kerberos

I've established user login identity impersonation and delegation for a
multi-tier web application. I'm running into a case where authentication
fails when a user accesses the app from a browser on one machine, but not
from another machine.

The relevant details -- in both cases, all of the following are in effect:

Same user account.
Same web application, same IIS host.
Client OS is XP Pro SP2.
Client browser is IE 6.0.
Both instances of IE have Windows integrated authentication enabled, and the
browsers were restarted.
Both instances of IE have the web app host in their list of Intranet sites.

I sniffed the packet traffic for both cases. In both cases, I see the
expected initial anonymous request for the application URL, with the
expected 401 response. The 401 response header in both cases includes
WWW-Authenticate: Negotiate and WWW-Authenticate: NTLM as authentication
options.

In the good case, the client responds by going to the Kerberos server to
authenticate itself and ask for a ticket for the server. All is good from
there on.

In the bad case, the client does not authenticate using Kerberos at all, but
immediately replies to the web server with NTLM credentials. This fails.

The good client responds to the 401 by trying Kerberos first. The bad
client responds by trying NTLM first, and never trying Kerberos at all.

I can make the good client behave *exactly* like the bad one by disabling
Windows integrated authentication in the good browser. Enabling Windows
integrated authentication and adding the web app host to the intranet site
list are the only fixes for the bad client that I can find in the MSDN docs,
and I've put those in place, but still no joy.

Any suggestions on what else to look at?

Many thanks -

R
Feb 27 '06 #1
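The two captures described above differ in what the client puts in its Authorization header after the 401: a SPNEGO token whose preferred mechanism is Kerberos, versus an NTLM message (either wrapped in SPNEGO with NTLMSSP listed first, or sent under a bare `NTLM` scheme). The following script is an added example, not code from the thread or from Microsoft: it builds constructed sample headers for both cases and classifies each one by decoding the token, so an administrator can confirm from a capture or a web log which clients are falling back to NTLM. The OIDs are the standard SPNEGO, Kerberos 5, MS-KRB5 and NTLMSSP identifiers; the token bodies and client names are fabricated for illustration.

```python
import base64
from typing import Iterable, Optional

# DER-encoded OIDs (tag + length + value) as they appear inside a SPNEGO token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"  # every raw NTLM message starts with this


def _der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV with the given tag (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def build_neg_token_init(mech_oids: Iterable[bytes], mech_token: bytes) -> bytes:
    """Build a minimal SPNEGO NegTokenInit: mechTypes in preference order plus
    the optimistic mechToken for the first mechanism (RFC 4178 layout)."""
    mech_types = _der(0x30, b"".join(mech_oids))                 # SEQUENCE OF OID
    neg_token_init = _der(0x30, _der(0xA0, mech_types)           # [0] mechTypes
                          + _der(0xA2, _der(0x04, mech_token)))  # [2] mechToken
    return _der(0x60, SPNEGO_OID + _der(0xA0, neg_token_init))   # GSS InitialContextToken


def classify_authorization(header: Optional[str]) -> str:
    """Return which mechanism a client actually used in its Authorization header:
    "kerberos", "ntlm", "none", "malformed", "negotiate-other" or "unknown-scheme"."""
    if not header or not header.strip():
        return "none"
    parts = header.split(None, 1)
    scheme = parts[0].lower()
    if scheme == "ntlm":
        return "ntlm"                       # explicit NTLM scheme, no SPNEGO at all
    if scheme != "negotiate":
        return "unknown-scheme"
    if len(parts) < 2:
        return "none"                       # bare "Negotiate": a challenge, not a response
    try:
        token = base64.b64decode(parts[1].strip(), validate=True)
    except ValueError:
        return "malformed"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"                       # raw NTLMSSP carried under the Negotiate scheme
    if token[:1] != b"\x60" or SPNEGO_OID not in token[:16]:
        return "negotiate-other"
    # mechTypes precedes mechToken, so the OID found earliest is the preferred mechanism.
    found = [(token.find(oid), name) for name, oid in
             (("kerberos", MS_KRB5_OID), ("kerberos", KRB5_OID), ("ntlm", NTLMSSP_OID))]
    found = [f for f in found if f[0] >= 0]
    return min(found)[1] if found else "negotiate-other"


def ntlm_fallbacks(headers_by_client: dict) -> list:
    """Names of clients whose response to the 401 was NTLM rather than Kerberos."""
    return sorted(c for c, h in headers_by_client.items() if classify_authorization(h) == "ntlm")


# --- Constructed sample headers modelled on the two cases in the post (not real captures) ---
def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

# Stand-in for a Kerberos InitialContextToken: KRB5 OID, AP-REQ token id 0x0100, placeholder body.
_KRB_TOKEN = _der(0x60, KRB5_OID + b"\x01\x00" + b"<constructed AP-REQ placeholder>")
# Stand-in for an NTLM NEGOTIATE (type 1) message: signature, type, flags, empty domain/workstation.
_NTLM_TYPE1 = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 24

SAMPLE_HEADERS = {
    # good client: Kerberos listed first and the optimistic token is a Kerberos AP-REQ
    "good-client": "Negotiate " + _b64(build_neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], _KRB_TOKEN)),
    # bad client, variant 1: NTLM wrapped in SPNEGO with NTLMSSP as the preferred mechanism
    "bad-client-spnego": "Negotiate " + _b64(build_neg_token_init([NTLMSSP_OID, MS_KRB5_OID, KRB5_OID], _NTLM_TYPE1)),
    # bad client, variant 2: raw NTLM scheme, Negotiate never attempted
    "bad-client-raw": "NTLM " + _b64(_NTLM_TYPE1),
}

if __name__ == "__main__":
    for client, header in SAMPLE_HEADERS.items():
        print(f"{client:18s} -> {classify_authorization(header)}")
    print("NTLM fallbacks:", ntlm_fallbacks(SAMPLE_HEADERS))
```

Feed `classify_authorization` the Authorization header values pulled from a packet capture or from IIS logs (with header logging enabled) and the good and bad clients separate immediately; the mechanism the client chose is visible in the first few bytes of the token, so no credential material needs to be decoded.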
Hi Russell,

Welcome.

As for the Negotiate Authentication, at server-side, we just need to make
the IIS use integrated Windows authentication and add the "Negotiate"
header in IIS metabase:

#How to configure IIS to support both Kerberos and NTLM authentication
http://support.microsoft.com/kb/215383/

At client side, as long as the operating system meets the requirement (supports
Kerberos), like XP, 2000 or 2003, what we need to configure in IE is just
the "Enable Integrated Windows Authentication" setting you mentioned. The
following kb articles have mentioned this setting:

#Unable to negotiate Kerberos authentication after upgrading to Internet
Explorer 6
http://support.microsoft.com/kb/q299838/

#Internet Explorer Does Not Support Kerberos Authentication With Proxy
Servers
http://support.microsoft.com/kb/321728/

One of them mentioned the web proxy server scenario which may be a potential
cause. Anyway, I think this should be a client-side specific issue. You can
also try posting in some IE related newsgroup or forums to see whether any
other community members can give you any further tips.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Feb 28 '06 #2
