Kerberos

Kerberos

on 01.04.2008 23:03:49 by ck

I cannot get Kerberos to work on my web server. I have done all of Ken
Schaefer's troubleshooting techniques, still to no avail. I created a test.htm
page and when I hit it, I check the security event log and it is still using
NTLM. Any ideas why Kerberos is not running? I am ultimately trying to set
up constrained delegation to an Exchange 2007 web service. I have been
working on this for weeks and I am absolutely stumped. Does anyone have any
suggestions at this point?

Cheers,
CK

Re: Kerberos

on 02.04.2008 01:16:44 by Tiago Halm

You probably followed many of these steps (Ken must have pointed them out).
Make it work in IIS to get a sense of how it works.

1. Make sure NTAuthenticationProviders is not overridden, so that we start with
the default "Negotiate, NTLM".
Type
> cscript adsutil.vbs delete w3svc/NTAuthenticationProviders
> cscript adsutil.vbs delete w3svc/1/NTAuthenticationProviders
> cscript adsutil.vbs delete w3svc/1/ROOT/NTAuthenticationProviders

See more steps on:
http://support.microsoft.com/kb/215383
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/ea7cd846-33da-49c9-927f-d4e76d6309ac.mspx?mfr=true

2. Create an FQDN (xxx.yyy.zzz) in DNS pointing to the IIS IP address.
3. Select a website, make sure all VDirs use the same AppPool as the website,
and define the host header on port 80 with that FQDN (xxx.yyy.zzz). Specify
the port address if needed.
4. Create the SPN, using the account set up on the host header:
> setspn.exe http/xxx.yyy.zzz domain\apppoolaccount
5. Set up IIS with Integrated Windows Authentication. Force inheritance if
needed.

Open IE, make sure xxx.yyy.zzz is a local intranet site, browse a page, and look
into the security log. Filter by event 540 (not sure about this one) and
your Windows account.

The final troubleshooting stage is to enable Kerberos logging:
http://support.microsoft.com/kb/262177

Let us know the steps you took until now...

Tiago Halm


Re: Kerberos

on 02.04.2008 16:48:23 by ck

I did all the steps you mentioned and I still get:
Logon Process: NtLmSsp
Authentication Package: NTLM

Any ideas? I enabled Kerberos logging but I don't see any new entries in the
Event Log. What am I missing here? I also want to mention that this
web server is on a VM. Not sure if that makes a difference.

Thanks,

~ck



Re: Kerberos

on 02.04.2008 18:44:28 by Ken Schaefer

Can you get a packet capture between your browser and the webserver?

Cheers
Ken

--
My IIS blog: http://adopenstatic.com/blog


Re: Kerberos

on 02.04.2008 19:00:07 by ck

I would love to. Please tell me how to do that. I have installed Network
Monitor but I do not know how to properly use it. Should it be installed on
the client or on the web server? I currently have it installed on the
client. I appreciate your help, Ken. You seem to be the authoritative source.
Great blog by the way, sir.

~ck


Re: Kerberos

on 02.04.2008 19:25:47 by ck

Ultimately, Ken, I am trying to configure KCD from this web server to
another web server running the Exchange 2007 Web Service. We are having the
double-hop issue. A couple of questions for that setup. There are two client
access servers in a cluster that handle the web service requests. There is a
DNS entry for the cluster. We will call it "CASCLUSTER"; it resolves to one
IP address. It consists of CAS01 and CAS02. Do you know the proper way to
set up an SPN for this scenario? I have a service account I use on the web
server that has an SPN. The CAS boxes run under the default application pool
and use the "NETWORK SERVICE" account. The IT gods do not want to change the
application pool identities. So I guess my question is how do I set up an
SPN for the cluster that uses Network Service and not a domain service
account? All this is dependent, of course, on getting Kerberos configured on
the web server. I appreciate any help you might be able to provide. We have
been struggling with this for the last month. I have some fancy Exchange web
service code that works great on my local box, but when we tried to deploy it
to our dev environment we started finding out about the double-hop issue
and figured KCD is our best choice to resolve it. OK, enough babbling. Thanks
for hearing me out.

Cheers,
~ck


Re: Kerberos

on 02.04.2008 22:02:51 by Ken Schaefer

I think you'll find this tool a bit easier to use than the old Net Mon:
www.wireshark.org

Just select the interface you wish to monitor and then click the "Capture"
button. Then go and hit the page you want, and afterwards, stop the capture.
Save the .cap file.

Cheers
Ken


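In the capture Ken describes, the request that matters carries an Authorization: Negotiate header whose base64 value is a SPNEGO token, and that token already says whether the browser offered Kerberos or fell back to NTLM. The decoder below is an added example, not code from anyone in this thread; the sample tokens are constructed (the AP-REQ and NTLM message bodies are placeholders), and the mechanism OIDs are the standard SPNEGO/Kerberos/NTLMSSP ones.

```python
"""Decode the SPNEGO token a browser sends in 'Authorization: Negotiate'.
Constructed example: given the base64 value Wireshark shows in the HTTP
Authorization header, report which mechanism the client offered first."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {                                   # RFC 4178 / MS-SPNG mechanisms
    "1.2.840.113554.1.2.2": "Kerberos",          # RFC 1964 krb5
    "1.2.840.48018.1.2.2": "Kerberos (MS KRB5)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

def _der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + _der_len(len(value)) + value

def encode_oid(dotted):
    """DER OBJECT IDENTIFIER for a dotted OID whose first arc is 0 or 1."""
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for arc in parts[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def build_neg_token_init(mech_oids, mech_token):
    """Construct a NegTokenInit as a client would; used here to make samples."""
    mech_types = tlv(0xA0, tlv(0x30, b"".join(encode_oid(o) for o in mech_oids)))
    token = tlv(0xA2, tlv(0x04, mech_token))
    return tlv(0x60, encode_oid(SPNEGO_OID) + tlv(0xA0, tlv(0x30, mech_types + token)))

def classify_negotiate(header_value):
    """header_value: the base64 text after 'Authorization: Negotiate '."""
    raw = base64.b64decode(header_value)
    if raw.startswith(b"NTLMSSP\x00"):           # bare NTLM, no SPNEGO wrapper at all
        return {"wrapper": "none", "mechs": ["NTLMSSP"], "used": "NTLMSSP"}
    tag, body, _ = read_tlv(raw)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("outer OID is not SPNEGO")
    tag, neg, _ = read_tlv(body, pos)
    if tag != 0xA0:                              # [0] negTokenInit
        raise ValueError("expected negTokenInit")
    _, seq, _ = read_tlv(neg)
    mechs, inner, pos = [], b"", 0
    while pos < len(seq):
        ctag, cval, pos = read_tlv(seq, pos)
        if ctag == 0xA0:                         # [0] mechTypes, in preference order
            _, lst, _ = read_tlv(cval)
            p = 0
            while p < len(lst):
                _, o, p = read_tlv(lst, p)
                mechs.append(MECH_NAMES.get(decode_oid(o), decode_oid(o)))
        elif ctag == 0xA2:                       # [2] mechToken, built for mechs[0]
            _, inner, _ = read_tlv(cval)
    if inner.startswith(b"NTLMSSP\x00"):
        used = "NTLMSSP"
    else:
        used = mechs[0] if mechs else "unknown"
    return {"wrapper": "SPNEGO", "mechs": mechs, "used": used}

# Constructed samples; the AP-REQ and NTLM message bodies are labelled placeholders.
KERB_SAMPLE = base64.b64encode(build_neg_token_init(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"],
    tlv(0x60, encode_oid("1.2.840.48018.1.2.2") + b"\x01\x00" + b"<constructed AP-REQ>"),
)).decode()
NTLM_SAMPLE = base64.b64encode(build_neg_token_init(
    ["1.3.6.1.4.1.311.2.2.10"],
    b"NTLMSSP\x00\x01\x00\x00\x00" + b"<constructed NEGOTIATE_MESSAGE>",
)).decode()

if __name__ == "__main__":
    for name, sample in (("kerberos", KERB_SAMPLE), ("ntlm-fallback", NTLM_SAMPLE)):
        print(name, classify_negotiate(sample))
```

If the first mechanism, or the mechToken, is NTLMSSP, the client never obtained a ticket for the site's HTTP/<fqdn> SPN, which is the same picture the security log gives with "Logon Process: NtLmSsp"; the usual causes are the ones listed in Tiago's steps (SPN missing or registered to the wrong account, FQDN not in the intranet zone, host header not matching the SPN).
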
Re: Kerberos

on 09.04.2008 15:55:41 by ck

Well, we tried everything. We were never able to get Kerberos to work. Wow,
that was certainly fun. Oh well, what a complete waste of time. Thanks for
trying to help.

~ck


Re: Kerberos

on 10.04.2008 04:52:51 by Ken Schaefer

Well, I would suggest that you didn't "try everything", but your scenario
should work. Something isn't correct if it's not working :-)

As asked before, did you get the packet captures?

Cheers
Ken


Re: Kerberos

on 14.04.2008 23:38:18 by ck

No, I was not able to get them. I installed Wireshark but I am not sure how
to use it or, more so, how to interpret the data.
I ended up using impersonation and was able to get that to work. We still
would really like to get Kerberos working. Any suggestions? I really
appreciate your help. I don't want to abandon this, as we have put a great
deal of work into trying to make it happen.

Cheers,
ck


Re: Kerberos

on 15.04.2008 15:14:05 by tiago.halm

CK,

I read in your previous post that you want to set up Kerberos when the
AppPool account is NetworkService. When using NetworkService or
LocalService the SPN is already set for you as
HOST/machinename.company.local, where company.local is your domain name.

If you pick a normal IIS, make sure the associated AppPool identity
is NetworkService and set the host header to machinename.company.com.
Make sure "Integrated Windows Authentication" is set up and you're
ready to go. Just do not forget, on the browser, to make sure
http://machinename.company.com is part of the local intranet sites
(it's set on the Privacy tab of Internet Tools).

One final word: if needed, use setspn to view the already set up SPN
(it's set when you add the box to the domain) by typing:
# setspn.exe -L company\machinename

(remember, in this case company.local is your domain name)

Again, as I said before, it would be interesting if you could set up
Kerberos on a normal box and go from there to the more advanced
scenarios. Setting up Kerberos is simple, viewing the Kerberos packets
is also simple (using either Network Monitor or Wireshark), and, above
that, the Security Log helps to view what is going on.

Tiago Halm

Re: Kerberos

on 18.04.2008 18:38:32 by Ken Schaefer

Hi,

It seems that you have most of the bits in place. However, for some reason,
something is misconfigured, hence it's not working.

Enabling Kerberos logging on all the servers in question (which will give us
what the servers think they are seeing), as well as getting packet captures
of what is going onto the wire, will help us narrow down the problem.

I have all the necessary configuration steps up on my blog - I know that
configuration works (because I've set it up many times :-)), so there's
probably just one little thing missing or not set correctly in your
environment and we just need to work out what it is.

Cheers
Ken

"CK" wrote in message
news:e9QMj.1200$FF6.7@newssvr29.news.prodigy.net...
> No I was not able to get them. I installed WireShark but I am not sure how
> to use or moreso how to interpret the data.
> I ended up using impersonation and was able to get that to work. We still
> would really like to get Kerberos working. Any suggestions? I really
> appreciate your help. I don't want to abandon this as we have put a great
> deal of work into trying to make it happen.
>
> Cheers,
> ck
>
>
> "Ken Schaefer" wrote in message
> news:A4E4FA4A-6B5B-45B6-9FEF-3780E5B16EAF@microsoft.com...
>> Well, I would suggest that you didn't "try everything", but your scenario
>> should work. Something isn't correct if it's not working :-)
>>
>> As asked before, did you get the packet captures?
>>
>> Cheers
>> Ken
>>
>> "CK" wrote in message
>> news:vT3Lj.1044$%41.985@nlpi064.nbdc.sbc.com...
>>> Well we tried everything. We were never able to get Kerberos to work.
>>> Wow that was certainly fun. Oh well what a complete waste of time.
>>> Thanks for trying to help.
>>>
>>> ~ck
>>>
>>> "Ken Schaefer" wrote in message
>>> news:ulxOUDOlIHA.3888@TK2MSFTNGP03.phx.gbl...
>>>> Can you get a packet capture between your browser and the webserver?
>>>>
>>>> Cheers
>>>> Ken
>>>>
>>>> --
>>>> My IIS blog: http://adopenstatic.com/blog
>>>>
>>>> "CK" wrote in message
>>>> news:i%MIj.11612$qS5.2465@nlpi069.nbdc.sbc.com...
>>>>>I did all the steps you mentioned and I still get
>>>>> Logon Process: NtLmSsp
>>>>>
>>>>> Authentication Package: NTLM
>>>>>
>>>>> Any ideas? I enable Kerberos logging but I don't see any new entries
>>>>> in the Event Log. What am I missing here? I also want to mention that
>>>>> this webserver is on a VM. Not sure if that makes a difference.
>>>>>
>>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>> ~ck
>>>>>
>>>>>
>>>>> "Tiago Halm" wrote in message
>>>>> news:OOeG25ElIHA.3400@TK2MSFTNGP03.phx.gbl...
>>>>>> You probably followed much of these steps (Ken must have pointed
>>>>>> them). Make it work in IIS to get a sense on how it works
>>>>>>
>>>>>> 1. make sure NTAuthenticationProviders is not overridden so we start
>>>>>> with the default "Negotiate, NTLM".
>>>>>> type
>>>>>>> cscript adsutil.vbs delete w3svc/NTAuthenticationProviders
>>>>>>> cscript adsutil.vbs delete w3svc/1/NTAuthenticationProviders
>>>>>>> cscript adsutil.vbs delete w3svc/1/ROOT/NTAuthenticationProviders
>>>>>>
>>>>>> See more steps on:
>>>>>> http://support.microsoft.com/kb/215383
>>>>>> http://www.microsoft.com/technet/prodtechnol/WindowsServer20 03/Library/IIS/ea7cd846-33da-49c9-927f-d4e76d6309ac.mspx?mfr =true
>>>>>>
>>>>>> 2. Create an FQDN (xxx.yyy.zzz) in DNS pointing to IIS ip address
>>>>>> 3. Select a WebSite, make sure all VDirs use the same AppPool as the
>>>>>> WebSite and define the Host Header on port 80 with that FQDN
>>>>>> (xxx.yyy.zzz). Specify the port address if needed.
>>>>>> 4. create the SPN, by using the account setup on the hostheader
>>>>>>> setspn.exe http/xxx.yyy.zzz domain\apppoolaccount
>>>>>> 5. Setup IIS with Integrated Windows Authentication. Force
>>>>>> inheritance if needed.
>>>>>>
>>>>>> Open IE, make sure xxx.yyy.zzz is a local intranet site, browse a
>>>>>> page, look into the security log. Filter by 540 event (not sure about
>>>>>> this one) and your windows account.
>>>>>>
>>>>>> Final t-shoot stage is to enable kerberos logging:
>>>>>> http://support.microsoft.com/kb/262177
>>>>>>
>>>>>> let us know the steps you took until now ...
>>>>>>
>>>>>> Tiago Halm
>>>>>>
>>>>>> "CK" wrote in message
>>>>>> news:1pxIj.378$ch4.135@nlpi064.nbdc.sbc.com...
>>>>>>> I cannot get Kerberos to work on my web server. I have done all of
>>>>>>> Ken Schaefer's troubleshooting techniques, still to no avail. I created
>>>>>>> a test.htm page and when I hit it, I check the security event log and
>>>>>>> it is still using NTLM. Any ideas why Kerberos is not running? I am
>>>>>>> ultimately trying to set up constrained delegation to an Exchange
>>>>>>> 2007 web service. I have been working on this for weeks and I am
>>>>>>> absolutely stumped. Does anyone have any suggestions at this point?
>>>>>>>
>>>>>>> Cheers,
>>>>>>> CK
>>>>>>>