NTLM and Kerberos

on 21.02.2006 01:48:42 by joe

I have a website using Windows Authentication and Delegation to access a
backend SQL Server.

Everything works when I am on the LAN. When I try to access the website
from home I get the Login failed for User NULL...

I am using the same name to access when I am on the LAN as when I am at home
and it resolves to the same IP address.
http://server.domain.com
I have put this into my trusted sites in IE (I have also tried Local
Intranet).
I can see in the event log on the web server that when I am at home it is
using NTLM authentication whereas when I am on the network it is using
Kerberos.
I added the SPN for the FQDN with this:
setspn -A http/sever.domain.com NtDomain\ServerName
(not sure if that is required)
IIS is running under the local system account
I have delegation set to Trust this computer for delegation to any service
(Kerberos only)
The server is Windows 2003
IIS Security is set up for Integrated Windows Authentication


The only differences that I can think of are (1) my computer at home is not
a member of the domain and (2) I only have port 80 open when I am at home.

Anyone know how to get this to work?

Re: NTLM and Kerberos

on 21.02.2006 01:58:24 by joe

As a follow up...

I downloaded the Wfetch utility. When I ran this and forced the Kerberos
Authentication I got an error:
0x80090311 (No authority could be contacted for authentication.): Unable to
InitializeSecurityContext

Leads me to believe that Kerberos needs to talk to the AD controller to get
the ticket???
What would I have to open up to make this happen and where would I tell IE
to be able to find my domain controller?


Re: NTLM and Kerberos

on 21.02.2006 02:09:31 by Ken Schaefer

Hi,

a) Kerberos requires the user to obtain a Kerberos Service Ticket for the
remote service (namely IIS). This is obtained from the KDC (Key Distribution
Centre). The KDC is hosted on Windows Domain Controllers. So, you'd need to
be able to contact a DC.

b) IIRC, you'd need to open port 88. Additionally, your client at home would
need to locate the DC in the first place via the msadc forward lookup zone
hosted on your internal network's DNS servers.

c) Because of the restrictions required to get Kerberos working, IE doesn't
even attempt Kerberos authentication for sites in the Internet zone.

d) A much more secure way of doing this (if you really want to use Kerberos)
would be to VPN into your network from home, and then access the
server the same way you do at the office.

Cheers
Ken


Re: NTLM and Kerberos

on 21.02.2006 02:31:16 by joe

Thanks for your quick response!

I would have to open port 88 to my Domain Controller?
How would IE know which server is the Domain Controller (my home computer is
not on the domain) - I get the msadc DNS lookup, I am going to
server.domain.com where my domain is NTDomain.local - my domain controller
does not know anything about domain.com.


Re: NTLM and Kerberos

on 21.02.2006 05:20:46 by Ken Schaefer

You would need to open that port on your firewall.

And you would need to point your home computer at a DNS server that knows
about your work domain (i.e. your work DNS servers that contain the msadc
forward lookup zone for yourWorkDomain.local).

As you can see, there are a few difficulties doing this over the internet.
Hence my suggestion of using a VPN to connect into the work network, and
your VPN connection would pick up the necessary settings. Windows Server has
RRAS (Routing and Remote Access Server) which can act as a VPN endpoint if
you don't have a physical device that supports VPN.

Cheers
Ken
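A client-side check of the two prerequisites Ken describes (locate a KDC through the domain's DNS zone, then reach TCP/88 on it), written as an added example for this page rather than taken from the thread. The SRV record name `_kerberos._tcp.dc._msdcs.<domain>` is the one Windows clients query for a KDC; the domain name and the `dig +short` output are constructed, and the hosts it lists do not exist.

```python
"""Check the Kerberos prerequisites from the thread on a non-domain client:
(1) can a KDC be found through the domain's _msdcs DNS zone, and
(2) is TCP/88 on that KDC reachable from here.
Constructed example; ntdomain.local and the dig output below are made up."""
import re
import socket
from typing import List, Tuple

# SRV record Windows clients use to locate a KDC (real record name).
KDC_SRV_TEMPLATE = "_kerberos._tcp.dc._msdcs.{domain}"

# Constructed stand-in for: dig +short SRV _kerberos._tcp.dc._msdcs.ntdomain.local
SAMPLE_DIG_OUTPUT = """\
0 50 88 dc2.ntdomain.local.
0 100 88 dc1.ntdomain.local.
10 50 88 dc-backup.ntdomain.local.
"""


def kdc_srv_name(domain: str) -> str:
    """Name the client must be able to resolve; with no DNS server that hosts
    the zone, this lookup fails and Kerberos is never attempted."""
    return KDC_SRV_TEMPLATE.format(domain=domain.rstrip("."))


def parse_srv(dig_short_output: str) -> List[Tuple[int, int, str, int]]:
    """Parse `dig +short` SRV lines into (priority, weight, host, port),
    ordered lowest priority first and highest weight first within a priority."""
    records = []
    for line in dig_short_output.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?\s*$", line)
        if m:
            prio, weight, port, host = m.groups()
            records.append((int(prio), int(weight), host, int(port)))
    return sorted(records, key=lambda r: (r[0], -r[1]))


def kdc_reachable(host: str, port: int = 88, timeout: float = 3.0) -> bool:
    """TCP connect to the KDC port. A blocked or unreachable port is the
    condition behind 0x80090311 (no authority could be contacted) that WFetch
    reported: no service ticket, so Negotiate falls back to NTLM."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    print("lookup needed:", kdc_srv_name("ntdomain.local"))
    for prio, weight, host, port in parse_srv(SAMPLE_DIG_OUTPUT):
        print(f"KDC {host}:{port} (prio {prio}) reachable:", kdc_reachable(host, port))
```

Run from the home machine, a failed lookup points at the DNS problem Ken raises and a failed connect at the firewall rule for port 88.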
