IIS Network authentication using "Negotiate,NTLM"

on 28.08.2007 21:22:03 by walid

Hello:
I hope someone here can help me with this situation:

I have a website set up in IIS6.0 on a Windows Server 2003 SP2. The website
has its home directory located in a network share. A user account is
specified in the network directory security credentials via the "connect as"
tab. This user account has full access to the share. "Anonymous access" is
disabled for this site and "Integrated Windows Authentication" is
checked/enabled. I can see all the files when I click on the website.
However, when the "NTAuthenticationProviders" is set to "Negotiate,NTLM", I
get prompted for a user name and password when I browse the site from within
IIS or any other machine. When I set "NTAuthenticationProviders" to "NTLM"
only, then I can browse the site. I would like to use "Negotiate,NTLM" to
take advantage of Kerberos protocol. Can anyone please help?!!

Many thanks!

Walid

Re: IIS Network authentication using "Negotiate,NTLM"

on 29.08.2007 04:47:08 by Steve Schofield

Here are a couple of articles that discuss this in-depth. The MS article covers
this very in-depth.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx

My article is just my personal experience.
http://www.iislogs.com/articles/23/

--

Best regards,

Steve Schofield
Windows Server MVP - IIS
http://weblogs.asp.net/steveschofield

Re: IIS Network authentication using "Negotiate,NTLM"

on 29.08.2007 16:04:08 by walid

Steve,
Thanks for responding!
I believe my site is set up according to your article with the exception that
I am using AD domain user accounts. "Authenticated users" have full control
on the remote share. The issue I have is that when I use "Integrated
Authentication", I get prompted for a username and password while browsing
the site. The only way I get around this is if I force the
"NTAuthenticationProviders" to "NTLM" as opposed to "NTLM,Negotiate" using
the following command:

cscript adsutil.vbs set /site/siteID/NTAuthenticationProviders NTLM

Do you see anything incorrect in my site configuration or maybe this is an
SP2 issue???

Your help is much appreciated!!

Walid

Re: IIS Network authentication using "Negotiate,NTLM"

on 29.08.2007 23:38:02 by Steve Schofield

It sounds like you are running into the double hop rule. Try unchecking
windows authenticated and try basic. See if you get it to work. One
workaround is to fill-in the 'connect as' on the website so your request is
sent as other credentials.

Search for Double Hop Issue, this will provide some good information. Here
is one blog that discusses this.

http://blogs.msdn.com/mjeelani/archive/2004/12/07/275921.aspx

--

Best regards,

Steve Schofield
Windows Server MVP - IIS
http://weblogs.asp.net/steveschofield

http://www.IISLogs.com
Log archival solution.
Install, Configure, Forget

Re: IIS Network authentication using "Negotiate,NTLM"

on 30.08.2007 17:14:01 by walid

It is very bizarre, Steve, but I did something and now it works. If I could
explain why it now works I would feel much better. Maybe you can explain why
:-) But here is what I did:

(By the way, the "connect as" is filled for a specific user. And the NTFS
permission for the remote share has the "Everyone" group full control)
So, when I forced NTAuthenticationProviders to "NTLM" only, it worked. But
then when I set it back to "NTLM,Negotiate", it wouldn't work. What I then
did was, even though the "everyone" group has full control on the remote
share, I gave the "connect as" user explicit RX permission on that share.
Now, when I set the NTAuthenticationProvider back to "NTLM,Negotiate", the
site worked. I then removed the "connect as" user from the NTFS permissions
and left only the "everyone" group. My site still works. I don't get it. I
hope you have an explanation for this.

Also, how would I know if Kerberos is used for authentication? If the
NTAuthenticationProvider is set to NTLM,Negotiate, how can I tell if Kerberos
is being used?

Thank-you very much for your time.

Walid

Re: IIS Network authentication using "Negotiate,NTLM"

on 02.09.2007 08:53:23 by Steve Schofield

Regarding your permissions, it appears the application pool or process could
have gotten the credentials cached. Did you try recycling the application
pool after each change to see if the permissions issue cropped up again?

Kerberos read, this might help.
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/19/512.aspx

--

Steve Schofield
Windows Server MVP - IIS
http://weblogs.asp.net/steveschofield
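
Added example, not part of the original thread and not code from any poster: one way to answer the "how can I tell if Kerberos is being used" question is to take the first `Authorization` header the browser sends (from an HTTP trace on the client) and inspect the token. The function and constant names below are assumptions made for this sketch; it classifies the initial token only, not later rounds of the handshake.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
MECH_OIDS = {                                              # DER: tag 0x06, length, value
    bytes.fromhex("06092a864886f712010202"): "Kerberos",   # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"): "Kerberos",   # 1.2.840.48018.1.2.2 (legacy Microsoft OID)
    bytes.fromhex("060a2b06010401823702020a"): "NTLM",     # 1.3.6.1.4.1.311.2.2.10
}

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def classify_authorization(value):
    """Classify the value of an HTTP Authorization header sent by the browser."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "not integrated auth"
    try:
        tok = base64.b64decode(blob.strip(), validate=True)
        if tok.startswith(NTLMSSP_SIG):     # raw NTLMSSP, even under the Negotiate scheme
            return "NTLM"
        tag, pos, _ = read_tlv(tok, 0)
        if tag != 0x60:                     # GSS-API InitialContextToken
            return "unknown"
        _, _, oid_end = read_tlv(tok, pos)
        this_mech = tok[pos:oid_end]
        if this_mech != SPNEGO_OID:         # a bare Kerberos AP-REQ carries the Kerberos OID here
            return MECH_OIDS.get(this_mech, "unknown")
        pos = oid_end                       # NegTokenInit: [0] SEQUENCE { [0] SEQUENCE OF OID ...
        for expected in (0xA0, 0x30, 0xA0, 0x30):
            tag, pos, _ = read_tlv(tok, pos)
            if tag != expected:
                return "unknown"
        _, _, first_end = read_tlv(tok, pos)   # first mechType = mechanism the client preferred
        return MECH_OIDS.get(tok[pos:first_end], "unknown")
    except (ValueError, IndexError):
        return "unparseable"

if __name__ == "__main__":
    # Constructed sample: the start of an NTLM type 1 message, not captured traffic.
    sample = "Negotiate " + base64.b64encode(NTLMSSP_SIG + b"\x01\x00\x00\x00").decode()
    print(classify_authorization(sample))
```

A result of "NTLM" while the provider list includes Negotiate means the client fell back, which is the case to investigate when the goal is Kerberos.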

