Unable to Login to SharePoint 2007 using IE7 with Kerberos

We have a client that uses IE7 and Windows XP on all their workstations.  We are developing an application for them based on SharePoint.  Due to the architecture of the solution, Kerberos constrained delegation is required for authentication.

I have created a site collection and extended it to a website with the following security configuration:

Security Configuration
From the SharePoint server itself (W2K8R1 with IE8), I can access the site just fine.  However, when I try to access it via FQDN using IE7 from a client workstation, I get prompted three times for my user account and then I get this:

Unauthorized Message Received on Client Running IE7
And at the same time, the server logs the following to the event log:

Event Log Error
The crazy thing about all of this is that if I run this same test from Firefox, I login just fine.  However, from looking at the event log, it appears that Firefox is using NTLM and not Kerberos.

This whole thing has me banging my head against the wall.  To my knowledge, I have all of the necessary SPNs created, but I suppose I could have missed one.  I would give away 10,000 points for this one if I could, please help!

Thanks in advance.
ged125Asked:
jessc7Commented:
Create a new web site in IIS, set the authentication to Kerberos, use the same app pool, and deploy this utility web app to it:

http://www.iis.net/community/default.aspx?tabid=34&g=6&i=1887

Then walk through the wizard interface to see what might be set up incorrectly. It's a very helpful tool!
0
ged125Author Commented:
This says it's for IIS 6.0 and 7.0, the test box that I have access to tonight is IIS 7.5.   Do you know if it is supported?
0
Leandro IaconoSenior Premier Field EngineerCommented:
Does this happen with every single user in the domain or is it just this one user?
I would try a utility like KerbTray to identify the Kerberos ticket you get issued by the KDC in your environment. If you don't get issued a ticket, you can't authenticate to IIS because IIS is expecting a Kerberos ticket. KerbTray will give you an idea of what you get.
As for Firefox, NTLM will work because you probably don't have problems with contacting a DC - the issue is probably related to your KDC, the Kerberos ticket being issued, your SPN setup and/or other related issues with Kerberos.
You want to make sure you setup kerberos correctly: http://technet.microsoft.com/en-us/library/cc263449(office.12).aspx
0

jessc7Commented:
Yes, DelegConfig should run fine under IIS7.5.
0
ged125Author Commented:
UICE - Every user

Jessc7 - trying your suggestion this morning.
0
ged125Author Commented:
Jessc7 - I deployed the utility web app that you suggested using the same application pool.  When I try to browse to the default.aspx file I get the following exception:

Exception
0
jessc7Commented:
I haven't encountered that error before, but you might have a look at this post:

http://dbvt.com/blog/post/AspNetHostingPermission-Security-Exception-Fix-with-Ajax-in-IIS7.aspx

Also, here is a post on using DelegConfig:

http://blogs.iis.net/bretb/archive/2008/03/27/How-to-Use-DelegConfig.aspx
0
ged125Author Commented:
We are soooo close!   I am now able to run the wizard, but when it completes it's stuck at "Please Wait" and I get the following script error when I click on the warning icon on the bottom left.

Script Error
0
jessc7Commented:
Try resetting the IE settings (Internet Options -> Advanced -> Reset) and check the issue again.

You are using a web browser from one of the XP workstations, correct?
0
Leandro IaconoSenior Premier Field EngineerCommented:
Not to go against jessc7, who has awesome tools and comments, but a separate tool to configure Kerberos shouldn't be required to set up Kerberos. You just need to make sure you set up your SPNs correctly. Once your SPNs are set up correctly your end users should be able to get tickets from your KDC server and authenticate into SharePoint.

The error message you are getting in your event log seems to be related to the fact that your users aren't getting good tickets from your KDC server, probably because you are missing SPNs.
0
jessc7Commented:
Yes, DelegConfig is just a utility (an excellent one) to assist in determining if your SPNs are set up correctly, if trust delegation is set up correctly, and if the web browser is attempting to make an appropriate connection, among other things.

It's not needed, but it is definitely helpful.
0
ged125Author Commented:
I ended up opening a Support Incident with Microsoft PSS.  I had the correct SPNs; they had me add the following to the ApplicationHost.config file:

<location path="Default Website">
    <system.webServer>
        <security>
            <authentication>
                <!-- useKernelMode="true" is the IIS 7 default; on its own it decrypts Kerberos tickets
                     with the machine account. useAppPoolCredentials="true" makes kernel mode use the
                     application pool identity instead, which is the account the HTTP SPN is registered to. -->
                <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
                    <providers>
                        <clear />
                        <add value="Negotiate" />
                        <add value="NTLM" />
                    </providers>
                </windowsAuthentication>
                <anonymousAuthentication enabled="false" />
                <digestAuthentication enabled="false" />
                <basicAuthentication enabled="false" />
            </authentication>
        </security>
    </system.webServer>
</location>


That fixed the problem.
0
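The thread ends with the fix but not the reason it works, and Leandro Iacono's comment above is right that the SPN check comes first. Both conditions are worth verifying in one pass: IIS 7.x kernel-mode Windows authentication decrypts Kerberos tickets with the machine account unless useAppPoolCredentials is set, so when the HTTP SPN for the site's FQDN is registered on a domain account that runs the application pool, the client's ticket is encrypted for one principal and decrypted with another, Kerberos fails, IE re-prompts, and browsers that fall back to NTLM (Firefox here) get in. The script below is an added diagnostic, not part of the original thread or of any Microsoft tool; it assumes IIS 7.5 with the WebAdministration module (on IIS 7.0 load the WebAdministration snap-in instead), the setspn tool on the path, an extended SharePoint site named "Default Web Site", and a placeholder FQDN of portal.corp.example. It reports the app pool identity, the SPN registration and duplicates, and the site's Windows auth settings, and only applies the useAppPoolCredentials change when it finds the mismatch described above.

```powershell
# Added diagnostic (not from the original thread). Assumes IIS 7.x with the
# WebAdministration module, setspn.exe on the path, and a site named "Default Web Site".
# Run from an elevated PowerShell prompt on the SharePoint web front end.
Import-Module WebAdministration   # IIS 7.0: Add-PSSnapin WebAdministration

$siteName = 'Default Web Site'     # assumption: the extended SharePoint web site
$siteFqdn = 'portal.corp.example'  # assumption: the host name users type into the browser
$filter   = 'system.webServer/security/authentication/windowsAuthentication'

# 1. Which identity runs the application pool? Kernel-mode auth decrypts tickets with
#    the machine account by default, so a domain ("SpecificUser") identity is the case to watch.
$site     = Get-Item "IIS:\Sites\$siteName"
$pool     = Get-Item "IIS:\AppPools\$($site.applicationPool)"
$identity = $pool.processModel.identityType
$poolUser = $pool.processModel.userName
Write-Host "App pool '$($site.applicationPool)' runs as $identity $poolUser"

# 2. The HTTP SPN for the FQDN must exist exactly once, on the account that will
#    decrypt the ticket. setspn -Q searches the whole forest; setspn -X lists duplicates.
$spn   = "HTTP/$siteFqdn"
$query = & setspn -Q $spn 2>&1
if ($query -match 'No such SPN found') {
    Write-Warning "$spn is not registered on any account; clients will fall back to NTLM or fail."
} else {
    Write-Host "Accounts holding ${spn}:"
    $query | Where-Object { $_ -match '^\s*CN=' }
}
$dups = & setspn -X 2>&1 | Select-String -Pattern $spn -SimpleMatch
if ($dups) {
    Write-Warning "$spn is registered on more than one account; the KDC can issue a ticket the server cannot decrypt."
}

# 3. Read the site's effective Windows authentication settings at the site location.
$winAuth = Get-WebConfiguration -Filter $filter -PSPath 'IIS:\' -Location $siteName
Write-Host ("enabled={0} useKernelMode={1} useAppPoolCredentials={2}" -f `
    $winAuth.enabled, $winAuth.useKernelMode, $winAuth.useAppPoolCredentials)

# 4. The mismatch from the thread: kernel mode on, a domain account running the pool
#    (and holding the SPN), but useAppPoolCredentials off. Apply the PSS fix only then.
if ($winAuth.useKernelMode -and $identity -eq 'SpecificUser' -and -not $winAuth.useAppPoolCredentials) {
    Write-Warning "Kernel-mode auth is using the machine account key; enabling useAppPoolCredentials for $siteName."
    Set-WebConfigurationProperty -Filter $filter -Name useAppPoolCredentials -Value $true `
        -PSPath 'IIS:\' -Location $siteName
    Set-WebConfigurationProperty -Filter $filter -Name useKernelMode -Value $true `
        -PSPath 'IIS:\' -Location $siteName
    Write-Host "Done. Purge client tickets (klist purge on Vista/2008, KerbTray on XP) and retest with IE."
}
```

Two caveats a practitioner will hit: a client that was already prompted three times has cached the failure, so purge its tickets before retesting; and if step 2 shows the SPN on the machine account rather than the pool account, the right fix is moving the SPN (setspn -D then setspn -S), not turning on useAppPoolCredentials, which would make the server try the wrong key in the other direction.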
ged125Author Commented:
Issue was ultimately solved by Microsoft PSS
0