• Status: Solved

Unable to Login to SharePoint 2007 using IE7 with Kerberos

We have a client that uses IE7 and Windows XP on all their workstations.  We are developing an application for them based on SharePoint.  Due to the architecture of the solution, Kerberos constrained delegation is required for authentication.

I have created a site collection and extended it to a website with the following security configuration:

Security Configuration
From the SharePoint server itself (W2K8R1 with IE8), I can access the site just fine.  However, when I try to access it via FQDN using IE7 from a client workstation, I get prompted three times for my user account and then I get this:

Unauthorized Message Received on Client Running IE7
And at the same time, the server logs the following to the event log:

Event Log Error
The crazy thing about all of this is that if I run this same test from Firefox, I login just fine.  However, from looking at the event log, it appears that Firefox is using NTLM and not Kerberos.

This whole thing has me banging my head against the wall.  To my knowledge, I have all of the necessary SPNs created, but I suppose I could have missed one.  I would give away 10,000 points for this one if I could, please help!

Thanks in advance.
1 Solution
 
jessc7 commented:
Create a new web site in IIS, set the authentication to Kerberos, use the same app pool, and deploy this utility web app to it:

http://www.iis.net/community/default.aspx?tabid=34&g=6&i=1887

Then walk through the wizard interface to see what might be set up incorrectly. It's a very helpful tool!

ged125 (Author) commented:
This says it's for IIS 6.0 and 7.0; the test box that I have access to tonight is IIS 7.5.   Do you know if it is supported?

Leandro Iacono (Senior Premier Field Engineer) commented:
Does this happen with every single user in the domain, or is it just this one user?
I would try a utility like KerbTray to identify the Kerberos ticket you get issued by the KDC in your environment. If you don't get issued a ticket, you can't authenticate to IIS, because IIS is expecting a Kerberos ticket. KerbTray will give you an idea of what you get.
As for Firefox, NTLM will work because you probably don't have problems contacting a DC; the issue is probably related to your KDC, the Kerberos ticket being issued, your SPN setup and/or other related issues with Kerberos.
You want to make sure you set up Kerberos correctly: http://technet.microsoft.com/en-us/library/cc263449(office.12).aspx

jessc7 commented:
Yes, DelegConfig should run fine under IIS7.5.

ged125 (Author) commented:
UICE - Every user

Jessc7 - trying your suggestion this morning.

ged125 (Author) commented:
Jessc7 - I deployed the utility web app that you suggested using the same application pool.  When I try to browse to the default.aspx file I get the following exception:

Exception

jessc7 commented:
I haven't encountered that error before, but you might have a look at this post:

http://dbvt.com/blog/post/AspNetHostingPermission-Security-Exception-Fix-with-Ajax-in-IIS7.aspx

Also, here is a post on using DelegConfig:

http://blogs.iis.net/bretb/archive/2008/03/27/How-to-Use-DelegConfig.aspx

ged125 (Author) commented:
We are soooo close!   I am now able to run the wizard, but when it completes it's stuck at "Please Wait" and I get the following script error when I click on the warning icon on the bottom left.

Script Error

jessc7 commented:
Try resetting the IE settings (Internet Options -> Advanced -> Reset) and check the issue again.

You are using a web browser from one of the XP workstations, correct?

Leandro Iacono (Senior Premier Field Engineer) commented:
Not to go against jessc7, who has awesome tools and comments, but a separate tool to configure Kerberos shouldn't be required to set up Kerberos. You just need to make sure you set up your SPNs correctly. Once your SPNs are set up correctly, your end users should be able to get tickets from your KDC server and authenticate into SharePoint.

The error message you are getting in your event log seems to be related to the fact that your users aren't getting good tickets from your KDC server, probably because you are missing SPNs.

jessc7 commented:
Yes, DelegConfig is just a utility (an excellent one) to assist in determining if your SPNs are set up correctly, if trust delegation is set up correctly, and if the web browser is attempting to make an appropriate connection, among other things.

It's not needed, but it is definitely helpful.

ged125 (Author) commented:
I ended up opening a Support Incident with Microsoft PSS.  I had the correct SPNs; they had me add the following to the ApplicationHost.config file:

<location path="Default Website">
    <system.webServer>
        <security>
            <authentication>
                <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
                    <providers>
                        <clear />
                        <add value="Negotiate" />
                        <add value="NTLM" />
                    </providers>
                </windowsAuthentication>
                <anonymousAuthentication enabled="false" />
                <digestAuthentication enabled="false" />
                <basicAuthentication enabled="false" />
            </authentication>
        </security>
    </system.webServer>
</location>

That fixed the problem.
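As an added example (not code from the thread, Microsoft or DelegConfig), the following audits an applicationHost.config fragment for the settings in the fix above: with useKernelMode on, IIS decrypts Kerberos tickets with the machine account, so a site whose HTTP SPN is registered to a domain app-pool account also needs useAppPoolCredentials, and Negotiate must be listed before NTLM or the browser never offers Kerberos. Both config fragments and the helper `audit_windows_auth` are constructed for this example.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed applicationHost.config skeleton; only the authentication section matters here.
TEMPLATE = """<configuration><location path="Default Website"><system.webServer><security>
<authentication>
  <windowsAuthentication enabled="true" useKernelMode="true"{extra}>
    <providers><clear />{providers}</providers>
  </windowsAuthentication>
  <anonymousAuthentication enabled="{anon}" />
</authentication></security></system.webServer></location></configuration>"""

# Constructed 'before' state: kernel-mode auth with machine-account creds, NTLM first, anonymous on.
BROKEN_CONFIG = TEMPLATE.format(extra="", providers='<add value="NTLM" /><add value="Negotiate" />', anon="true")
# The corrected state from the thread: app-pool credentials, Negotiate first, anonymous off.
FIXED_CONFIG = TEMPLATE.format(extra=' useAppPoolCredentials="true"', providers='<add value="Negotiate" /><add value="NTLM" />', anon="false")

def audit_windows_auth(config_xml: str, app_pool_is_domain_account: bool) -> List[str]:
    """Return one finding per Kerberos-relevant misconfiguration in each <location>."""
    findings = []
    root = ET.fromstring(config_xml)
    for loc in root.iter("location"):
        path = loc.get("path", "<server>")
        wa = loc.find("./system.webServer/security/authentication/windowsAuthentication")
        if wa is None or wa.get("enabled", "false").lower() != "true":
            findings.append(f"{path}: Windows authentication not enabled")
            continue
        kernel = wa.get("useKernelMode", "true").lower() == "true"        # IIS 7 default: true
        pool_creds = wa.get("useAppPoolCredentials", "false").lower() == "true"  # default: false
        # Kernel-mode auth decrypts tickets with the machine account; when the SPN
        # belongs to the app-pool identity the ticket cannot be decrypted unless
        # useAppPoolCredentials is also true, which is what the PSS fix adds.
        if kernel and app_pool_is_domain_account and not pool_creds:
            findings.append(f"{path}: useKernelMode=true without useAppPoolCredentials=true")
        providers = [p.get("value") for p in wa.findall("./providers/add")]
        if "Negotiate" not in providers:
            findings.append(f"{path}: Negotiate provider missing, Kerberos impossible")
        elif providers.index("Negotiate") != 0:
            findings.append(f"{path}: Negotiate is not the first provider, client will pick NTLM")
        anon = loc.find("./system.webServer/security/authentication/anonymousAuthentication")
        if anon is not None and anon.get("enabled", "false").lower() == "true":
            findings.append(f"{path}: anonymous authentication still enabled")
    return findings
```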

ged125 (Author) commented:
Issue was ultimately solved by Microsoft PSS