ged125
Unable to Login to SharePoint 2007 using IE7 with Kerberos
We have a client that uses IE7 and Windows XP on all their workstations. We are developing an application for them based on SharePoint. Due to the architecture of the solution, Kerberos constrained delegation is required for authentication.
I have created a site collection and extended it to a website with the following security configuration:
From the SharePoint server itself (W2K8R1 with IE8), I can access the site just fine. However, when I try to access it via FQDN using IE7 from a client workstation, I get prompted three times for my user account and then I get this:
And at the same time, the server logs the following to the event log:
The crazy thing about all of this is that if I run this same test from Firefox, I log in just fine. However, from looking at the event log, it appears that Firefox is using NTLM and not Kerberos.
This whole thing has me banging my head against the wall. To my knowledge, I have all of the necessary SPNs created, but I suppose I could have missed one. I would give away 10,000 points for this one if I could, please help!
Thanks in advance.
ASKER
This says it's for IIS 6.0 and 7.0, the test box that I have access to tonight is IIS 7.5. Do you know if it is supported?
Does this happen with every single user in the domain or is it just this one user?
I would try a utility like KerbTray to identify the Kerberos ticket you get issued by the KDC in your environment. If you don't get issued a ticket, you can't authenticate to IIS because IIS is expecting a Kerberos ticket. KerbTray will give you an idea of what you get.
As for Firefox, NTLM will work because you probably don't have problems with contacting a DC - the issue is probably related to your KDC, the Kerberos ticket being issued, your SPN setup and/or other related issue with Kerberos.
You want to make sure you set up Kerberos correctly: http://technet.microsoft.com/en-us/library/cc263449(office.12).aspx
Yes, DelegConfig should run fine under IIS7.5.
ASKER
UICE - Every user
Jessc7 - trying your suggestion this morning.
ASKER
I haven't encountered that error before, but you might have a look at this post:
http://dbvt.com/blog/post/AspNetHostingPermission-Security-Exception-Fix-with-Ajax-in-IIS7.aspx
Also, here is a post on using DelegConfig:
http://blogs.iis.net/bretb/archive/2008/03/27/How-to-Use-DelegConfig.aspx
ASKER
Try resetting the IE settings (Internet Options -> Advanced -> Reset) and check the issue again.
You are using a web browser from one of the XP workstations, correct?
Not to go against jessc7, who has awesome tools and comments, but a separate tool to configure Kerberos shouldn't be required to set up Kerberos. You just need to make sure you set up your SPNs correctly. Once your SPNs are set up correctly, your end users should be able to get tickets from your KDC server and authenticate into SharePoint.
The error message you are getting in your event log seems to be related to the fact that your users aren't getting good tickets from your KDC server, probably because you are missing SPNs.
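One way to check the SPN registrations discussed in the comment above, as an added example that is not part of the original thread: it looks up which Active Directory accounts hold the HTTP SPN for each host name of the site and flags SPNs that are missing, duplicated, or registered to an account other than the application pool identity. The function name, host names and account name are hypothetical placeholders, and it assumes a domain-joined machine and a user who can read Active Directory.

```powershell
# Added example (hypothetical helper, not from the thread).
# Reports which AD accounts hold the HTTP SPN for each host name of a site.
function Get-HttpSpnStatus {
    param(
        [Parameter(Mandatory = $true)][string[]]$HostName,      # FQDN and short name of the site
        [Parameter(Mandatory = $true)][string]$ExpectedAccount  # sAMAccountName of the app pool identity
    )
    foreach ($name in $HostName) {
        $spn = "HTTP/$name"
        # Exact match only: an SPN registered with a port (HTTP/host:port) is a
        # different value and has to be checked as its own host name entry.
        $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
        $searcher.PageSize = 500
        [void]$searcher.PropertiesToLoad.Add('samaccountname')

        $owners = @($searcher.FindAll() |
            ForEach-Object { [string]$_.Properties['samaccountname'][0] })

        if ($owners.Count -eq 0) {
            # No account holds the SPN, so the KDC cannot issue a service ticket for it.
            $status = 'Missing'
        }
        elseif ($owners.Count -gt 1) {
            # The same SPN on several accounts is ambiguous for the KDC.
            $status = 'Duplicate'
        }
        elseif ($owners[0] -ne $ExpectedAccount) {
            # The ticket would be encrypted for an account the site does not run as.
            $status = 'WrongAccount'
        }
        else {
            $status = 'OK'
        }

        [pscustomobject]@{
            Spn    = $spn
            Status = $status
            Owners = $owners -join ', '
        }
    }
}

# Example call with placeholder values (constructed, not from the thread):
# Get-HttpSpnStatus -HostName 'portal.example.com','portal' -ExpectedAccount 'svc-sharepoint'
```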
Yes, DelegConfig is just a utility (an excellent one) to assist in determining if your SPNs are set up correctly, if trust delegation is set up correctly, and if the web browser is attempting to make an appropriate connection, among other things.
It's not needed, but it is definitely helpful.
ASKER CERTIFIED SOLUTION
ASKER
Issue was ultimately solved by Microsoft PSS
http://www.iis.net/community/default.aspx?tabid=34&g=6&i=1887
Then walk through the wizard interface to see what might be set up incorrectly. It's a very helpful tool!