ged125 asked:
Unable to Login to SharePoint 2007 using IE7 with Kerberos

We have a client that uses IE7 and Windows XP on all their workstations.  We are developing an application for them based on SharePoint.  Due to the architecture of the solution, Kerberos constrained delegation is required for authentication.

I have created a site collection and extended it to a website with the following security configuration:

User generated image
From the SharePoint server itself (W2K8R1 with IE8), I can access the site just fine.  However, when I try to access it via FQDN using IE7 from a client workstation, I get prompted three times for my user account and then I get this:

User generated image
And at the same time, the server logs the following to the event log:

User generated image
The crazy thing about all of this is that if I run this same test from Firefox, I login just fine.  However, from looking at the event log, it appears that Firefox is using NTLM and not Kerberos.

This whole thing has me banging my head against the wall.  To my knowledge, I have all of the necessary SPNs created, but I suppose I could have missed one.  I would give away 10,000 points for this one if I could, please help!

Thanks in advance.
jessc7:

Create a new web site in IIS, set the authentication to Kerberos, use the same app pool, and deploy this utility web app to it:

http://www.iis.net/community/default.aspx?tabid=34&g=6&i=1887

Then walk through the wizard interface to see what might be set up incorrectly. It's a very helpful tool!
ged125 (asker):
This says it's for IIS 6.0 and 7.0, the test box that I have access to tonight is IIS 7.5.   Do you know if it is supported?
Does this happen with every single user in the domain or is it just this one user?
I would try a utility like KerbTray to identify the kerberos ticket you get issued by the KDC in your environment. If you don't get issued a ticket, you can't authenticate to IIS because IIS is expecting a kerberos ticket. Kerbtray will give you an idea of what you get.
As for Firefox, NTLM will work because you probably don't have problems contacting a DC - the issue is probably related to your KDC, the Kerberos ticket being issued, your SPN setup and/or other related issues with Kerberos.
You want to make sure you set up Kerberos correctly: http://technet.microsoft.com/en-us/library/cc263449(office.12).aspx
Yes, DelegConfig should run fine under IIS7.5.
ged125 (asker):
UICE - Every user

Jessc7 - trying your suggestion this morning.
ged125 (asker):
Jessc7 - I deployed the utility web app that you suggested using the same application pool.  When I try to browse to the default.aspx file I get the following exception:

User generated image
I haven't encountered that error before, but you might have a look at this post:

http://dbvt.com/blog/post/AspNetHostingPermission-Security-Exception-Fix-with-Ajax-in-IIS7.aspx

Also, here is a post on using DelegConfig:

http://blogs.iis.net/bretb/archive/2008/03/27/How-to-Use-DelegConfig.aspx
ged125 (asker):
We are soooo close!   I am now able to run the wizard, but when it completes it's stuck at "Please Wait" and I get the following script error when I click on the warning icon on the bottom left.

User generated image
Try resetting the IE settings (Internet Options -> Advanced -> Reset) and check the issue again.

You are using a web browser from one of the XP workstations, correct?
Not to go against jessc7, who has awesome tools and comments, but a separate tool to configure Kerberos shouldn't be required to set up Kerberos. You just need to make sure you set up your SPNs correctly. Once your SPNs are set up correctly your end users should be able to get tickets from your KDC server and authenticate into SharePoint.

The error message you are getting in your event log seems to be related to the fact that your users aren't getting good tickets from your KDC server, probably because you are missing SPNs.
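The two replies above (the KerbTray suggestion and the "check your SPNs" advice) describe checks that can be scripted. The following PowerShell is an added example, not code from the thread or from Microsoft: it verifies that the HTTP SPN for the site's FQDN exists in Active Directory exactly once and on the application pool account, and then requests a service ticket for it. The FQDN `portal.example.com` and the account `svc_sp` are placeholders; `setspn -X` and `klist get` assume Windows Server 2008 / Windows 7 or later (XP clients would use KerbTray as suggested above).

```powershell
# Added diagnostic example (not from the original thread).
# Placeholders: portal.example.com = site FQDN, svc_sp = app pool identity.
param(
    [string]$SiteFqdn    = 'portal.example.com',
    [string]$AppPoolAcct = 'svc_sp'
)

$spn = "HTTP/$SiteFqdn"

# 1. Which AD accounts hold this SPN? Plain LDAP query, no extra tools needed.
$searcher = [adsisearcher]"(servicePrincipalName=$spn)"
$searcher.PropertiesToLoad.Add('sAMAccountName') | Out-Null
$owners = @($searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })

switch ($owners.Count) {
    0 {
        # No SPN: the KDC cannot issue a ticket for this host, so IE never gets
        # past the credential prompt (NTLM in Firefox still works, as seen above).
        Write-Warning "$spn is not registered on any account. Register it with: setspn -S $spn $AppPoolAcct"
    }
    1 {
        if ($owners[0] -ieq $AppPoolAcct) {
            Write-Host "OK: $spn is registered on $($owners[0]) (the app pool identity)."
        } else {
            # Ticket is encrypted for the wrong account's key; IIS cannot decrypt it.
            Write-Warning "$spn is on '$($owners[0])' but the app pool runs as '$AppPoolAcct'."
        }
    }
    default {
        # Duplicate SPNs break Kerberos for this host; remove the extras with setspn -D.
        Write-Warning "$spn is registered on $($owners.Count) accounts: $($owners -join ', ')"
    }
}

# 2. Forest-wide duplicate SPN report (setspn -X is built in on Server 2008+).
Write-Host "`nsetspn -X (duplicate SPN report):"
setspn -X

# 3. From a domain-joined client, request the service ticket directly and show it.
#    A failure here (rather than in the browser) points at the KDC/SPN, not at IIS.
Write-Host "`nRequesting a service ticket for $spn:"
klist get $spn
klist | Select-String -Pattern $SiteFqdn
```

Run it as a domain user from a workstation or from the SharePoint server; step 1 and 2 use the forest-wide view, so an SPN accidentally registered on the machine account instead of the app pool account shows up immediately.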
Yes, DelegConfig is just a utility (an excellent one) to assist in determining if your SPNs are set up correctly, if trust delegation is set up correctly, and if the web browser is attempting to make an appropriate connection, among other things.

It's not needed, but it is definitely helpful.
ASKER CERTIFIED SOLUTION (ged125)
ged125 (asker):
Issue was ultimately solved by Microsoft PSS