Solved

Kerberos / NTLM

Posted on 2016-07-26
Medium Priority
107 Views
Last Modified: 2016-08-05
Hello

I have a website that seems to be configured to use Kerberos. I see this because Negotiate is selected, but I know that is not enough.

Regardless, I would like to bypass Kerberos auth (to avoid any misconfigured SPN etc.) and connect with NTLM so that I can be sure that the site is configured correctly.

I moved NTLM above Negotiate, but I am still getting the same error: the credential window pops up and after 3 attempts it gives a "not authorized" access error, which seems to me like Kerberos error behavior.

I have been wondering if there is anything else I need to consider to bypass Kerberos and to force NTLM.

And how do you figure out if a site is using Kerberos, other than checking the authentication settings to see that Negotiate is on top? I know that you can use Wireshark etc., but I need a simple way. I can check the security log and see Kerberos in the security audit logs, but there is more than one site on the server. So how would I know whether or not a particular site is using Kerberos and not NTLM?

Thanks All

F.
Question by:toronto2456
3 Comments
 
LVL 29

Expert Comment

by:Dan McFadden
ID: 41735494
Switching to NTLM will most likely not solve your issue.  It's probably a site config problem.

The first thing is to make sure that, if Windows Authentication is enabled, you disable Anonymous Authentication.  Anonymous will hit first if both are enabled.

I would read through this blog post and verify your setup.

Link:  https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/

Unless you are using custom DNS names, you should not have to fiddle with SPNs.

Dan
 

Author Comment

by:toronto2456
ID: 41738958
Thanks Dan,

Yes, I have checked those. I have also checked for duplicate SPNs. The only thing that seems to be missing is the SPN for file shares.

Custom DNS names are being used, so I need SPNs. Our content is located in a UNC share on a NAS, WEBSITESCONTENT, which is a DNS alias for CORPDATA.HERCULES.tor.on.

Do you know what SPN needs to be created in this case?  I have checked the web but found many different answers.

I think the problem is the missing SPN for the NAS shares, as I have been having security policy errors.

Thanks

F.
 
LVL 29

Accepted Solution

by: Dan McFadden (earned 2000 total points)
ID: 41742637
Yeah, but you are accessing the content on the NAS via IIS, therefore the URL to use is the URL of the IIS server, not the FQDN of the NAS device.

You can configure a website to source its content from the UNC Share.

Link:  https://msdn.microsoft.com/en-us/library/cc768023.aspx?f=255&MSPPError=-2147217396

Dan
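The question in this thread also asks for a simple way to tell whether a given site is really being authenticated with Kerberos or with NTLM. The Authorization header the browser sends after the 401 answers that: a raw NTLMSSP message means NTLM was used, and in a SPNEGO token the first OID of the mechTypes list is the mechanism the client chose. The following classifier is an added example, not code from this thread; the sample tokens are constructed, and the OID scan is a heuristic rather than a full ASN.1 parser.

```python
import base64

# DER-encoded mechanism OIDs seen in a SPNEGO NegTokenInit mechTypes list.
# mechTypes is in the client's preference order, so the first OID in it is
# the mechanism whose token the client actually sent (Kerberos or NTLM).
MECH_OIDS = {
    "Kerberos": bytes.fromhex("06092a864886f712010202"),     # 1.2.840.113554.1.2.2
    "MS-Kerberos": bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2
    "NTLMSSP": bytes.fromhex("060a2b06010401823702020a"),    # 1.3.6.1.4.1.311.2.2.10
}
SPNEGO_OID = bytes.fromhex("06062b0601050502")               # 1.3.6.1.5.5.2

def _der(tag, content):
    """Minimal DER TLV with short-form length (enough for these small samples)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

def build_spnego(mech_order):
    """Constructed NegTokenInit carrying only a mechTypes list, for demonstration."""
    mech_types = _der(0x30, b"".join(MECH_OIDS[m] for m in mech_order))
    neg_token_init = _der(0x30, _der(0xA0, mech_types))
    token = _der(0x60, SPNEGO_OID + _der(0xA0, neg_token_init))
    return "Negotiate " + base64.b64encode(token).decode()

def classify(authorization_header):
    """Return (scheme, mechanism) for a request's Authorization header value."""
    scheme, _, b64 = authorization_header.strip().partition(" ")
    if not b64:
        return scheme, "no token"
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):
        # Raw NTLMSSP under either the NTLM or the Negotiate scheme: no Kerberos.
        return scheme, "NTLM (raw NTLMSSP message; Kerberos was not used)"
    if raw[:1] == b"\x60":                       # SPNEGO InitialContextToken
        # Heuristic: locate the encoded OIDs and take the earliest one.
        hits = {m: raw.find(o) for m, o in MECH_OIDS.items() if o in raw}
        if not hits:
            return scheme, "SPNEGO (unknown mechType)"
        return scheme, "SPNEGO, preferred mech: " + min(hits, key=hits.get)
    return scheme, "unrecognised token"

# Constructed samples: an NTLM Type 1 message under the NTLM scheme, a SPNEGO
# token that prefers Kerberos, and one where the client fell back to NTLM.
SAMPLE_NTLM = "NTLM " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28).decode()
SAMPLE_KERBEROS = build_spnego(["Kerberos", "MS-Kerberos", "NTLMSSP"])
SAMPLE_FALLBACK = build_spnego(["NTLMSSP"])

if __name__ == "__main__":
    for name, hdr in [("ntlm", SAMPLE_NTLM), ("kerberos", SAMPLE_KERBEROS), ("fallback", SAMPLE_FALLBACK)]:
        print(name, classify(hdr))
```

Grab the header from the browser's developer tools or an IIS failed-request trace for the specific site, so a server hosting several sites no longer matters.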
