Eric
asked on
Kerberos / NTLM
Hello
I have a website that seems to be configured to use Kerberos. I see this as Negotiate is selected, but I know that is not enough.
Regardless, I would like to bypass Kerberos auth (to avoid any misconfigured SPN etc.) and connect with NTLM so that I can be sure that the site is configured correctly.
I moved NTLM above Negotiate, but I am still having the same error: a credential window pops up, and after 3 attempts it gives an unauthorized access error, which seems to me like Kerberos error behavior.
I have been wondering if there is anything else I need to consider to bypass Kerberos and to force NTLM.
And how do you figure out if a site is using Kerberos, other than checking the Authentication settings to see that Negotiate is on top? I know that you can use Wireshark etc., but I need a simple way. I can check the Security log and see Kerberos in the security audit logs, but there is more than one site on the server. So how would I know whether or not a particular site is using Kerberos but not NTLM?
Thanks All
F.
ASKER
Thanks Dan,
Yes, I have checked those. I have also checked for duplicate SPNs. The only thing that seems to be missing is the SPN for file shares.
Custom DNS names are being used, so we need SPNs. Our content is located in a UNC share on a NAS, WEBSITESCONTENT, which is a DNS alias for CORPDATA.HERCULES.tor.on.
Do you know what SPN needs to be created in this case? I have checked the web but found many different answers.
I think the problem is the missing SPN for NAS shares as I have been having security policy errors
Thanks
F.
ASKER CERTIFIED SOLUTION
The first thing is to make sure that, if Windows Authentication is enabled, you disable Anonymous Authentication. Anonymous will hit first if both are enabled.
I would read through this blog post and verify your setup.
Link: https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/
Unless you are using custom DNS names, you should not have to fiddle with SPNs.
Dan
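Added example, not code from the thread, from Dan or from Experts Exchange: a PowerShell script that checks the two things discussed above on a per-site basis. It reads the site's Anonymous/Windows authentication settings and provider order from IIS (Dan's point that Anonymous wins when both are enabled), and it classifies an Authorization or WWW-Authenticate header value as Kerberos or NTLM by decoding the token, which is the "simple way" asked for that does not need Wireshark and, unlike the Security log, is tied to one site's requests. It assumes IIS 7 or later with the WebAdministration module, an elevated shell on the web server, and a placeholder site name in $SiteName. The sample tokens at the bottom are constructed to show only the framing bytes the classifier keys on; they are not valid tickets or captures.

```powershell
# Added example (not from the original thread). Assumes IIS 7+ with the
# WebAdministration module and an elevated shell on the web server.
Import-Module WebAdministration

$SiteName = 'Default Web Site'            # assumption: replace with the real site name
$AppHost  = 'MACHINE/WEBROOT/APPHOST'
$AuthBase = 'system.webServer/security/authentication'

function Get-SiteAuthConfig {
    # Reads the per-site auth settings: whether Anonymous and Windows auth are
    # enabled, and the order in which IIS advertises Negotiate/NTLM to clients.
    param([string]$Site)
    $anon = (Get-WebConfigurationProperty -PSPath $AppHost -Location $Site `
                -Filter "$AuthBase/anonymousAuthentication" -Name enabled).Value
    $win  = (Get-WebConfigurationProperty -PSPath $AppHost -Location $Site `
                -Filter "$AuthBase/windowsAuthentication" -Name enabled).Value
    $providers = (Get-WebConfiguration -PSPath $AppHost -Location $Site `
                -Filter "$AuthBase/windowsAuthentication/providers").Collection |
                ForEach-Object { $_.value }
    $warning = $null
    if ($anon -and $win) {
        # Dan's point above: with both enabled the request is served anonymously
        # and the Windows auth provider order is never exercised.
        $warning = 'Anonymous and Windows auth both enabled; disable Anonymous'
    }
    [pscustomobject]@{
        Site          = $Site
        Anonymous     = [bool]$anon
        Windows       = [bool]$win
        ProviderOrder = ($providers -join ', ')
        Warning       = $warning
    }
}

function Get-AuthSchemeFromToken {
    # Classifies the token in an Authorization (client) or WWW-Authenticate
    # (server) header value such as 'Negotiate YIIF...' or 'NTLM TlRMTVNTUAAB...'.
    #   - an NTLMSSP message, raw or wrapped inside SPNEGO  -> NTLM
    #   - a SPNEGO blob (0x60) carrying a Kerberos mech OID -> Kerberos
    param([string]$HeaderValue)
    $parts = $HeaderValue.Trim() -split '\s+', 2
    if ($parts.Count -lt 2) { return 'challenge-only' }          # bare "Negotiate"
    try   { $bytes = [Convert]::FromBase64String($parts[1]) }
    catch { return 'not-base64' }
    # Latin-1 maps every byte to exactly one char, so .Contains() is a byte search.
    $latin1 = [Text.Encoding]::GetEncoding(28591)
    $raw    = $latin1.GetString($bytes)
    $krbOid = $latin1.GetString([byte[]](0x2A,0x86,0x48,0x86,0xF7,0x12,0x01,0x02,0x02)) # 1.2.840.113554.1.2.2
    $msKrb  = $latin1.GetString([byte[]](0x2A,0x86,0x48,0x82,0xF7,0x12,0x01,0x02,0x02)) # 1.2.840.48018.1.2.2
    if ($raw.Contains("NTLMSSP`0")) { return 'NTLM' }
    if ($bytes[0] -eq 0x60 -and ($raw.Contains($krbOid) -or $raw.Contains($msKrb))) { return 'Kerberos' }
    if ($bytes[0] -eq 0x60) { return 'SPNEGO-other' }
    return 'unknown'
}

function Get-NetworkLogonPackages {
    # Server-wide view from the Security log: network (type 3) logons grouped by
    # authentication package. It cannot say which IIS site a logon belonged to,
    # which is why the header check above is the per-site test.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4624} -MaxEvents $MaxEvents |
        ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                LogonType = ($d | Where-Object Name -eq 'LogonType').'#text'
                Package   = ($d | Where-Object Name -eq 'AuthenticationPackageName').'#text'
            }
        } |
        Where-Object LogonType -eq '3' |
        Group-Object Package | Select-Object Name, Count
}

# Constructed sample tokens (not captured from a real server).
$ntlmType1 = [byte[]](
    0x4E,0x54,0x4C,0x4D,0x53,0x53,0x50,0x00,    # "NTLMSSP\0" signature
    0x01,0x00,0x00,0x00,                        # message type 1 (NEGOTIATE)
    0x07,0x82,0x08,0xA2,                        # negotiate flags
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0)           # empty domain/workstation fields
$spnegoKrb = [byte[]](
    0x60,0x13,                                  # SPNEGO outer tag + length (schematic)
    0x06,0x06,0x2B,0x06,0x01,0x05,0x05,0x02,    # SPNEGO OID 1.3.6.1.5.5.2
    0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x12,0x01,0x02,0x02)  # Kerberos mech OID
$samples = @(
    "Negotiate $([Convert]::ToBase64String($spnegoKrb))",    # Kerberos via Negotiate
    "Negotiate $([Convert]::ToBase64String($ntlmType1))",    # NTLM fallback inside Negotiate
    "NTLM $([Convert]::ToBase64String($ntlmType1))",         # plain NTLM
    'Negotiate'                                              # server challenge, no token yet
)

Get-SiteAuthConfig -Site $SiteName | Format-List
foreach ($h in $samples) { '{0,-14} {1}' -f (Get-AuthSchemeFromToken $h), $h }
Get-NetworkLogonPackages | Format-Table -AutoSize
```

To test a real site, open the browser's developer tools (Network tab) or Fiddler while loading the page, copy the value of the Authorization request header from the successful request, and pass it to Get-AuthSchemeFromToken; a value beginning "Negotiate YII" is normally Kerberos and one whose decoded bytes contain "NTLMSSP" is NTLM, whichever scheme name precedes it. The duplicate-SPN check mentioned in the thread is `setspn -X`, and `setspn -Q HTTP/<name>` shows which account, if any, holds the SPN for a custom DNS name; the script does not create or change SPNs.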