Ureader.com  
Microsoft software help and Community
date: Mon, 5 May 2008 23:01:00 +0200,    group: microsoft.public.exchange.misc


Kerberos NTLM   
Is there a reason that IE(IE7) would send NTLM instead of KERBEROS after 
setting IE as follows?
Is there something else I have to look for?

1. put the requesting site in IE to local-network
2. in the IE extended security option enable Integrated Windows
Authentication


To configure Intranet Authentication:
1. Click the Security tab, click Local intranet, and then click Custom
Level.
2. In the Security Settings dialog box, scroll down to the User
Authentication section of the list.
3. Select Automatic logon only in Intranet zone. This setting prevents users
from having to re-enter logon credentials; a key piece to this solution.
4. Click OK to close the Security Settings dialog box.


In addition to the previous settings, one additional setting is required if
you are running Internet Explorer 6.0.
1. In Internet Explorer, click Tools, and then click Internet Options.
2. Click the Advanced tab.
3. Scroll down to the Security section.
4. Make sure that Enable Integrated Windows Authentication (requires
restart) is checked, and then click OK.
5. If this box was not checked, restart the browser.
date: Mon, 5 May 2008 23:01:00 +0200   author:   filip fmatosic@@inet.hr

Re: Kerberos NTLM   
Before going into technical details - what makes you think that Kerberos is 
not used?
And two basic questions - do you have the site configured as per the 
http://support.microsoft.com/kb/215383 (assuming IIS, let us know if it's 
not), and what's in the Kerberos ticket cache before the auth request?

-- 
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
date: Tue, 6 May 2008 18:38:13 +1000   author:   S. Pidgorny MVP

Re: Kerberos NTLM   
Kerberos token (as I have searched the web) starts like  YIll... but I 
receive
TlRMTVNTUAABAAAAB7IIogoACgAuAAAABgAGACgAAAAFASgKAAAAD0ZJTElQTUNSRURPQkFOS0E=
which is NTLM.
No, this is not IIS.
The computer which is making the request to my web server is in a domain 
(win2003 RC2); also, the computer on which the web server runs, and its 
logged-on user, are on the domain. The requesting (IE7) computer always sends 
NTLM. Also, I have set up my IE as stated below.
Is there anything else I should look for? Maybe on my DC (win2003 RC2)?
date: Tue, 6 May 2008 10:48:25 +0200   author:   filip
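
An added example (not part of the original posts): a small Python classifier for the base64 token in an `Authorization` header, run against the token quoted in the post above and against constructed SPNEGO stubs. It shows why the `TlRM...` prefix means raw NTLM, which fields a Type 1 message carries in clear, and that a `YII...` prefix alone only proves a GSS-API wrapper, since NTLM can also travel inside SPNEGO. The function and constant names are this example's own, and the Kerberos check is a heuristic on the mechanism OID and AP-REQ token id.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
AP_REQ_TOK_ID = b"\x01\x00"  # follows the mech OID inside a Kerberos GSS token

# The token quoted in the post above.
PAGE_TOKEN = "TlRMTVNTUAABAAAAB7IIogoACgAuAAAABgAGACgAAAAFASgKAAAAD0ZJTElQTUNSRURPQkFOS0E="

# Constructed stub of a Kerberos mech token: GSS header, Kerberos OID, AP-REQ id.
KRB5_AP_REQ_STUB = b"\x60\x0d" + OID_KRB5 + AP_REQ_TOK_ID


def constructed_spnego(inner):
    """Constructed stub, not a valid token: SPNEGO OID, a mech token, zero padding.

    The padding pushes the length past 255 bytes, as real tickets are, so the
    DER header is 60 82 xx xx and the base64 text starts with "YII".
    """
    body = OID_SPNEGO + inner + b"\x00" * 300
    der = b"\x60\x82" + struct.pack(">H", len(body)) + body
    return base64.b64encode(der).decode()


def _der_header_len(raw):
    """Size of the outer tag + length header of a DER element."""
    if len(raw) < 2:
        return len(raw)
    first = raw[1]
    return 2 if first < 0x80 else 2 + (first & 0x7F)


def parse_ntlm(raw):
    """Return the message type and, for a Type 1 (negotiate), its clear-text fields."""
    if len(raw) < 12:
        return {"ntlm_type": None}
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    info = {"ntlm_type": msg_type}
    if msg_type == 1 and len(raw) >= 32:
        # flags, then two (length, max length, offset) descriptors
        flags, dlen, _, doff, wlen, _, woff = struct.unpack_from("<IHHIHHI", raw, 12)
        info["flags"] = flags
        info["domain"] = raw[doff:doff + dlen].decode("ascii", "replace")
        info["workstation"] = raw[woff:woff + wlen].decode("ascii", "replace")
    return info


def classify(header_value):
    """Classify 'Negotiate <b64>' / 'NTLM <b64>' or a bare base64 token."""
    parts = header_value.strip().split()
    result = {"scheme": parts[0] if len(parts) == 2 else None, "mechanism": "unknown"}
    raw = base64.b64decode(parts[-1], validate=True)
    if raw.startswith(NTLMSSP_SIG):
        result["mechanism"] = "NTLM"
        result.update(parse_ntlm(raw))
    elif raw[:1] == b"\x60":  # GSS-API InitialContextToken
        body = raw[_der_header_len(raw):]
        has_krb = any(oid + AP_REQ_TOK_ID in body for oid in (OID_KRB5, OID_MS_KRB5))
        if body.startswith(OID_SPNEGO):
            if NTLMSSP_SIG in body:
                result["mechanism"] = "NTLM (wrapped in SPNEGO)"
            elif has_krb:
                result["mechanism"] = "Kerberos (via SPNEGO)"
            else:
                result["mechanism"] = "SPNEGO (no recognised mech token)"
        elif body.startswith(OID_KRB5):
            result["mechanism"] = "Kerberos"
    return result


if __name__ == "__main__":
    print(classify(PAGE_TOKEN))
    print(classify("Negotiate " + constructed_spnego(KRB5_AP_REQ_STUB)))
```
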

Re: Kerberos NTLM   
Also, all computers use the domain and get valid Kerberos tickets from the DC, and 
when I try to get a valid Kerberos ticket
using a local program, it works fine: I get the ticket and validate it. My only 
problem is why IE7 is not sending a valid Kerberos ticket.
date: Tue, 6 May 2008 11:11:05 +0200   author:   filip

Re: Kerberos NTLM   
First, download Kerbtray and have it running when you login to this website. 
If you neglect to see a HTTP/hostname (where hostname is your web site 
address) under the list of tickets, then you know you aren't using Kerberos.

If IE and IIS are configured properly to do Kerberos, then the problem is 
probably SPN related. Make sure you have a valid HTTP SPN registered for the 
account running the IIS application pool. If the application pool is running 
as Network Service (which is the default configuration), then the SPN will 
need to be set on the computer account.

To add an SPN, use the setspn tool. Something like:  "setspn -a 
http/hostname computer" where hostname is the web address and computer is 
the computer account name in AD. Here are some useful links:

http://technet2.microsoft.com/WindowsServer/en/library/b3a029a1-7ff0-4f6f-87d2-f2e70294a5761033.mspx
http://support.microsoft.com/kb/326985

-- 
Joseph T. Corey  MCSE, Security+
Systems Administrator
jcorey@cmu.edu
date: Tue, 6 May 2008 08:39:46 -0400   author:   Joseph T Corey

Re: Kerberos NTLM   
Thank you for the tips, I will try and tell you the outcome.
date: Tue, 6 May 2008 16:04:02 +0200   author:   filip

Re: Kerberos NTLM   
IE is properly configured, by the steps stated below.
I have set up an SPN as follows (my web server is on a machine named 
"server1", and the URL to access it is "server1.mydomain.com"),
so I set up the SPN as follows (on my server running the Kerberos service, named 
"exchangeServer1", in my case a win2003 R2 server which is an Exchange as 
well as DC):

setspn -A HTTP/srver1.mydomain.com server1

I have Kerbtray on the machine doing the request with IE7, and on my server; 
after requesting the page, no ticket is issued, as I see no ticket for 
HTTP/server1.
Also, from the request header Authorization I get NTLM, not KERBEROS. 
I looked at the logs on the server, but I couldn't find, and don't know where to 
find, a log that says it falls back to NTLM for any reason.
date: Thu, 8 May 2008 00:02:03 +0200   author:   filip

Re: Kerberos NTLM   
So, what is the Web server and how is it configured for Kerberos?

-- 
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
date: Thu, 8 May 2008 21:53:38 +1000   author:   S. Pidgorny MVP

Re: Kerberos IE6 works, IE7 does not   
Has anyone found a solution to this for IE7? I am having the same issue. For 
IE6, authentication works. The Windows authentication is passed from Client 
to WebServer (server1) and then from Web Server to Report server (Reporting 
Services, server2), and reports load. When trying this in IE7, it doesn't work 
(401 error). Configuration: Client: IE7, IIS: running on Windows 2K SP4 using 
Integrated Windows Authentication only. Report Server also uses Integrated 
Windows Authentication. WebServer (IIS) is on server1 and Reporting Server is 
on server2. Using ASP.Net 2.0 on Webserver. Active Directory and Web Server 
are configured correctly using Kerberos and the SPN has been set up. It works 
fine when calling an ASP page on IIS in IE6; however, for the same user using IE7, it 
doesn't work. Trying to isolate whether it is actually an IE issue or some other 
security update that gets installed as part of IE7. In both cases, both the 
IE6 and IE7 machines are updated through XP SP3.
date: Mon, 23 Jun 2008 09:56:02 -0700   author:   jc

Re: Kerberos IE6 works, IE7 does not   
Not enough information. 401 what? What is in the Web server logs and 
application/security logs on each server? There must be related entries, or 
at least - authentication entries in the security log.

-- 
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
date: Wed, 25 Jun 2008 19:12:55 +1000   author:   S. Pidgorny MVP
