We have a customer with an Active Directory environment that's using SmartCards for login. A win2003 IIS 6 server has a virtualDirectory with only Integrated Authentication enabled (no anonymous). People can connect to the virtualDir, but it uses NTLM authentication instead of Kerberos (which we need for delegation).

The server in question is in the client's "Local Sites" in their IE security configuration. IIS does have "Negotiate" enabled[1]. We installed AuthDiag on the server and the "Kerberos Config" section showed everything was set up properly. "Check URL" for the virtualdir said it was all ok for NTLM and made no mention of Kerberos. (These logs can be provided if desired.)

What else can we check to see why Kerberos isn't being used for the transaction? I'm requesting that he enable Kerberos event logging[2] on both the client and the server in hopes that it will give some kind of information, but I'm really not sure. Where else can we look?

Thanks
Jason

[1] As determined by http://support.microsoft.com/kb/215383
[2] http://support.microsoft.com/kb/q262177/
This is really strange: in my tests with IIS, and according to Microsoft (http://www.microsoft.com/technet/security/guidance/identitymanagement/scard.mspx), NTLM isn't available for smart card users. But I suspect something is incomplete or incorrect in that, because some of the resources configured for NTLM authentication worked.

You have to go through the entire troubleshooting routine - see http://support.microsoft.com/kb/326985

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Jason Viers" wrote in message news:%23rGdCqL6HHA.4476@TK2MSFTNGP06.phx.gbl...
> We have a customer with an Active Directory environment that's using
> SmartCards for login. A win2003 IIS 6 server has a virtualDirectory
> with only Integrated Authentication enabled (no anonymous). People can
> connect to the virtualDir, but it uses NTLM authentication instead of
> Kerberos (which we need for delegation).
>
> The server in question is in the client's "Local Sites" in their IE
> security configuration. IIS does have "Negotiate" enabled[1]. We
> installed AuthDiag on the server and the "Kerberos Config" section
> showed everything was set up properly. "Check URL" for the virtualdir
> said it was all ok for NTLM and made no mention of Kerberos. (These
> logs can be provided if desired.)
>
> What else can we check to see why Kerberos isn't being used for the
> transaction? I'm requesting that he enable Kerberos event logging[2]
> on both the client and the server in hopes that it will give some kind
> of information, but I'm really not sure. Where else can we look?
>
> Thanks
> Jason
>
> [1] As determined by http://support.microsoft.com/kb/215383
> [2] http://support.microsoft.com/kb/q262177/
Another thing to consider would be protocol transition (Kerberos S4U). That way, the front end IIS can authenticate the user with any protocol but delegation can still be used. You have to use constrained delegation with this feature, but you should really be using that anyway. :)

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--

"S. Pidgorny <MVP>" wrote in message news:OzqdvqV6HHA.3716@TK2MSFTNGP03.phx.gbl...
> This is really strange: in my tests with IIS, and according to Microsoft
> (http://www.microsoft.com/technet/security/guidance/identitymanagement/scard.mspx),
> NTLM isn't available for smart card users. But I suspect something is
> incomplete or incorrect in that, because some of the resources configured for
> NTLM authentication worked.
>
> You have to go through the entire troubleshooting routine - see
> http://support.microsoft.com/kb/326985
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>
> "Jason Viers" wrote in message
> news:%23rGdCqL6HHA.4476@TK2MSFTNGP06.phx.gbl...
>> We have a customer with an Active Directory environment that's using
>> SmartCards for login. A win2003 IIS 6 server has a virtualDirectory
>> with only Integrated Authentication enabled (no anonymous). People can
>> connect to the virtualDir, but it uses NTLM authentication instead of
>> Kerberos (which we need for delegation).
>>
>> The server in question is in the client's "Local Sites" in their IE
>> security configuration. IIS does have "Negotiate" enabled[1]. We
>> installed AuthDiag on the server and the "Kerberos Config" section
>> showed everything was set up properly. "Check URL" for the virtualdir
>> said it was all ok for NTLM and made no mention of Kerberos. (These
>> logs can be provided if desired.)
>>
>> What else can we check to see why Kerberos isn't being used for the
>> transaction? I'm requesting that he enable Kerberos event logging[2]
>> on both the client and the server in hopes that it will give some kind
>> of information, but I'm really not sure. Where else can we look?
>>
>> Thanks
>> Jason
>>
>> [1] As determined by http://support.microsoft.com/kb/215383
>> [2] http://support.microsoft.com/kb/q262177/
S. Pidgorny <MVP> wrote:
> This is really strange: in my tests with IIS, and according to Microsoft
> (http://www.microsoft.com/technet/security/guidance/identitymanagement/scard.mspx),
> NTLM isn't available for smart card users. But I suspect something is
> incomplete or incorrect in that, because some of the resources configured for
> NTLM authentication worked.
>
> You have to go through the entire troubleshooting routine - see
> http://support.microsoft.com/kb/326985

Found the problem. Their host was "machine.foo.bar.baz.quux.com", so it had default SPNs of "HOST/machine" and "HOST/machine.foo.bar.baz.quux.com". They were accessing the machine via "http://machine.baz.quux.com". Using one of the former worked, so I'm having them register HOST/machine.baz.quux.com.

This doesn't explain how or why they were using NTLM in the first place though (they confirmed this is all smartcard login with no password entered anywhere), and I doubt the customer has the desire to indulge curiosity about the oddity. :-/

Thanks once again all!
Jason
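The SPN mismatch Jason found is the classic reason Negotiate quietly drops to NTLM: the client builds its ticket request from the host name in the URL, and if no account owns that SPN the KDC cannot issue a ticket. The following added example (mine, not from anyone in the thread) models that lookup against a constructed copy of what `setspn -L` would list, including the duplicate-SPN case that also breaks Kerberos; the account names and the second server are made up.

```python
from urllib.parse import urlsplit

# Constructed sample of what `setspn -L <account>` lists for each account; the
# names are made up but mirror the thread: the server's DNS name is
# machine.foo.bar.baz.quux.com while users browse to machine.baz.quux.com.
REGISTERED_SPNS = {
    "MACHINE$": ["HOST/machine", "HOST/machine.foo.bar.baz.quux.com"],
    "OTHERBOX$": ["HOST/otherbox", "HOST/otherbox.quux.com"],
}


def expected_spns(url):
    """SPNs a Windows client asks the KDC for when browsing to `url`.

    IE/WinHTTP build HTTP/<host exactly as typed in the URL>, with no port
    by default. The KDC also accepts HOST/<host>, because HOST is the
    default alias class covering HTTP, which is why a bare machine account
    with only its default SPNs can still serve Kerberos to IIS.
    """
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("URL has no host: %r" % url)
    return ["HTTP/%s" % host, "HOST/%s" % host]


def find_spn_owner(url, registry=REGISTERED_SPNS):
    """Predict the outcome of Negotiate for `url` against `registry`.

    Returns ("kerberos", account) when exactly one account owns a matching
    SPN, ("duplicate-spn", [accounts]) when several do (the DC logs a
    duplicate-name error instead of issuing a usable ticket), and
    ("ntlm-fallback", None) when nothing matches and SPNEGO falls back to
    NTLM without any visible error on the client.
    """
    for spn in expected_spns(url):          # exact HTTP/ first, then HOST/
        owners = sorted(
            account for account, spns in registry.items()
            if spn.lower() in (s.lower() for s in spns)  # AD matches case-insensitively
        )
        if len(owners) == 1:
            return ("kerberos", owners[0])
        if len(owners) > 1:
            return ("duplicate-spn", owners)
    return ("ntlm-fallback", None)


if __name__ == "__main__":
    for u in ("http://machine.baz.quux.com/app/",
              "http://machine.foo.bar.baz.quux.com/app/",
              "http://machine/app/"):
        print(u, "->", find_spn_owner(u))
```

Registering HOST/machine.baz.quux.com (or HTTP/machine.baz.quux.com) on MACHINE$, as the thread concludes, turns the first URL's result from "ntlm-fallback" into "kerberos".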