
I'm setting up an IIS application on a server within my domain. I configured SPNs and settings to allow Windows authentication to work with Kerberos and Single Sign On, and everything works fine on my local machine.

The problem is that whenever I try to access the website using a different machine, Windows authentication keeps falling back to NTLM, and instead of single sign-on, a credentials prompt pops up on screen.

I even disabled the firewall on both the remote machine and the local machine with the IIS application running on it. The network tools just show it falls back to using NTLM.

Even when I access the app remotely with the same admin account I use to run the IIS over, it collapses to NTLM (on the local machine it works fine).

When I use klist to see whether a Kerberos ticket has been created, I find that no ticket was created to Kerberos-authenticate to the IIS. Googling showed no help on the subject. Any idea what might be the problem?

  • Is the client application sending a Kerberos authentication header? – Greg Askew Mar 21 '21 at 13:23
  • @GregAskew No, not that I can see... What problem can this indicate? – עומר אנגי Mar 21 '21 at 13:54
  • If the client isn't sending a Kerb auth header, that isn't a problem with IIS. And it would be dependent on which client application and how it is configured. – Greg Askew Mar 21 '21 at 14:24
  • 1
    Kerberos requires too many factors (browser settings, browser machine time sync up, AD settings and more), so don't waste your own time if you don't know much about AD, and escalate to your domain administrators. – Lex Li Mar 21 '21 at 23:05

0 Answers