
I'm running into a problem configuring my IIS 7.0 website in a test environment with Kerberos. I have a trial version of Windows Server 2008 R2 with AD DS, AD RMS, DHCP, DNS & IIS roles installed. I have gone into the IIS security settings for the site and set up Windows Authentication to permit Kerberos login.

The problem I'm running into is that it is not routinely using Kerberos for the security protocol. When I set providers in IIS to "Negotiate", Fiddler2 indicates that the header will return an NTLM header 50% of the time and a Kerberos header the other 50% of the time. If I instead set the provider as "Negotiate:Kerberos" in IIS, I cannot access the site at all as it immediately reports a 401 error. Additionally, any attempt to connect to the site in either configuration using a Linux machine points immediately to a 401 security error.

Can anyone please provide some insights or guides into how to configure this? I specifically need to block any fallback to NTLM in addition to enabling Kerberos regardless of the machine I connect with. So far, I haven't found any TechNet or Server Fault articles that fully address this issue.

D. G.
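The 50/50 NTLM-versus-Kerberos split that Fiddler shows in the question can be measured directly from captured Authorization headers. The following is an added example (not code from the question or any answer) that classifies each Negotiate token as Kerberos or NTLM by checking the GSS-API mechanism OID and the NTLMSSP signature, so you can confirm whether NTLM fallback still happens after reconfiguring IIS. The sample headers are constructed stand-ins, not real captures.

```python
import base64
import binascii

# DER-encoded GSS-API mechanism OID values (without the 0x06 tag)
OID_SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10

def classify_auth_header(value):
    """Classify one Authorization header value as kerberos, ntlm, other or unknown."""
    scheme, _, token = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "ntlm":
        return "ntlm"
    if scheme != "negotiate":
        return "other"  # Basic, Bearer, ... are out of scope here
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:
        return "unknown"
    # NTLMSSP signature, bare or wrapped in SPNEGO, means NTLM was negotiated
    if b"NTLMSSP\x00" in raw:
        return "ntlm"
    # GSS InitialContextToken (tag 0x60) carrying the Kerberos mech OID
    if raw[:1] == b"\x60" and OID_KRB5 in raw:
        return "kerberos"
    return "unknown"

def count_auth_schemes(lines):
    """Tally schemes over captured request header lines (e.g. a Fiddler export)."""
    counts = {"kerberos": 0, "ntlm": 0, "other": 0, "unknown": 0}
    for line in lines:
        if line.lower().startswith("authorization:"):
            counts[classify_auth_header(line.split(":", 1)[1])] += 1
    return counts

def _gss_token(mech_oid, body):
    """Minimal GSS-API InitialContextToken (RFC 2743 3.1): 0x60 len 0x06 oidlen oid body."""
    inner = b"\x06" + bytes([len(mech_oid)]) + mech_oid + body
    assert len(inner) < 128  # short-form DER length is enough for these samples
    return b"\x60" + bytes([len(inner)]) + inner

# Constructed sample capture (not real traffic): a Kerberos AP-REQ header, a
# SPNEGO-wrapped NTLM Type 1 (the fallback seen in the question) and a bare NTLM.
NTLM_TYPE1 = b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2"
SAMPLE_LOG = [
    "Authorization: Negotiate " + base64.b64encode(_gss_token(OID_KRB5, b"\x01\x00\x6e\x02\x30\x00")).decode(),
    "Authorization: Negotiate " + base64.b64encode(_gss_token(OID_SPNEGO, b"\x06\x0a" + OID_NTLMSSP + NTLM_TYPE1)).decode(),
    "Authorization: NTLM " + base64.b64encode(NTLM_TYPE1).decode(),
]
```

Run `count_auth_schemes` over the Authorization lines of a real capture; any non-zero `ntlm` count after locking the site to Kerberos means fallback is still occurring.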

2 Answers


In Firefox you will need to set it up to use Kerberos under about:config network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris.

For Chrome/Chromium try chromium-browser --auth-server-whitelist="company.com"

TheFiddlerWins
  • This doesn't seem to solve the problem. I believe there is a deeper problem with the configuration of my IIS or AD settings, but I'm not sure where to look for these. – D. G. Sep 03 '13 at 20:24
  • This doc shows you the IIS-side settings but it's for pre-IIS7: http://blogs.technet.com/b/askds/archive/2008/11/25/fun-with-the-kerberos-delegation-web-site.aspx http://blogs.technet.com/b/askds/archive/2008/11/25/fun-with-the-kerberos-delegation-web-site.aspx is for SharePoint but covers most of the same stuff and is for IIS 7 – TheFiddlerWins Sep 04 '13 at 15:22

If you want to set up a Linux service/application to authenticate to an IIS service endpoint, you can get the Linux box to authenticate to an IIS-hosted Windows site like this:

  1. Ensure your IIS site's Windows Authentication providers are set in this order for Windows Auth:
    • NTLM
    • Negotiate
  2. Create a principal for the account you want to authenticate as:
    • Log in to a Windows server in the domain with Kerberos tools (usually an AD server)
    • Register a Service Principal Name (SPN) against the account you want to authenticate as, and at the same time generate a Kerberos keytab file:
      • Use ktpass to generate a keytab for Linux
      • ktpass -princ HTTP/myiis.site.com@SITE.COM -ptype KRB5_NT_PRINCIPAL -mapuser myuser -pass mypassword -out c:\user.keytab
      • Note: it's important that the URL myiis.site.com matches the endpoint you'll hit, and that SITE.COM matches your domain component.
    • You can check your SPN with setspn -L myuser
    • At this point you now have an SPN mapped to an AD user, and a Kerberos keytab file for Linux to get a Kerberos ticket issued by the KDC (AD server) for authentication using the Negotiate provider.
  3. Import your keytab into the Linux box/application depending on the flavour of Kerberos. To view the credential in the keytab:
    • MIT Kerberos
      • klist -c -k user.keytab
    • Heimdal Kerberos (assuming you copied the keytab to /etc/heimdal/krb5.keytab)
      • ktutil list
lantrix
  • Note: the order of the providers also seems to affect the 401 error. If Negotiate is before NTLM, you can get 401 Unauthorized. With NTLM first, presumably it fails and falls back to Negotiate, which then works with your Linux application using the keytab file loaded into the local Kerberos implementation. – lantrix Dec 10 '14 at 00:41