
My problem:

  • Calling a URL from a Windows Server 2012 with IE 11 fails on an IIS application (with Windows Authentication and Kerberos activated): after 3 prompts for the correct password, I get a 401 error (not authorized) and I can see the following log in the security Event Viewer:

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server servername$. The target name used was HTTP/url.xxx.yyy.zzz. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (xxx.yyy.zzz) is different from the client domain (xxx.yyy.zzz), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

  • Calling the same URL from another Windows Server 2012 brings the same error message
  • Calling the same URL from a console under Win7 runs perfectly

It looks like I am missing a security setting on my server, but I would like to know which one.

Some context information

My web application is automatically deployed on 2 different servers (WS 2012 R2). At the end of the installation of each server, a script is automatically launched to check that all URLs are available using http and https. So I really would like the URL check to execute on the server itself and not on a different console.

Other research done

  • I've checked the SPN and it seems correctly configured
  • The target domain and client domain are the same
  • Using Wireshark, it seems that I'm using NTLM authentication when calling the URLs from my console:

    621 24.297697 IpSrc IpDest HTTP 1014 HTTP/1.1 401 Unauthorized , NTLMSSP_CHALLENGE (text/html)

  • Using Wireshark from my server:

    1216 18.322929 IpSrc IpDest KRB5 250 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED

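The checks listed in the question (SPN registration, which account actually decrypts the ticket, kernel-mode settings, and whether the client even obtains a Kerberos ticket) can be run in one pass from the web server itself. The following PowerShell script is an added diagnostic example, not part of the original question; the target name `HTTP/url.xxx.yyy.zzz` is the placeholder from the event text, and the site name `Default Web Site` and pool name `MyAppPool` are assumptions to be replaced. It needs the WebAdministration module (IIS) and an elevated prompt.

```powershell
# Added diagnostic script (not from the original post). Placeholders to adjust:
$spn      = 'HTTP/url.xxx.yyy.zzz'   # target name taken from the KRB_AP_ERR_MODIFIED event
$siteName = 'Default Web Site'       # assumed IIS site name
$poolName = 'MyAppPool'              # assumed application pool name

Import-Module WebAdministration

Write-Host "== 1. Duplicate SPNs in the domain (setspn -X) =="
# Two accounts holding the same HTTP SPN is the classic cause of the
# "target server failed to decrypt the ticket" event.
setspn -X

Write-Host "== 2. Account(s) holding $spn (setspn -Q) =="
setspn -Q $spn

Write-Host "== 3. Identity the application pool actually runs as =="
$pm = Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel
"identityType = $($pm.identityType); userName = $($pm.userName)"
# The SPN owner from step 2 must be this identity (the machine account when
# identityType is ApplicationPoolIdentity or NetworkService).

Write-Host "== 4. Windows authentication settings on the site =="
$filter = 'system.webServer/security/authentication/windowsAuthentication'
$wa = Get-WebConfiguration -Filter $filter -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName
"enabled = $($wa.enabled); useKernelMode = $($wa.useKernelMode); useAppPoolCredentials = $($wa.useAppPoolCredentials)"
# With useKernelMode=true and useAppPoolCredentials=false, HTTP.sys decrypts
# tickets with the machine account key even if the pool runs as a service account.

Write-Host "== 5. Kerberos ticket for the service as seen by this client =="
klist purge | Out-Null          # drop cached tickets so a fresh one is requested
klist get $spn                  # fails here if the KDC cannot issue a ticket for the SPN

Write-Host "== 6. Local request with the current Windows identity =="
$targetHost = $spn.Split('/')[1]
try {
    $r = Invoke-WebRequest -Uri "https://$targetHost/" -UseDefaultCredentials -UseBasicParsing
    "HTTP $($r.StatusCode)"
} catch {
    "Request failed: $($_.Exception.Message)"   # a 401 lands here
}
```

Read the output top-down: a duplicate in step 1 or a mismatch between the account in step 2 and the identity in step 3 explains the event directly; a working `klist get` in step 5 combined with a 401 in step 6 points at the server-side decryption (steps 3 and 4) rather than at the client or the KDC.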

1 Answer


After some investigation, the problem was really a configuration problem: following the guide here, I managed to authenticate using Kerberos.

To sum up all the actions, you need to:

  • Enable Windows authentication on IIS
  • Create a service account
  • Create SPNs for the host addresses you're going to use
  • Associate this service account with the application pool used to execute your application
  • Modify the delegation parameter in the AD for the service account (Trust this computer for delegation for any service)
  • Modify IIS, enabling UseKernelMode and useAppPoolCredentials

And the last thing that took me some time: I don't know if there are cache or replication mechanisms, but the change of these parameters is not immediate...

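The six steps in the answer can be scripted so that the deployment that installs the two servers also configures them the same way. The following PowerShell script is an added example, not the answer's own script nor the linked guide; the domain `CONTOSO`, the service account `svc-web`, the site `Default Web Site`, the pool `MyAppPool` and the two host names are placeholders. It needs the ActiveDirectory and WebAdministration modules and rights to create accounts, register SPNs and set delegation in the domain.

```powershell
# Added configuration script applying the answer's steps (placeholders throughout).
$domain    = 'CONTOSO'                        # assumed NetBIOS domain name
$svcName   = 'svc-web'                        # assumed service account
$svcUser   = "$domain\$svcName"
$siteName  = 'Default Web Site'               # assumed IIS site
$poolName  = 'MyAppPool'                      # assumed application pool
$hostNames = @('url.xxx.yyy.zzz', 'url')      # FQDN and short name the URL check calls
$password  = Read-Host -Prompt "Password for $svcUser" -AsSecureString

Import-Module ActiveDirectory
Import-Module WebAdministration

# Step 2: create the service account if it does not exist yet.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$svcName'")) {
    New-ADUser -Name $svcName -SamAccountName $svcName -AccountPassword $password `
               -Enabled $true -PasswordNeverExpires $true
}

# Step 3: register one HTTP SPN per host name on the service account.
# setspn -S checks for duplicates first and refuses to create one, which is the
# situation the KRB_AP_ERR_MODIFIED event in the question describes.
foreach ($h in $hostNames) {
    setspn -S "HTTP/$h" $svcUser
}

# Step 5: "Trust this ... for delegation to any service" on the service account
# (unconstrained delegation; use constrained delegation if the application allows it).
Set-ADAccountControl -Identity $svcName -TrustedForDelegation $true

# Step 4: run the application pool as the service account.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 'SpecificUser'; userName = $svcUser; password = $plain }

# Steps 1 and 6: enable Windows authentication and let kernel-mode authentication
# decrypt tickets with the pool identity's key instead of the machine account's.
$filter = 'system.webServer/security/authentication/windowsAuthentication'
$apphost = 'MACHINE/WEBROOT/APPHOST'
Set-WebConfigurationProperty -Filter $filter -Name enabled               -Value $true -PSPath $apphost -Location $siteName
Set-WebConfigurationProperty -Filter $filter -Name useKernelMode         -Value $true -PSPath $apphost -Location $siteName
Set-WebConfigurationProperty -Filter $filter -Name useAppPoolCredentials -Value $true -PSPath $apphost -Location $siteName

# The answer notes the change is not immediate: recycle the pool and purge the
# client's cached tickets so the next request does not reuse a ticket issued
# before the SPN and identity changes.
Restart-WebAppPool -Name $poolName
klist purge | Out-Null
```

Writing the authentication settings through `MACHINE/WEBROOT/APPHOST` with `-Location` stores them in applicationHost.config, which avoids the "section is locked" error that appears when the same properties are set directly on the site path. Both servers should run the script with the same service account and host list, so that the SPNs end up on exactly one account.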