Enabling Kerberos in Active Directory / smart card domain?

Posted by Jason Viers on August 27, 2007, 10:56 am
We have a customer with an Active Directory environment that's using
SmartCards for login. A win2003 IIS 6 server has a virtualDirectory
with only Integrated Authentication enabled (no anonymous). People can
connect to the virtualDir, but it uses NTLM authentication instead of
Kerberos (which we need for delegation).

The server in question is in the client's "Local Sites" in their IE
security configuration. IIS does have "Negotiate" enabled[1]. We
installed AuthDiag on the server and the "Kerberos Config" section
showed everything was set up properly. "Check URL" for the virtualdir
said it was all ok for NTLM and made no mention of Kerberos. (These
logs can be provided if desired.)


What else can we check to see why kerberos isn't being used for the
transaction? I'm requesting that he enable kerberos event logging[2]
on both the client and the server in hopes that it will give some kind
of information, but I'm really not sure. Where else can we look?

Thanks
Jason


[1] As determined by http://support.microsoft.com/kb/215383
[2] http://support.microsoft.com/kb/q262177/

Posted by S. Pidgorny on August 28, 2007, 6:03 am
This is really strange: in my tests with IIS, and according to Microsoft
(http://www.microsoft.com/technet/security/guidance/identitymanagement/scard.mspx),
NTLM isn't available for smart card users. But I suspect something is
incomplete or incorrect in that, because some of the resources configured for
NTLM authentication worked.

You have to go through the entire troubleshooting routine - see
http://support.microsoft.com/kb/326985

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

Posted by Joe Kaplan on August 28, 2007, 10:08 am
Another thing to consider would be protocol transition (Kerberos S4U). That
way, the front end IIS can authenticate the user with any protocol but
delegation can still be used. You have to use constrained delegation with
this feature, but you should really be using that anyway. :)

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Posted by Jason Viers on August 29, 2007, 3:12 pm
S. Pidgorny <MVP> wrote:
> This is really strange: in my tests with IIS, and according to Microsoft
> (http://www.microsoft.com/technet/security/guidance/identitymanagement/scard.mspx),
> NTLM isn't available for smart card users. But I suspect something is
> incomplete or incorrect in that, because some of the resources configured for
> NTLM authentication worked.
>
> You have to go through the entire troubleshooting routine - see
> http://support.microsoft.com/kb/326985


Found the problem. Their host was "machine.foo.bar.baz.quux.com", so it
had default SPNs of "HOST/machine" and
"HOST/machine.foo.bar.baz.quux.com". They were accessing the machine
via "http://machine.baz.quux.com". Using one of the former worked, so
I'm having them register HOST/machine.baz.quux.com.

This doesn't explain how or why they were using NTLM in the first place
though (they confirmed this is all smartcard login with no password
entered anywhere), and I doubt customer has the desire to indulge
curiosity of the oddity. :-/

Thanks once again all!
Jason
