IIS and Kerberos. Part 3 - A simple scenario

IIS and Kerberos. Part 4 - A simple delegation scenario

Ken Schaefer — Sun, 28 Jan 2007 06:04:26 GMT

Delegation is a feature of Kerberos authentication that allows a server to obtain a Kerberos ticket on

re: IIS and Kerberos. Part 3 - A simple scenario

ralph emerson — Wed, 25 Apr 2007 08:43:56 GMT

I actually managed to find your articles on Friday afternoon and they

explained everything to me quite nicely. Thank you

IIS and Kerberos Part 5 - Procotol Transition, Constrained Delegation, S4U2S and S4U2P

Ken Schaefer — Thu, 19 Jul 2007 12:55:43 GMT

Protocol Transition is a new feature in Windows Server 2003. The Kerberos implementation in Windows Active

re: IIS and Kerberos. Part 3 - A simple scenario

Kedar — Wed, 25 Jul 2007 14:57:27 GMT

This post overall is pretty good, but I'd like to point out a minor correction that's led to confusion in the past. Internet Explorer does not support the "WWW-Authenticate: Kerberos" header. It does support "WWW-Authenticate: Negotiate". The setting "Enable Integrated Windows Authentication" controls whether IE responds to the Negotiate headeror not. This is particularly important because of one shortcoming of IE's authentication. Since the Negotiate SSPI supports both Kerberos and NTLM, IE has the choice when presented with the Negotiate header of which authentication protocol to use. If you've set up your server and client correctly to enable Kerberos auth, it will use Kerberos over Negotiate; if you haven't, you'll get NTLM over Negotiate. The shortcoming is that there's no mechanism to restrict the Negotiate package to use only Kerberos, never NTLM.

re: IIS and Kerberos. Part 3 - A simple scenario

Ken — Thu, 26 Jul 2007 03:44:49 GMT

Hi Kedar,

Thanks for your comments. I only included the WWW-Authenticate: Kerberos header because ISA Server 2006 returns this header (from memory - I will need to verify this). Perhaps there are other browsers out in the world other than IE that support such a header? :-)

re: IIS and Kerberos. Part 3 - A simple scenario

Kedar — Thu, 26 Jul 2007 06:34:31 GMT

Certainly there may be other browsers that support the actual Kerberos header (I don't know any offhand, but at least theoretically they could). I see that you've modified the post not to mention IE specifically with it. Thanks. I got asked a question about this at work that referenced this blog post, so I thought I'd comment here. If my memory serves, ISA server doesn't do WWW-Authenticate: Kerberos, but instead Proxy-Authenticate: Kerberos. Furthermore, again if I remember correctly, that header is used for authentication between two proxies (not between a client and the proxy).

re: IIS and Kerberos. Part 3 - A simple scenario

Ken — Wed, 01 Aug 2007 07:17:21 GMT

Hi Kedar,

I didn't modify my blog post - all I did was respond to your comment. Not sure what you think I may have been doing here :-) If I modify a post (other than spelling mistakes) I put some "Edit:" text in as a change log.

In terms of ISA Server 2006, I have a packet capture here that shows it is definately sending back a WWW-Authenticate: Kerberos header.

The three WWW-Authenticate headers that it is sending back in this packet capture are (in order):

WWW-Authenticate: Negotiate/r/n

WWW-Authenticate: Kerberos/r/n

WWW-Authenticate: NTLM/r/n

I am happy to send your the .cap file if you can send me your contact details. Use the Email link up the top of the page to send me your preferred contact address.

Cheers

Ken

More from that 3 headed dog we know and love - Kerberos « Jeftek’s Weblog

More from that 3 headed dog we know and love - Kerberos « Jeftek’s Weblog — Thu, 31 Jan 2008 06:25:39 GMT

PingBack from http://jeftek.wordpress.com/2007/09/06/more-from-that-3-headed-dog-we-know-and-love-kerberos/

Kerberos przyjacielem mym

.neting in the free world — Fri, 11 Jul 2008 12:49:47 GMT

Coraz częściej w pracy stykam się z koniecznością ustawienia autentykacji poprzez protokół Kerberos ,

Kerberos przyjacielem twym

.neting in the free world — Fri, 11 Jul 2008 13:21:31 GMT

Coraz częściej w pracy stykam się z koniecznością ustawienia autentykacji poprzez protokół Kerberos ,

IIS, Kerberos and anonymous login error | keyongtech

IIS, Kerberos and anonymous login error | keyongtech — Thu, 22 Jan 2009 06:12:57 GMT

PingBack from http://www.keyongtech.com/4369361-iis-kerberos-and-anonymous-login

IIS and Kerberos Part 9 - Cross Forest Delegation scenario with UPN suffix routing

Ken Schaefer — Thu, 26 Feb 2009 12:24:35 GMT

As an extension of the previous article on Cross Forest (or Cross Domain) Kerberos Authentication this

Vidar's Musings ?? The mother lode for IIS, Kerberos and IWA information

Vidar's Musings ?? The mother lode for IIS, Kerberos and IWA information — Fri, 06 Mar 2009 09:54:48 GMT

PingBack from http://www.kongsli.net/nblog/2009/03/06/the-mother-lode-for-iis-kerberos-and-iwa-information/

Constrained Kerberos Delegation & BlueCoat ProxySG « Dvas0004's Blog

Constrained Kerberos Delegation & BlueCoat ProxySG « Dvas0004's Blog — Thu, 22 Jul 2010 07:37:43 GMT

PingBack from http://dvas0004.wordpress.com/2010/07/22/constrained-kerberos-delegation-bluecoat-proxysg-2/