S
Wed Jun 25 02:12:55 PDT 2008
Not enough information. 401 what? What is in the Web server logs and
application/security logs on each server? There must be related entries, or
at least authentication entries in the security log.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
http://sl.mvps.org
http://msmvps.com/blogs/sp
"jc" <jc@discussions.microsoft.com> wrote in message
news:81AAFB02-2D64-458E-BC6E-3D8F8BCB7B3C@microsoft.com...
> Has anyone found a solution to this for IE7? I am having the same issue.
> For IE6, authentication works. The Windows authentication is passed from
> Client, to WebServer (server1) and then from Web Server to Report server
> (Reporting Services, server2) and reports load. When trying this in IE7,
> it doesn't work (401 error). Configuration: Client: IE7, IIS: running on
> Windows 2K SP4 using Integrated Windows Authentication only. Report Server
> also uses Integrated Windows Authentication. WebServer (IIS) is on server1
> and Reporting Server is on server2. Using ASP.Net 2.0 on Webserver. Active
> Directory and Web Server are configured correctly using Kerberos and the
> SPN has been set up. Works fine when calling ASP page on IIS in IE6;
> however, same user using IE7, it doesn't work. Trying to isolate if it is
> actually an IE issue or some other security update that gets installed as
> part of IE7. In both cases, both the IE6 and IE7 machines are updated
> through XP SP3.
>
>
> "filip" wrote:
>
>> IE is properly configured, by steps stated below.
>> I have set up an SPN as follows (my web server is on a machine named
>> "server1", and the URL to access it is "server1.mydomain.com"),
>> so I set up the SPN as follows (on my server running the Kerberos service
>> named "exchangeServer1", in my case a win2003 R2 server which is an
>> Exchange as well as DC):
>>
>> setspn -A HTTP/srver1.mydomain.com server1
>>
>> I have krbtray on the machine doing the request with IE7, and on my
>> server; after requesting the page, no ticket is issued, as I see no
>> ticket for HTTP/server1.
>> Also, from the request header Authorization I get NTLM, not KERBEROS.
>> Looked at logs on the server; I couldn't find, and don't know where to
>> find, a log where it says that it falls back to NTLM for any reason.
>>
>>
>>
>> "Joseph T Corey" <jcorey@andrew.cmu.edu> wrote in message
>> news:CF17988C-CA5D-4C3B-B6D1-F834FC0395AA@microsoft.com...
>> > First, download Kerbtray and have it running when you login to this
>> > website. If you neglect to see a HTTP/hostname (where hostname is your
>> > web site address) under the list of tickets, then you know you aren't
>> > using Kerberos.
>> >
>> > If IE and IIS are configured properly to do Kerberos, then the problem
>> > is probably SPN related. Make sure you have a valid HTTP SPN registered
>> > for the account running the IIS application pool. If the application
>> > pool is running as Network Service (which is the default configuration),
>> > then the SPN will need to be set on the computer account.
>> >
>> > To add an SPN, use the setspn tool. Something like: "setspn -a
>> > http/hostname computer" where hostname is the web address and computer
>> > is the computer account name in AD. Here are some useful links:
>> >
>> > http://technet2.microsoft.com/WindowsServer/en/library/b3a029a1-7ff0-4f6f-87d2-f2e70294a5761033.mspx
>> >
>> > http://support.microsoft.com/kb/326985
>> > --
>> > Joseph T. Corey MCSE, Security+
>> > Systems Administrator
>> > jcorey@cmu.edu
>> >
>> >
>> > "filip" <fmatosic@@inet.hr> wrote in message
>> > news:unDoVMvrIHA.4492@TK2MSFTNGP02.phx.gbl...
>> >> Is there a reason that IE (IE7) would send NTLM instead of KERBEROS
>> >> after setting IE as follows?
>> >> Is there something else I have to look for?
>> >>
>> >> 1. put the requesting site in IE to local-network
>> >> 2. in the IE extended security option enable Integrated Windows
>> >>    Authentication
>> >>
>> >>
>> >> To configure Intranet Authentication:
>> >> 1. Click the Security tab, click Local intranet, and then click Custom
>> >>    Level.
>> >> 2. In the Security Settings dialog box, scroll down to the User
>> >>    Authentication section of the list.
>> >> 3. Select Automatic logon only in Intranet zone. This setting prevents
>> >>    users from having to re-enter logon credentials; a key piece to this
>> >>    solution.
>> >> 4. Click OK to close the Security Settings dialog box.
>> >>
>> >>
>> >> In addition to the previous settings, one additional setting is
>> >> required if you are running Internet Explorer 6.0.
>> >> 1. In Internet Explorer, click Tools, and then click Internet Options.
>> >> 2. Click the Advanced tab.
>> >> 3. Scroll down to the Security section.
>> >> 4. Make sure that Enable Integrated Windows Authentication (requires
>> >>    restart) is checked, and then click OK.
>> >> 5. If this box was not checked, restart the browser.
>> >>
>> >>
>> >
>>
>>
>>
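
Added example, not part of the original thread: filip reports seeing NTLM rather than Kerberos in the Authorization request header. This Python sketch decodes such a header value and reports which mechanism the token carries; the function names and sample tokens are constructed for illustration, and the first-OID check is a heuristic rather than a full DER parse.

```python
import base64
import struct

# DER-encoded mechanism OIDs (tag 0x06, length, value) seen in GSS-API tokens.
MECHS = [
    (bytes.fromhex("06092a864886f712010202"), "kerberos"),          # 1.2.840.113554.1.2.2
    (bytes.fromhex("06092a864882f712010202"), "kerberos"),          # 1.2.840.48018.1.2.2 (MS)
    (bytes.fromhex("060a2b06010401823702020a"), "ntlm-in-spnego"),  # 1.3.6.1.4.1.311.2.2.10
]

def classify_authorization(header_value):
    """Label the mechanism carried by an Authorization request header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "not-integrated-auth"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    # Raw NTLMSSP message: 8-byte signature, then a little-endian message type.
    if token.startswith(b"NTLMSSP\x00") and len(token) >= 12:
        return "ntlm-type%d" % struct.unpack_from("<I", token, 8)[0]
    # GSS-API initial context tokens start with the [APPLICATION 0] tag 0x60.
    if token[:1] != b"\x60":
        return "unknown"
    # Heuristic: the mechanism whose OID appears first is the preferred one.
    hits = sorted((token.find(oid), name) for oid, name in MECHS if oid in token)
    return hits[0][1] if hits else "unknown"

def make_header(scheme, raw):
    """Build a header value from raw token bytes (helper for the samples)."""
    return scheme + " " + base64.b64encode(raw).decode("ascii")

# Constructed sample tokens (truncated, not captured from a real session).
SAMPLE_NTLM = make_header("Negotiate", b"NTLMSSP\x00" + struct.pack("<II", 1, 0xA2088207))
SAMPLE_KRB = make_header("Negotiate", b"\x60\x82\x05\x00"
                         + bytes.fromhex("06062b0601050502")  # SPNEGO OID
                         + b"\xa0\x82\x04\xf0\x30\x82\x04\xec\xa0\x24\x30\x22"
                         + MECHS[1][0] + MECHS[0][0] + MECHS[2][0])

if __name__ == "__main__":
    for label, hdr in (("fallback", SAMPLE_NTLM), ("kerberos", SAMPLE_KRB)):
        print(label, "->", classify_authorization(hdr))
```

A result of "ntlm-type1" under the Negotiate scheme means the client did not obtain a service ticket and fell back to NTLM, which is the symptom described in the thread.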