Subject: RE: [ActiveDir] IE refuses to do Kerberos for one particular user / workstation / web server combo
ken

09/24/2008 2:40 PM  
I would try doing this first (recreate profile)

Then, I would get a packet capture from the client whilst the user attempts to auth to the webserver.

Then we can see whether (a) IIS is offering Negotiate (b) the client attempts to get a service ticket (c) the DC returns a service ticket and (d) the client attempts to send the service ticket.

Depending on whether the process breaks at (a), (b), (c) or (d) then we can troubleshoot further.

Cheers
Ken

> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Michael B. Smith
> Sent: Wednesday, 24 September 2008 8:19 AM
> To: ActiveDir@mail.activedir.org; activedir@activedir.org
> Subject: RE: [ActiveDir] IE refuses to do Kerberos for one particular user /
> workstation / web server combo
>
> Quick guess - have you tried recreating the user's profile on the
> workstation?
>
> Regards,
>
> Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
> My blog: http://TheEssentialExchange.com/blogs/michael
> Link with me at: http://www.linkedin.com/in/theessentialexchange
>
>
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Michael B Allen
> Sent: Tuesday, September 23, 2008 5:14 PM
> To: activedir@activedir.org
> Subject: [ActiveDir] IE refuses to do Kerberos for one particular user /
> workstation / web server combo
>
> We have a web server product that depends on IE doing Kerberos and
> not NTLM. Every once in a very great while we find a customer with one
> account / machine / web server combination that simply refuses to do
> Kerberos and insists on doing NTLM instead.
>
> There are a few facts about my latest issue that quickly narrow down
> the possibilities:
>
> 1) Kerberos works using wfetch on the errant workstation with the
> credentials of the errant account. This rules out the server side and
> the client's ability to acquire a ticket through the LSA.
>
> 2) Kerberos works if the same user on the same workstation under the
> same session accesses another web server running the same product /
> configuration. Meaning the problem is specific to a particular web
> server that seems to differ only in hostname.
>
> 3) Kerberos works if the errant user logs onto a different
> workstation. Meaning the problem is specific to a particular workstation.
>
> 4) Kerberos works with all servers on all workstations for everyone
> else. Meaning the problem is specific to a particular user.
>
> 5) Rebooting the client or purging tickets with kerbtray has no effect.
>
> This points to browser settings but the customer is quite certain about
> the following:
>
> o IE > Tools > Internet Options > Security > Local intranet has the
> errant target 'http://server.domain.local'.
>
> o IE > Tools > Internet Options > Advanced > "Enabled Integrated Windows
> Authentication" is ON.
>
> o There are no passwords saved in Control Panel > User Accounts >
> Advanced > Manage Passwords.
>
> So, I'm stumped.
>
> Has anyone ever encountered something like this?
>
> Could some local settings be corrupted such that the 'Local intranet'
> zone setting is being ignored?
>
> Does anyone know of any obscure policy or security setting somewhere
> that could break Kerberos with a certain host?
>
> Is there some kind of GPO that can quietly override the setting in
> the browser?
>
> Does anyone know of a way to debug this further? Can I isolate a
> particular subsystem responsible?
>
> Does anyone know if the XP credential cache bugs described in KB885887
> or KB906524 still exist?
>
> Mike

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
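Ken's checklist (a) to (d) above is usually worked by reading the HTTP headers out of the capture by hand. As an added example, not code posted by anyone in this thread, the Python below does the header-side parts of that check: it lists the schemes a 401 response advertises (step a) and decodes the client's `Authorization` header far enough to say whether the token is a real Kerberos AP-REQ, an SPNEGO wrapper whose preferred mechanism is Kerberos, or NTLM wrapped in Negotiate, which is exactly the silent fallback Mike describes (steps b and d). The mechanism OIDs are the public SPNEGO, Kerberos V5, MS Kerberos V5 and NTLMSSP constants; the 401 response and the three client headers are constructed sample data, not taken from any customer capture.

```python
"""Triage helpers for an IE <-> IIS Integrated Windows Authentication
exchange, working from header values copied out of a packet capture.
Added example for this thread; not code posted by any participant."""
import base64

# DER-encoded GSS-API mechanism OIDs (public constants from RFC 4178,
# RFC 1964 and MS-SPNG).
SPNEGO = bytes.fromhex("2b0601050502")                # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")            # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("2a864882f712010202")         # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {KRB5: "Kerberos V5", MS_KRB5: "MS Kerberos V5", NTLMSSP_OID: "NTLMSSP"}


def _tlv(buf, pos=0):
    """Read one DER TLV at pos and return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _der(tag, payload):
    """Encode one DER TLV (used only to build the constructed samples below)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def offered_schemes(raw_401):
    """Step (a): the auth schemes advertised in the server's 401 response."""
    schemes = []
    for line in raw_401.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            schemes.append(value.strip().split(" ", 1)[0])
    return schemes


def classify_authorization(header_value):
    """Steps (b)/(d): what the client's Authorization header really carries.

    Returns (verdict, mech_list): verdict is "Kerberos", "NTLM via SPNEGO",
    "NTLM" (raw NTLMSSP, Kerberos never attempted) or "unknown"; mech_list
    is the SPNEGO mechTypes in the client's preference order.
    """
    scheme, _, b64 = header_value.partition(" ")
    token = base64.b64decode(b64)
    if scheme.lower() == "ntlm" or token.startswith(b"NTLMSSP\x00"):
        return "NTLM", []
    if scheme.lower() != "negotiate" or not token or token[0] != 0x60:
        return "unknown", []
    _, body, _ = _tlv(token)                # InitialContextToken: OID + inner token
    oid_tag, oid, pos = _tlv(body)
    if oid_tag != 0x06:
        return "unknown", []
    if oid in (KRB5, MS_KRB5):              # bare Kerberos AP-REQ, no SPNEGO wrapper
        return "Kerberos", [MECH_NAMES[oid]]
    if oid != SPNEGO:
        return "unknown", []
    # NegTokenInit ::= [0] SEQUENCE { [0] mechTypes SEQUENCE OF OID, ..., mechToken }
    ctx_tag, neg_init, _ = _tlv(body, pos)
    if ctx_tag != 0xA0:
        return "unknown", []                # a client's first token should be NegTokenInit
    _, fields, _ = _tlv(neg_init)
    f_tag, mech_types, _ = _tlv(fields)
    if f_tag != 0xA0:
        return "unknown", []
    _, oid_list, _ = _tlv(mech_types)
    mechs, p = [], 0
    while p < len(oid_list):
        _, mech, p = _tlv(oid_list, p)
        mechs.append(MECH_NAMES.get(mech, mech.hex()))
    # The optimistic mechToken belongs to the first listed mechanism, so that
    # entry says what the client actually tried.
    if mechs and mechs[0].endswith("Kerberos V5"):
        return "Kerberos", mechs
    if mechs and mechs[0] == "NTLMSSP":
        return "NTLM via SPNEGO", mechs
    return "unknown", mechs


def build_negotiate_header(mech_oids, mech_token):
    """Constructed sample client header: a NegTokenInit listing mech_oids
    (the first one owns mech_token).  Sample data only, not a real capture."""
    mech_types = _der(0xA0, _der(0x30, b"".join(_der(0x06, o) for o in mech_oids)))
    neg_init = _der(0xA0, _der(0x30, mech_types + _der(0xA2, _der(0x04, mech_token))))
    gss = _der(0x60, _der(0x06, SPNEGO) + neg_init)
    return "Negotiate " + base64.b64encode(gss).decode()


# Constructed samples standing in for lines copied out of a capture.
SAMPLE_401 = ("HTTP/1.1 401 Unauthorized\r\n"
              "WWW-Authenticate: Negotiate\r\n"
              "WWW-Authenticate: NTLM\r\n"
              "Content-Length: 0\r\n\r\n")
KERB_HEADER = build_negotiate_header([MS_KRB5, KRB5, NTLMSSP_OID],
                                     b"constructed-AP-REQ-placeholder")
NTLM_IN_SPNEGO_HEADER = build_negotiate_header([NTLMSSP_OID],
                                               b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(28))
RAW_NTLM_HEADER = "NTLM " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(28)).decode()

if __name__ == "__main__":
    print("server offers:", offered_schemes(SAMPLE_401))
    for h in (KERB_HEADER, NTLM_IN_SPNEGO_HEADER, RAW_NTLM_HEADER):
        print(classify_authorization(h))
```

If the 401 lists `Negotiate` but the client's first `Authorization` header comes back as "NTLM via SPNEGO", the break is on the client side between (a) and (b), which matches Mike's symptoms and points at zone or policy settings rather than at IIS. Step (c), whether the DC actually returned a service ticket, lives in the KRB_TGS_REQ/REP exchange on port 88 and is read from the Kerberos traffic in the same capture, not from the HTTP headers this helper parses.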