Kerberos - Client not requesting tickets

  • Question

  • I'm trying to get my head around Kerberos authentication to troubleshoot some issues I'm having.  I've read several articles but haven't found anything useful.  As I understand, if IIS is configured for Negotiate,NTLM and a supported client (e.g. IE 6) tries to authenticate, it will try Negotiate to find the KDC first, if it can't then it uses NTLM.

    Inside the firewall, this seems to work fine.  I use NetMon to view the Kerberos traffic and all the SPNs and delegation are set up correctly.  I don't get any Kerberos errors and everything connects well, even multiple hops.

    My issue is outside the firewall, from home, through VPN.  When I establish a VPN connection and connect to the IIS server, all traffic on the server side is using NTLM.  So I used Netmon on the client side and no Kerberos traffic at all.  Not even the initial Authentication request to the KDC.  The only authentication traffic I see is HTTP.  IE is set for Windows Authentication.  When I take this same laptop into work and attach to the LAN, everything works as expected.

    So, my confusion is what is stopping IE from contacting the KDC and requesting a ticket?  If I understand this right, HTTP authenticates with IIS (which is only set for Windows Authentication, and providers are set for Negotiate,NTLM) and the browser prompts for my credentials.  After typing my credentials, IIS passes back a header for WWW-Negotiate, which indicates to IE that it should try to search for the KDC to get a TGS ticket.  This would be the AS request I would see in NetMon.  However, I don't see that initial request.  I know IIS is sending the right header, because it works within the firewall.  So is IE not receiving this header?  I would think IE, once receiving this header, would at least try the initial AS request to the KDC, and perhaps fail because of the VPN, etc.  but why isn't IE sending this request at all?

    I tried forcing Kerberos to use TCP by setting a registry entry found in a KB article.  I did this on my client PC (article didn't specify which computer it should be applied on).  I rebooted.  That didn't make any difference.

    So, to summarize, even when I am at work, everything works.  When I fire up my VPN, the Kerberos ticket from the client doesn't get created, so NTLM is used instead.

    Sunday, October 4, 2009 4:45 AM
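The poster's observation that "all traffic on the server side is using NTLM" can be confirmed directly from the captured HTTP Authorization headers, without waiting for a KDC exchange that may never happen. NTLM can arrive two ways: as the raw `NTLM` scheme, or wrapped in SPNEGO under the `Negotiate` scheme (which is what the IIS provider list `Negotiate,NTLM` allows). In a SPNEGO NegTokenInit the first OID in the mechTypes list names the mechanism the optimistic mechToken belongs to, so checking whether that OID is Kerberos or NTLMSSP tells you which path the client actually took. The following is an added example written for this page, not code from the original post or from any Microsoft tool; the DER helper, the sample NTLMSSP and Kerberos blobs, and the header strings are constructed here for illustration (the Kerberos AP-REQ body is a placeholder, since classification stops at the OIDs).

```python
import base64
import binascii
import re
from collections import Counter

# DER-encoded OIDs (tag 0x06, length, contents) as they appear inside GSS-API/SPNEGO tokens.
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_MAGIC = b"NTLMSSP\x00"                           # signature at the start of every NTLM message

HEADER_RE = re.compile(r"^\s*(Negotiate|NTLM)\s+([A-Za-z0-9+/=]+)\s*$", re.IGNORECASE)


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short or long form length). Used only to build sample tokens."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _read_tlv(buf: bytes, pos: int):
    """Parse the TLV header at pos; return (tag, content_start, content_end)."""
    tag = buf[pos]
    pos += 1
    n = buf[pos]
    pos += 1
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, pos, pos + n


def classify_authorization(header: str) -> str:
    """Return 'kerberos', 'ntlm', 'unknown' or 'none' for one HTTP Authorization header value."""
    m = HEADER_RE.match(header)
    if not m:
        return "none"  # Basic, Digest, or not an auth header we care about
    try:
        token = base64.b64decode(m.group(2), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    if token.startswith(NTLMSSP_MAGIC):
        return "ntlm"  # raw NTLMSSP message, with either the NTLM or the Negotiate scheme
    if not token or token[0] != 0x60:
        return "unknown"  # not a GSS-API InitialContextToken
    _, start, end = _read_tlv(token, 0)
    tag, _, oid_end = _read_tlv(token, start)
    if tag != 0x06:
        return "unknown"
    mech_oid = token[start:oid_end]
    if mech_oid in (OID_KRB5, OID_MS_KRB5):
        return "kerberos"  # Kerberos AP-REQ sent directly, without SPNEGO
    if mech_oid != OID_SPNEGO:
        return "unknown"
    # SPNEGO: the first OID in mechTypes is the mechanism the mechToken belongs to.
    inner = token[oid_end:end]
    hits = [(inner.find(oid), name) for name, oid in
            (("kerberos", OID_KRB5), ("kerberos", OID_MS_KRB5), ("ntlm", OID_NTLMSSP))]
    hits = [h for h in hits if h[0] >= 0]
    if hits:
        return min(hits)[1]
    return "ntlm" if NTLMSSP_MAGIC in inner else "unknown"


def summarize(headers) -> dict:
    """Count mechanisms over a set of captured Authorization header values."""
    return dict(Counter(classify_authorization(h) for h in headers))


# --- constructed sample tokens (not captured traffic) ---
def spnego_init(mech_types, mech_token: bytes) -> bytes:
    """Build a minimal SPNEGO NegTokenInit: mechTypes list plus an optimistic mechToken."""
    mech_list = der(0xA0, der(0x30, b"".join(mech_types)))
    tok = der(0xA2, der(0x04, mech_token))
    return der(0x60, OID_SPNEGO + der(0xA0, der(0x30, mech_list + tok)))


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


NTLM_TYPE1 = NTLMSSP_MAGIC + (1).to_bytes(4, "little") + bytes.fromhex("078208a2") + b"\x00" * 16
KRB_TOKEN = der(0x60, OID_KRB5 + b"\x01\x00" + der(0x6E, b""))  # placeholder AP-REQ body

SAMPLE_HEADERS = {
    "ntlm_raw": "NTLM " + _b64(NTLM_TYPE1),
    "negotiate_ntlm": "Negotiate " + _b64(spnego_init([OID_NTLMSSP], NTLM_TYPE1)),
    "negotiate_krb": "Negotiate " + _b64(spnego_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], KRB_TOKEN)),
    "basic": "Basic dXNlcjpwYXNz",
}

if __name__ == "__main__":
    for name, hdr in SAMPLE_HEADERS.items():
        print(f"{name:15} -> {classify_authorization(hdr)}")
    print(summarize(SAMPLE_HEADERS.values()))
```

Point the classifier at the Authorization header values pulled from a NetMon or Fiddler capture taken over the VPN: a `Negotiate` header that classifies as `ntlm` means the client chose NTLM before ever asking the KDC for a ticket, which matches the absence of AS-REQ traffic described above, whereas a `kerberos` result with no preceding KDC traffic would mean a cached ticket was reused.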