Internet Explorer 11: No fallback to NTLM if KDC is not accessible?

    Question

  • Hi,

    We have laptops in a domain using Kerberos authentication when connected to the LAN. The SharePoint website opens fine.

    While travelling, these users log on using cached credentials.

     - No Kerberos credential is assigned in this session.

     - The SharePoint site will not open (the site is in the Intranet zone).

    In this case users open the site with Firefox (using NTLM).

    Is IE11 configurable in a way to use NTLM if the user logged on to Windows with cached credentials and the KDC is not reachable?

    Thanks

    Markus

    Tuesday, January 28, 2014 5:01 PM

All replies

  • If Kerberos authentication fails with an error, you may find that authentication does not fall back to NTLM at all. It simply fails.

    Could you please share the complete error details?


    Please remember to mark your question as answered and vote helpful if this solves/helps your problem. Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog


    Tuesday, January 28, 2014 5:24 PM
    Moderator
  • Internet Explorer 11 shows an error template (can't display site = "cantDisplayTasks") with some advice: check the web address, search for the site, try again in a few minutes.

    Tuesday, January 28, 2014 5:29 PM
  • I would run a NetMon trace while a fallback is attempted. That should give you more information as to what is going on.

    Trevor Seward


    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Tuesday, January 28, 2014 5:33 PM
    Moderator
  • From the user's perspective, the most convenient settings are:

    1. Add SharePoint to Trusted sites.

    2. Check "use current Windows user and password" for Trusted sites.

    3. Uncheck "Enable Integrated Windows Authentication".

    Effect: NTLM forced, password saved (vault), no security warnings.

    http://blogs.msdn.com/b/ieinternals/archive/2011/07/06/integrated-windows-authentication-kerberos-ntlm-http-400-error-for-16kb-authorization-header.aspx

    Wednesday, January 29, 2014 3:54 PM
  • In this case, what if Kerberos is having the issue? Will you know about that or not?

    Wednesday, January 29, 2014 4:15 PM
    Moderator
  • Kerberos is not working when laptop users out of the office use WLAN. The KDC is not reachable.

    From a security perspective it is not good to always force NTLM. Also, the setting "use current Windows user and password" for Trusted sites is problematic.

    These are only the most convenient settings from the user's perspective.

    This discussion concludes that IE will not fall back to NTLM:

    http://arstechnica.com/civis/viewtopic.php?f=17&t=1172692

    Wednesday, January 29, 2014 4:21 PM
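  A practical way to settle the question of what the browser actually sent, as an added example that is not part of this thread: a PowerShell function that classifies a captured HTTP `Authorization` header (taken, for instance, from a NetMon trace) as raw NTLMSSP, or as a SPNEGO token, and lists which mechanisms a SPNEGO token offers. The sample headers below are constructed inside the script, not captured from a real system; the OID byte encodings are the standard DER encodings for Kerberos, MS-Kerberos, NTLMSSP and SPNEGO.

```powershell
# Added example (not from the thread): classify the mechanism behind an HTTP Authorization header.
# Lets a defender see whether a client offered Kerberos, NTLM inside SPNEGO, or raw NTLM.

# DER encodings of the well-known mechanism OIDs (tag 0x06, length, then the encoded arcs).
$OidKerberos   = [byte[]](0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x12,0x01,0x02,0x02)       # 1.2.840.113554.1.2.2
$OidMsKerberos = [byte[]](0x06,0x09,0x2A,0x86,0x48,0x82,0xF7,0x12,0x01,0x02,0x02)       # 1.2.840.48018.1.2.2
$OidNtlmssp    = [byte[]](0x06,0x0A,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0A)  # 1.3.6.1.4.1.311.2.2.10
$OidSpnego     = [byte[]](0x06,0x06,0x2B,0x06,0x01,0x05,0x05,0x02)                      # 1.3.6.1.5.5.2
$NtlmsspMagic  = [byte[]]([Text.Encoding]::ASCII.GetBytes('NTLMSSP') + 0)               # "NTLMSSP\0"

function Test-BytesContain([byte[]]$Haystack, [byte[]]$Needle) {
    # Naive byte-sequence search; auth tokens are small, so this is adequate.
    for ($i = 0; $i -le $Haystack.Length - $Needle.Length; $i++) {
        $j = 0
        while ($j -lt $Needle.Length -and $Haystack[$i + $j] -eq $Needle[$j]) { $j++ }
        if ($j -eq $Needle.Length) { return $true }
    }
    return $false
}

function Test-BytesStartWith([byte[]]$Data, [byte[]]$Prefix) {
    if ($Data.Length -lt $Prefix.Length) { return $false }
    return Test-BytesContain -Haystack $Data[0..($Prefix.Length - 1)] -Needle $Prefix
}

function Get-AuthMechanism {
    param([Parameter(Mandatory)][string]$AuthorizationHeader)

    $parts  = $AuthorizationHeader.Trim() -split '\s+', 2
    $scheme = $parts[0]
    if ($parts.Count -lt 2 -or [string]::IsNullOrWhiteSpace($parts[1])) { return "$scheme (no token)" }
    try   { [byte[]]$token = [Convert]::FromBase64String($parts[1]) }
    catch { return "$scheme (token is not valid Base64)" }

    if (Test-BytesStartWith $token $NtlmsspMagic) {
        # Windows clients send bare NTLMSSP (even under the Negotiate scheme) when no ticket is available.
        return "$scheme (raw NTLMSSP: pure NTLM, no Kerberos attempted)"
    }
    if ($token[0] -eq 0x60 -and (Test-BytesContain $token $OidSpnego)) {
        $mechs = @()
        if ((Test-BytesContain $token $OidKerberos) -or (Test-BytesContain $token $OidMsKerberos)) { $mechs += 'Kerberos' }
        if (Test-BytesContain $token $OidNtlmssp) { $mechs += 'NTLMSSP' }
        if ($mechs.Count -eq 0) { $mechs += 'unknown' }
        return "$scheme (SPNEGO, mechanisms offered: $($mechs -join ', '))"
    }
    return "$scheme (unrecognised token format)"
}

# Constructed sample tokens (not captured from a real system).
# 1. NTLM NEGOTIATE_MESSAGE (Type 1): signature, message type 1, negotiate flags.
$ntlmType1 = [byte[]]($NtlmsspMagic + [byte[]](0x01,0x00,0x00,0x00, 0x07,0x82,0x08,0xA2))

# 2. Minimal SPNEGO NegTokenInit offering MS-Kerberos, Kerberos and NTLMSSP (mechToken omitted):
#    [APPLICATION 0] { SPNEGO OID, [0] NegTokenInit { [0] mechTypes SEQUENCE OF OID } }
$mechList  = $OidMsKerberos + $OidKerberos + $OidNtlmssp           # 34 bytes
$mechTypes = [byte[]](0x30, $mechList.Length) + $mechList          # SEQUENCE, 36 bytes
$ctx0      = [byte[]](0xA0, $mechTypes.Length) + $mechTypes        # [0], 38 bytes
$negInit   = [byte[]](0x30, $ctx0.Length) + $ctx0                  # SEQUENCE, 40 bytes
$negWrap   = [byte[]](0xA0, $negInit.Length) + $negInit            # [0], 42 bytes
$inner     = $OidSpnego + $negWrap                                 # 50 bytes
$spnego    = [byte[]]([byte[]](0x60, $inner.Length) + $inner)      # 52 bytes

$samples = @(
    "NTLM $([Convert]::ToBase64String($ntlmType1))"
    "Negotiate $([Convert]::ToBase64String($ntlmType1))"
    "Negotiate $([Convert]::ToBase64String($spnego))"
    "Negotiate"
)
foreach ($h in $samples) { "{0}`n  -> {1}" -f $h, (Get-AuthMechanism $h) }
```

  Reading the result against this thread: a header that comes back as "raw NTLMSSP" under the Negotiate scheme shows the client never tried Kerberos at all, while a SPNEGO token listing both Kerberos and NTLMSSP shows a client that offered to fall back; a trace containing only the former, followed by the error page, is what the OP's description implies.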
  • We advise users to disable "Integrated Windows Authentication", which forces IE 11 to use NTLM and not try Negotiate. (The SP site should stay in the Intranet zone anyway.)

    IE 11 then uses the Windows session credentials from the earlier domain logon, not saved credentials from the Password Vault.

    If the users open documents in Office 2010, there will be another login prompt where they can save credentials, which go to the Password Vault.

    Conclusion:

    Office 2010 does not use the setting "EnableNegotiate=0".

    Instead, Office 2010 still uses Negotiate and does fall back to NTLM, which IE 11 doesn't do.

    IE 11 then authenticates to the site with the current login credentials and Office 2010 with saved ones from the Vault.

    Thursday, February 6, 2014 2:41 PM
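  To check what a given laptop actually ended up with, covering the settings from the post of 29 January (Trusted sites mapping, the Trusted sites logon option) and the `EnableNegotiate=0` value named in the post above (the registry form of the "Enable Integrated Windows Authentication" checkbox), here is an added PowerShell audit script. It is not from this thread; the site host name is a placeholder, and the registry paths are the standard per-user Internet Settings keys. It only reads the registry and flags the trade-offs the thread discusses.

```powershell
# Added example (not from the thread): report the IE 11 authentication settings discussed above
# for the current user and flag the security trade-offs they imply. Read-only.
$BaseKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Zone numbers used by the ZoneMap.
$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# Meaning of a zone's 1A00 ("Logon") value.
$LogonModes = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null instead of throwing when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-IeAuthPosture {
    param(
        [Parameter(Mandatory)][string]$SiteHost,   # placeholder, e.g. 'sharepoint.corp.example'
        [string]$Scheme = 'https'
    )

    # 1. "Enable Integrated Windows Authentication" checkbox = EnableNegotiate (1 is the default).
    $enableNegotiate = Get-RegValue $BaseKey 'EnableNegotiate'
    if ($null -eq $enableNegotiate) { $enableNegotiate = 1 }

    # 2. Zone the site is mapped to. Only the flat Domains\<host> entry is read;
    #    nested domain\subdomain keys are not walked in this example.
    $zone = Get-RegValue "$BaseKey\ZoneMap\Domains\$SiteHost" $Scheme
    if ($null -eq $zone) { $zone = Get-RegValue "$BaseKey\ZoneMap\Domains\$SiteHost" '*' }
    $zoneText = if ($null -eq $zone) { 'not explicitly mapped' } else { "$zone ($($ZoneNames[[int]$zone]))" }

    # 3. Logon setting of the Trusted sites zone (zone 2).
    $logon = Get-RegValue "$BaseKey\Zones\2" '1A00'
    $logonText = if ($null -eq $logon) { 'not set (zone default)' } else { $LogonModes[[int]$logon] }
    if ([string]::IsNullOrEmpty($logonText)) { $logonText = "unknown value $logon" }

    $findings = @()
    if ($enableNegotiate -eq 0) {
        $findings += 'IWA disabled: IE sends only NTLM and never attempts Negotiate/Kerberos, even on the LAN.'
    }
    if ($zone -eq 2 -and $logon -eq 0) {
        $findings += 'Site is in Trusted sites with automatic logon: session credentials are sent (NTLM) to every site mapped to that zone without a prompt.'
    }
    if ($findings.Count -eq 0) { $findings += 'No forced-NTLM settings found for this user.' }

    [pscustomobject]@{
        SiteHost        = $SiteHost
        EnableNegotiate = $enableNegotiate
        SiteZone        = $zoneText
        TrustedLogon    = $logonText
        Findings        = $findings
    }
}

Get-IeAuthPosture -SiteHost 'sharepoint.corp.example' | Format-List
```

  Two caveats when reading the output: values pushed by Group Policy live under `HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings` and take precedence over the per-user keys read here, and if the policy "Security Zones: Use only machine settings" is enabled the effective zone data lives under HKLM instead. Extend the paths accordingly before relying on the report for a managed fleet.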
  • IWA is exactly that, Kerberos or NTLM. But using NTLM is a security risk as well as being less performant, so it is always better to fix the issue with Kerberos, if at all possible (and yes, I know it isn't available over the Internet, but there are other solutions there such as using the Web Application Proxy role on 2012 R2 to mediate connections).

    Trevor Seward


    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Thursday, February 6, 2014 11:35 PM
    Moderator