On Jan 19, 2010, at 5:45 PM, Michael McMahon wrote:
Max (Weijun) Wang wrote:
Hi All,
I've just installed a Windows 2008 system with IIS, and find
something confusing:
1. What does "Enable Kernel-mode authentication" mean?
When it's turned on, I can successfully authenticate using NTLM.
When it's off, the three NTLM packets look fine, but the server
does not return 200 OK. In fact, it simply restarts the
authentication process with headers just like the initial response.
It seems to be something to do with the way IIS gets hold of
the authentication credentials
from the OS. There's a brief note on it here:
http://technet.microsoft.com/en-us/library/cc771945.aspx
Don't quite understand the note: "One of the benefits of Negotiable 2
protocol support in IIS is the ability to configure explicit Kerberos
authentication that does not use NTLM if the client does not support
Kerberos". Should the last word be "NTLM"?
I still see the 3 NTLM packets in the request/response headers, so
this NegoEx still understands NTLM. Strange.
2. Kerberos (or SPNEGO) does not work?
I've configured the client to create a SPNEGO initial token and
sent it to the server, the server returns neither OK nor an error
token, again, it simply restarts the authentication process with
headers just like the initial response.
They seem to have introduced a new extension of SPNEGO called
NEGOEX. Is it possible
this mechanism is in use, instead of the old SPNEGO?
Maybe not. The note says NEGOEX is only used in non-kernel-mode auth.
I've just resolved this issue. The system *was* using a
system-generated hostname that looks like WIN-7HBS7S7HSBA; after changing it
to a normal human-friendly name, SPNEGO works for kernel-mode auth.
As for non-kernel-mode auth, since MSDN says that another identity is
running the IIS process and SPNEGO is mutual authentication, I guess
I'll need to find out who this "another identity" is.
Thanks
Max
- Michael
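The symptom discussed in this thread (the three NTLM messages go back and forth, then the server answers with a bare challenge again instead of 200 OK) is easiest to confirm from the raw headers. The following is an added diagnostic example, not code from anyone in the thread: it decodes the base64 token in a Negotiate/NTLM header, tells NTLM Type 1/2/3 apart from SPNEGO and raw Kerberos tokens, and flags a handshake that restarts after the client's Type 3. The trace at the bottom is constructed to mirror the exchange described above; the function names are my own.

```python
import base64

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID_DER = bytes.fromhex("06062b0601050502")        # OID 1.3.6.1.5.5.2
KRB5_OID_DER = bytes.fromhex("06092a864886f712010202")    # OID 1.3.6.1.5.2
NTLM_TYPES = {1: "NTLM Type 1 (Negotiate)", 2: "NTLM Type 2 (Challenge)",
              3: "NTLM Type 3 (Authenticate)"}


def classify_token(b64token):
    """Name the mechanism carried in one WWW-Authenticate / Authorization token."""
    raw = base64.b64decode(b64token)
    if raw.startswith(NTLMSSP_SIGNATURE):
        # Bytes 8..11 hold the NTLM message type as a little-endian integer.
        return NTLM_TYPES.get(int.from_bytes(raw[8:12], "little"), "NTLM (unknown type)")
    if raw[:1] == b"\x60":  # GSS-API InitialContextToken: [APPLICATION 0] + mech OID
        if SPNEGO_OID_DER in raw[:24]:
            return "SPNEGO NegTokenInit"
        if KRB5_OID_DER in raw[:24]:
            return "raw Kerberos AP-REQ"
    if raw[:1] == b"\xa1":  # SPNEGO NegTokenResp is a [1] context tag
        return "SPNEGO NegTokenResp"
    return "unknown token"


def analyze_trace(trace):
    """trace: list of (side, status, header_value); status is None for requests.
    Returns one line per header plus a finding when the handshake restarts."""
    findings, last_client = [], None
    for side, status, value in trace:
        scheme, _, token = value.partition(" ")
        kind = classify_token(token) if token else "bare challenge (handshake start)"
        findings.append(f"{side} {status or '-'} {scheme}: {kind}")
        if side == "client":
            last_client = kind
        elif status == 401 and not token and last_client == NTLM_TYPES[3]:
            # The behaviour reported in the thread with kernel-mode auth off.
            findings.append("server restarted authentication after NTLM Type 3: "
                            "check kernel-mode auth setting / worker-process identity")
    return findings


def _ntlm(msg_type):  # constructed minimal NTLM message: signature, type, zero fields
    return base64.b64encode(NTLMSSP_SIGNATURE + msg_type.to_bytes(4, "little") + b"\x00" * 24).decode()


# Constructed trace mirroring the failing exchange described in the thread.
SAMPLE_TRACE = [
    ("server", 401, "Negotiate"), ("client", None, "NTLM " + _ntlm(1)),
    ("server", 401, "NTLM " + _ntlm(2)), ("client", None, "NTLM " + _ntlm(3)),
    ("server", 401, "Negotiate"),
]
SAMPLE_SPNEGO = base64.b64encode(b"\x60\x0c" + SPNEGO_OID_DER + b"\xa0\x02\x30\x00").decode()
```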