All Forums  HALP! Questions on Windows and Windows Server  Internet Information Server  Kerberos ticket

Note: You must be registered in order to post a reply.
To register, click here. Registration is FREE!

Screensize: 640 x 480 800 x 600 1024 x 768 1280 x 1024 UserName: Password: Format Mode: Basic  Help  Prompt  Format: Font Andale Mono Arial Arial Black Book Antiqua Century Gothic Comic Sans MS Courier New Georgia Impact Lucida Console Script MT Bold Stencil Tahoma Times New Roman Trebuchet MS Verdana   Size 1 2 3 4 5 6   Color Black Red Yellow Pink Green Orange Purple Blue Beige Brown Teal Navy Maroon LimeGreen Message: * HTML is OFF * Forum Code is ON Smilies [quote][i]Originally posted by dynek[/i] [br]Hello guys, I developed a web application that uses impersonation to query the AD and connect to SMS/SCCM. This application works fine on the server A on which it is currently hosted but we need to move it to a big infrastructure (server B). When I say it works fine I mean impersonation works, wireshark shows that a Kerberos ticket is negociated and klist displays it as well. Server A is trusted for delegation in AD so no SPN was required. Now on the second server (server B) the web app is throwing errors because impersonation doesn't work. The server is [b]not[/b] trusted for delegation in AD, the IIS App pool and website have been configured exactly the same as on server A (maybe there is an issue with NTAuthenticationProviders) but I don't see any Kerberos ticket negotiation. On server B we set an SPN on a CNAME (the one of the website). After having seen Mark's Cracking Open Kerberos video, I understand it will not work. There is an SPN for both the hostname of the server and the FQDN though. That should help. [b][edit1] The website's authenticated access on server A and B is only set to Integrated Windows authentication. [/edit1][/b] [b][edit2] Using Wireshark shows that the first GET on server A doesn't say anything about NTLM or Kerberos, then server sends back WWW-Authenticate: Negotiate. The first GET on server B shows NTLMSSP_NEGOTIATE in the header and packet from server says NTLM as well. [/edit2][/b] Anyone has an idea ? Thank you for your time, I appreciate it! [/quote]   Check here to include your profile signature. Note: please do not cross-post. Cross-postings will be deleted and ignored. Thanks for helping to keep this forum junk-free! Check here to subscribe to this topic.