Re: Delegation Problem by Ken
Ken
Wed Oct 12 21:39:00 CDT 2005
Some things to check:
a) Ensure that IIS is sending the WWW-Authenticate: Negotiate authN header
to the client. If IIS is sending WWW-Authenticate: NTLM only then IE will
never choose Kerberos. You can use WFetch from the IIS Res Kit Tools (or
HTTP Fiddler) to see the headers IIS is sending.
b) Ensure that "Use Integrated Windows Authentication (Requires a Restart)"
is checked in Tools -> Options -> Advanced in IE.
c) Ensure that the website is in the "Intranet" security zone. If the site
is in the Internet zone, IE will not attempt Kerberos authentication. If you
are using a FQDN or IP address to access the site, you will need to add that
FQDN or IP address to the Intranet security zone on your copy of IE.
Cheers
Ken
"Mike" <Mike@discussions.microsoft.com> wrote in message
news:679A9577-AE82-450E-82C0-5B9F2FC83CD5@microsoft.com...
: Yes, that is the whole error. Nothing else except "on index.asp" which is
: just the page name. I have enabled auditing and checked the events on the IIS
: server. Funny thing, it did use NTLM and I'm not sure why. I'm using XP with
: Server 2003 (IIS 6). I thought Kerberos was the default. I guess the first
: thing to do is troubleshoot the Kerberos issue. Any ideas on what might cause
: it to negotiate down to NTLM?
: --
: Mike
:
:
: "Ken Schaefer" wrote:
:
: > : error '80072020'
: >
: > Is that the entire error message you see on the screen? That error code
: > indicates that "errors occurred" (as far as I can tell).
: >
: > One thing to check, if you think this is a delegation issue - have you
: > verified that the browsers are authenticated using Kerberos rather than
: > NTLM? You should see appropriate logon messages in the Security event log of
: > the IIS server.
: >
: > Cheers
: > Ken
: >
: >
: > "Mike" <Mike@discussions.microsoft.com> wrote in message
: > news:253F6CCB-E348-4283-938C-6188E6C8C064@microsoft.com...
: > : I need some assistance with delegation.
: > : My Environment:
: > : 2003 (2003 Functionality mode) IIS 6
: > : This is an intranet environment
: > : Using classic asp
: > :
: > : My Goal
: > : I'm using integrated authentication to capture usernames (without prompts)
: > : This is working fine.
: > : I want to compare the usernames with group membership in active directory to
: > : customize the intranet page for users who exist in certain "universal"
: > : groups. (Trusted domains)
: > :
: > : This is the code I'm using....
: > : strGroupDN = "cn=Intranet_group,cn=Users,dc=mydomain,dc=com"
: > : set objGroup = GetObject("LDAP://" & strGroupDN)
: > : for each objMember in objGroup.Members
: > : member = objMember.Name
: > : response.write "<br>" & member
: > : next
: > :
: > : What I have done so far:
: > : Setup delegation on the AD computer account for the IIS server (which is not
: > : a DC)
: > : Selected "Trust this computer for delegation to any service (Kerberos Only)"
: > :
: > : Getting the following error:
: > : error '80072020'
: > :
: > : What else needs to be done? I have checked the technet site and nothing
: > : seems to work for my situation. Any help is much appreciated.
: > : --
: > : Mike
: >
: >
: >
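
Check (a) from the reply above, plus the Kerberos-versus-NTLM question, as an added example that is not part of the original thread: it reads a raw 401 response as copied from WFetch or Fiddler to see which schemes are offered, then labels the token in the browser's Authorization header. The function names and sample responses are constructed for illustration, and the token labelling is a heuristic based on the NTLMSSP signature and the DER-encoded Kerberos OIDs.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"  # signature at the start of every NTLM message
# DER-encoded Kerberos mechanism OIDs as they appear inside a SPNEGO token
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2 (Kerberos V5)
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2 (MS Kerberos)
)
# Constructed sample 401 responses (not captured from a real server)
NTLM_ONLY = ("HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/6.0\r\n"
             "WWW-Authenticate: NTLM\r\n\r\n")
BOTH = ("HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/6.0\r\n"
        "WWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n\r\n")


def offered_schemes(raw_response: str) -> list:
    """Return the scheme of every WWW-Authenticate header, in order."""
    schemes = []
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0])
    return schemes


def kerberos_possible(raw_response: str) -> bool:
    """Check (a): Kerberos can only be chosen if Negotiate is offered."""
    return any(s.lower() == "negotiate" for s in offered_schemes(raw_response))


def classify_authorization(value: str) -> str:
    """Heuristically label the token in a request's Authorization header."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    if NTLMSSP in token:  # raw NTLM, or NTLM wrapped in SPNEGO
        return "NTLM"
    if token[:1] == b"\x60" and any(oid in token for oid in KRB5_OIDS):
        return "Kerberos"
    return "unknown"


if __name__ == "__main__":
    for label, resp in (("NTLM only", NTLM_ONLY), ("Negotiate + NTLM", BOTH)):
        print(label, offered_schemes(resp), "Kerberos possible:", kerberos_possible(resp))
    print(classify_authorization("Negotiate TlRMTVNTUAABAAAA"))
```

A "Negotiate" request header whose token classifies as NTLM means the server offered Negotiate but the client fell back, which points at the client-side checks (b) and (c) rather than at the headers IIS sends.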