Kerberos error KDC_ERR_BADOPTION

Tim wrote:

the error: KDC_ERR_BADOPTION. We followed this link http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/ to help with the initial setup. Our environment is as such:

- Windows 2000 domain
- Server set up in AD to trust delegation
- App pool ID set up in AD to trust delegation
- Enabled Kerberos logging: http://support.microsoft.com/?id=262177
- Forced Kerberos to use TCP: http://support.microsoft.com/kb/244474
- Forced precedence of Kerberos over NTLM: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/kerbnlb.mspx

Any assistance would be greatly appreciated.

-Tim


"WenJun Zhang[msft]" <wjzh***@online.microsoft.com> wrote:

Hi Tim,

Please make sure the client that connects to the server has 'enable integrated authentication' selected in IE Internet Options -> Advanced. Otherwise the authentication protocol will be NTLM instead of Kerberos.

Another point is that you should change the site's application pool's identity to Local System since you've enabled the computer to be trusted for delegation in AD.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no rights.


Tim wrote:

Still no luck. The clients were already configured with integrated authentication and the site was added to the Local Intranet zone, but the client still looks to be authenticating through NTLM. Both IIS on the web server and SQL 2000 are set to run under Local System.

From the web server:

Successful Network Logon:
  User Name: userName
  Domain: domainName
  Logon ID: (0x0,0x1B8804)
  Logon Type: 3
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Workstation Name: workstationName
  Logon GUID: -
  Caller User Name: -
  Caller Domain: -
  Caller Logon ID: -
  Caller Process ID: -
  Transited Services: -
  Source Network Address: 10.1.1.105
  Source Port: 1327


"WenJun Zhang[msft]" <wjzh***@online.microsoft.com> wrote:

Hi Tim,

I suggest you use Wfetch to perform a test and trace the raw data of the HTTP request/response. It will ensure the Kerberos token can be properly sent to the server side.

HOW TO: Use Wfetch.exe to Troubleshoot HTTP Connections
http://support.microsoft.com/default.aspx?scid=kb;en-us;284285

To use, please input:

Host: (Your server name)
Path: (The relative path of your page, e.g. /simple.htm)
Auth: (Select Kerberos and input the proper username/password)

Press Go! to issue an HTTP request to the server and check what response is returned. You can paste the whole log data here for me to take a look.

Best regards,

WenJun Zhang
Microsoft Online Partner Support


Tim wrote:

Here is the output from the log:

started....
WWWConnect::Connect("http://vmdynamics.labtsc.com","80")\n
0x2af9 (No such host is known.): getaddrinfo()
finished.


Tim wrote:

Sorry about that, I didn't run the test correctly. I re-ran it and this was the output:

started....
Reusing existing connection (source port 4210)\n
ISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE set\n
0x80090303 (The specified target is unknown or unreachable): Unable to InitializeSecurityContext
finished.
WWWConnect::Close("vmdynamics","80")\n
closed source port: 4210\r\n


Tim wrote:

Ran the same test again using the IP instead of the host name and got this:

started....
Reusing existing connection (source port 4291)\n
ISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE set\n
SEC_I_CONTINUE_NEEDED\n
REQUEST: **************\n
GET /loader.aspx HTTP/1.1\r\n
Host: 10.1.1.201\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: Kerberos [base64 token omitted]\r\n
\r\n
RESPONSE: **************\n
HTTP/1.1 401 Unauthorized\r\n
Content-Length: 1656\r\n
Content-Type: text/html\r\n
Server: Microsoft-IIS/6.0\r\n
WWW-Authenticate: Negotiate\r\n
X-Powered-By: ASP.NET\r\n
Date: Fri, 09 Jun 2006 19:37:58 GMT\r\n
\r\n
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">\r\n
<HTML><HEAD><TITLE>You are not authorized to view this page</TITLE>\r\n
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">\r\n
<STYLE type="text/css">\r\n
BODY { font: 8pt/12pt verdana }\r\n
H1 { font: 13pt/15pt verdana }\r\n
H2 { font: 8pt/12pt verdana }\r\n
A:link { color: red }\r\n
A:visited { color: maroon }\r\n
</STYLE>\r\n
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>\r\n
\r\n
<h1>You are not authorized to view this page</h1>\r\n
You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept.\r\n
<hr>\r\n
<p>Please try the following:</p>\r\n
<ul>\r\n
<li>Contact the Web site administrator if you believe you should be able to view this directory or page.</li>\r\n
<li>Click the <a href="javascript:location.reload()">Refresh</a> button to try again with different credentials.</li>\r\n
</ul>\r\n
<h2>HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration.<br>Internet Information Services (IIS)</h2>\r\n
<hr>\r\n
<p>Technical Information (for support personnel)</p>\r\n
<ul>\r\n
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP </b> and <b>401</b>.</li>\r\n
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),\r\n
and search for topics titled <b>About Security</b>, <b>Authentication</b>, and <b>About Custom Error Messages</b>.</li>\r\n
</ul>\r\n
\r\n
</TD></TR></TABLE></BODY></HTML>\r\n
finished.


"WenJun Zhang[msft]" <wjzh***@online.microsoft.com> wrote:

Hi Tim,

This indicates Kerberos auth actually didn't work on your server. Please make sure your KDC is correctly configured and also check that Integrated Windows Authentication is enabled in IIS.

Also, by default both Kerberos and NTLM are enabled in the NTAuthenticationProviders metabase entry. You may have to verify this to see if Kerberos was removed.

215383 How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication
http://support.microsoft.com/default.aspx?scid=kb;EN-US;215383

Best regards,

WenJun Zhang
Microsoft Online Partner Support


Tim wrote:

I verified that the IIS server is running integrated authentication and that the metabase is set to Negotiate,NTLM as described in the article. Do you have any suggestions on what areas we might look into on the KDC?

-Tim


"WenJun Zhang[msft]" <wjzh***@online.microsoft.com> wrote:

Hi Tim,

If so, what's the result in Wfetch with Kerberos auth? Could you provide me with the trace to take a look?

If Kerberos auth actually fails on the server side, you will have to post a new thread to our Windows 2003 security or AD newsgroup to troubleshoot the Kerberos auth part.

Best regards,

WenJun Zhang
Microsoft Online Partner Support


Tim wrote:

Here is the result:

started....
WWWConnect::Connect("vmdynamics","80")\n
IP = "10.1.1.201:80"\n
source port: 2022\r\n
ISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE set\n
0x80090303 (The specified target is unknown or unreachable): Unable to InitializeSecurityContext
finished.
WWWConnect::Close("vmdynamics","80")\n
closed source port: 2022\r\n


"WenJun Zhang[msft]" <wjzh***@online.microsoft.com> wrote:

Hi Tim,

I'm not sure why it would fail with the server name but work with the IP address, but I believe this should be related to the root cause. It looks like the problem client has some problem communicating with your domain controller; otherwise there shouldn't be this kind of name resolution issue. You may try to remove the client machine from your domain and then add it back to have a test.

If there's still no success, please post the issue to our Windows AD or security newsgroup for suggestions. Thanks.

Best regards,

WenJun Zhang
Microsoft Online Partner Support


Tim wrote:

No luck there either. I'll try the other NG. Thank you very much for your help.

-Tim
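The Security log entry Tim pasted is the tell-tale of the whole thread: Kerberos never got off the ground on the client, so IIS quietly accepted an NTLM network logon instead. As an added example (not code from the thread or from Microsoft), here is a small parser for that flattened "Successful Network Logon" layout plus a check that flags Logon Type 3 logons arriving over NTLM on a host that is supposed to be doing Kerberos delegation. The first sample event is the one from the thread; the second is a constructed Kerberos logon in the same layout.

```python
import re

# Field labels as they appear in the Windows 2000/2003 "Successful Network
# Logon" event body Tim pasted from the web server's Security log.
FIELDS = [
    "User Name", "Domain", "Logon ID", "Logon Type", "Logon Process",
    "Authentication Package", "Workstation Name", "Logon GUID",
    "Caller User Name", "Caller Domain", "Caller Logon ID",
    "Caller Process ID", "Transited Services", "Source Network Address",
    "Source Port",
]
_LABELS = "|".join(re.escape(f) for f in FIELDS)
# A value runs from its label up to the next label or the end of the text;
# the event body is flattened onto one line, as it was in the post.
_FIELD_RE = re.compile(r"(%s): (.*?)(?= (?:%s): |$)" % (_LABELS, _LABELS))

def parse_event(text):
    """Return the flattened event body as a dict of label -> value."""
    body = text.split("Successful Network Logon:", 1)[-1]
    return {m.group(1): m.group(2).strip() for m in _FIELD_RE.finditer(body)}

def ntlm_fallbacks(events):
    """Flag network logons (Logon Type 3) that arrived over NTLM.

    On a server meant to authenticate clients with Kerberos and delegate,
    an NTLM network logon is the visible symptom of Kerberos having failed
    on the client before the request was sent (no ticket, bad SPN, DNS)."""
    flagged = []
    for text in events:
        ev = parse_event(text)
        if ev.get("Logon Type") != "3":
            continue
        if ev.get("Authentication Package", "").upper() == "NTLM":
            flagged.append({"user": ev.get("User Name"),
                            "source": ev.get("Source Network Address"),
                            "process": ev.get("Logon Process")})
    return flagged

# Sample input: the first event is quoted in the thread, the second is a
# constructed Kerberos logon in the same layout, for contrast.
SAMPLE_EVENTS = [
    "Successful Network Logon: User Name: userName Domain: domainName "
    "Logon ID: (0x0,0x1B8804) Logon Type: 3 Logon Process: NtLmSsp "
    "Authentication Package: NTLM Workstation Name: workstationName "
    "Logon GUID: - Caller User Name: - Caller Domain: - Caller Logon ID: - "
    "Caller Process ID: - Transited Services: - "
    "Source Network Address: 10.1.1.105 Source Port: 1327",
    "Successful Network Logon: User Name: userName Domain: domainName "
    "Logon ID: (0x0,0x1C2A10) Logon Type: 3 Logon Process: Kerberos "
    "Authentication Package: Kerberos Workstation Name: - "
    "Logon GUID: {00000000-0000-0000-0000-000000000000} Caller User Name: - "
    "Caller Domain: - Caller Logon ID: - Caller Process ID: - "
    "Transited Services: - Source Network Address: 10.1.1.105 Source Port: 1402",
]
```

Running `ntlm_fallbacks(SAMPLE_EVENTS)` returns only the NtLmSsp logon from 10.1.1.105, which is exactly the event that should not appear once the client is obtaining an HTTP service ticket.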