NTLM and Kerberos

"Joe" <j**@aol.com> wrote in message news:%23uu$QCoNGHA.456@TK2MSFTNGP15.phx.gbl...

I have a website using Windows Authentication and Delegation to access a backend SQL Server.

Everything works when I am on the LAN. When I try to access the website from home I get the Login failed for User NULL...

I am using the same name to access when I am on the LAN as when I am at home and it resolves to the same IP address.
http://server.domain.com
I have put this into my trusted sites in IE (I have also tried Local Intranet).
I can see in the event log on the web server that when I am at home it is using NTLM authentication whereas when I am on the network it is using Kerberos.
I added the SPN for the FQDN with this:
setspn -A http/sever.domain.com NtDomain\ServerName
(not sure if that is required)
IIS is running under the local system account
I have delegation set to Trust this computer for delegation to any service (Kerberos only)
The server is Windows 2003
IIS Security is set up for Integrated Windows Authentication

The only differences that I can think of are (1) my computer at home is not a member of the domain and (2) I only have port 80 open when I am at home.

Anyone know how to get this to work?

"Joe" <j**@aol.com> wrote in message news:%23weXsHoNGHA.2124@TK2MSFTNGP14.phx.gbl...

As a follow up...

I downloaded the Wfetch utility. When I ran this and forced the Kerberos Authentication I got an error:
0x80090311 (No authority could be contacted for authentication.): Unable to InitializeSecurityContext

Leads me to believe that Kerberos needs to talk to the AD controller to get the ticket???
What would I have to open up to make this happen and where would I tell IE to be able to find my domain controller?

"Ken Schaefer" <kenREM***@THISadOpenStatic.com> wrote in message news:OXyC5NoNGHA.3936@TK2MSFTNGP10.phx.gbl...

Hi,

a) Kerberos requires the user to obtain a Kerberos Service Ticket for the remote service (namely IIS). This is obtained from the KDC (Key Distribution Centre). The KDC is hosted on Windows Domain Controllers. So, you'd need to be able to contact a DC.

b) IIRC, you'd need to open port 88. Additionally, your client at home would need to locate the DC in the first place via the msadc forward lookup zone hosted on your internal network's DNS servers.

c) Because of the restrictions required to get Kerberos working, IE doesn't even attempt Kerberos authentication for sites in the Internet zone.

d) A much more secure way of doing this (if you really want to use Kerberos) would be to VPN into your network from home, and then access the server the same way you do at the office.

Cheers
Ken

"Joe" <j**@aol.com> wrote in message news:OnrbDaoNGHA.2624@TK2MSFTNGP12.phx.gbl...

Thanks for your quick response!

I would have to open port 88 to my Domain Controller?
How would IE know which server is the Domain Controller (my home computer is not on the domain)? I get the msadc DNS lookup, but I am going to server.domain.com where my domain is NTDomain.local - my domain controller does not know anything about domain.com.

"Ken Schaefer" <kenREM***@THISadOpenStatic.com> wrote in reply:

You would need to open that port on your firewall.

And you would need to point your home computer to a DNS server that knows about your work domain (i.e. your work DNS servers that contain the msadc forward lookup zone for yourWorkDomain.local).

As you can see, there are a few difficulties doing this over the internet. Hence my suggestion of using a VPN to connect into the work network, and your VPN connection would pick up the necessary settings. Windows Server has RRAS (Routing and Remote Access Server) which can act as a VPN endpoint if you don't have a physical device that supports VPN.

Cheers
Ken
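The thread hinges on which package the browser actually negotiated (the server's event log shows NTLM from home and Kerberos on the LAN, and Ken's point c explains why an Internet-zone site never gets Kerberos). As an added example, not code from the thread or from Microsoft, this Python snippet classifies the client's Authorization: Negotiate header as seen in a proxy log or packet capture: a bare NTLMSSP message, or a SPNEGO token whose first mechType is Kerberos or NTLM. The sample header values are constructed inline; the OIDs are the standard GSS-API mechanism identifiers.

```python
import base64
# DER-encoded OID bodies (tag and length stripped) of the mechanisms that appear in SPNEGO tokens.
SPNEGO = bytes.fromhex("2b0601050502")             # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")         # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("2a864882f712010202")      # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
NTLMSSP = bytes.fromhex("2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10

def der_len(buf, i):  # -> (length, offset of first content byte); handles short and long form
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def oids_in(buf):  # walk DER TLVs in order, descend into constructed tags, collect OID bodies
    found, i = [], 0
    while i < len(buf):
        length, j = der_len(buf, i + 1)
        body = buf[j:j + length]
        if buf[i] == 0x06:                  # OBJECT IDENTIFIER
            found.append(body)
        elif buf[i] & 0x20:                 # constructed: SEQUENCE, [n], APPLICATION 0
            found.extend(oids_in(body))
        i = j + length
    return found

def classify_negotiate(header_value):
    """Classify an 'Authorization: Negotiate <base64>' value as 'Kerberos', 'NTLM' or 'unknown'."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):    # base64 'TlRMTVNT...': bare NTLM, no SPNEGO wrapper
        return "NTLM"
    oids = oids_in(token)
    if not oids or oids[0] != SPNEGO:       # first leg must carry the SPNEGO OID; later legs (NegTokenResp) do not
        return "unknown"
    mechs = oids[1:]                        # mechTypes, in the client's preference order
    if mechs and mechs[0] in (KRB5, MS_KRB5):
        return "Kerberos"
    return "NTLM" if NTLMSSP in mechs else "unknown"

def tlv(tag, body):  # short-form DER TLV; every body built below is under 128 bytes
    return bytes([tag, len(body)]) + body
def negotiate_header(token):  # wrap a raw token the way a browser sends it
    return "Negotiate " + base64.b64encode(token).decode()

def sample_tokens():
    ntlm = b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(20)          # constructed sample: NTLM NEGOTIATE (Type 1)
    oid = lambda body: tlv(0x06, body)
    mech_types = tlv(0x30, oid(MS_KRB5) + oid(KRB5) + oid(NTLMSSP))
    neg_init = tlv(0xA0, tlv(0x30, tlv(0xA0, mech_types)))   # [0] NegTokenInit { [0] mechTypes }
    spnego = tlv(0x60, oid(SPNEGO) + neg_init)               # constructed sample: GSS-API InitialContextToken
    return {"ntlm": negotiate_header(ntlm), "krb": negotiate_header(spnego)}
```

On a real capture a Kerberos token is several hundred bytes, so its base64 starts with YII (long-form DER length), while bare NTLM starts with TlRMTVNT; the parser handles both length forms. A client that should be doing Kerberos but keeps sending NTLM is the symptom to look for before touching SPNs or delegation settings.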