Marked as answer by sealy on Jun 24, 2008 12:56 PM
sealy
16 Posts
Integrated Authentication issue - 500 error, NTLM doesn't know what to do with UPN?
Jun 19, 2008 08:19 PM
Here is what I have so far. I have Windows Server 2003 SP2 with IIS 6 installed. I have a one page site with only Integrated Authentication enabled. The SPNs are set correctly in Active Directory. I can log in all day long in IE if I use http://<NetBIOS>. I can log in fine if I put *.domain.com in my Local Intranet Zone or my Trusted Sites Zone. If I browse to the site with a non-domain machine and attempt to log in with my user account which now has a Kerberos ticket on the IIS server because of my Authentication session earlier in the day, I can attempt to log in with my UPN even though my current machine does not have a Kerberos ticket (I have used KerbTray to purge my Kerberos cache to make sure) and I can log in successfully if I give the correct password. Shouldn't Kerberos fail if I don't have a ticket on the client? If I type in a valid domain UPN that does not have a Kerberos ticket on the server I receive a 500 error and not a 401 error as I would expect. If I type in an NTLM username then I am fine, I am either logged in, re-prompted or shown a 401.X error. If I type in a non-valid domain UPN such as userdoesntexist@domain.com, or a non-valid username - anything@invaliddomain.com I am re-prompted or a 401.X page is served.
The documentation I have read states that if Kerberos authentication fails it will fall back to NTLM. It does not appear to be falling back to NTLM and prompting me for credentials or presenting a 401 error. It just errors out with a 500 page. Well, it appears that NTLM does not know what to do with a UPN so the server displays a 500 error and hopes I will get it right the next time I browse to the site. Maybe I should edit the 500 page to state, "please enter in your username as domain\username."
Does anyone know why this is happening?
authentication IIS 6.0 401 kerberos 500
JaroDunajsky
194 Posts
Microsoft
Re: Integrated Authentication issue - 500 error, NTLM doesn't know what to do with UPN?
Jun 24, 2008 12:48 AM
Falling back to NTLM would be happening not at the IIS level but rather inside the Negotiate SSPI package that handles Kerberos and NTLM. In your case it appears that calling into the SSPI package is returning an error. You should check the W3 log file for the status code (sc-win32-status) written with the failed request. That would be a good place to start your investigation.
What makes you think that what you call successful Kerberos logons are not actually NTLM logons?
You could use ETW tracing for IIS6 that actually contains information about what actual authentication protocol was used (NTLM vs. Kerberos). http://technet2.microsoft.com/windowsserver/en/library/a6a54692-56e2-4bc3-96c9-df30cdb3bb421033.mspx?mfr=true
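As an added example (not code from the thread or from Microsoft), here is a small Python parser for the IIS 6 W3C extended log that pulls out the failed requests with their sc-status, sc-substatus and sc-win32-status and groups them by the form of the username that was supplied (domain\user, UPN, or none). It reads the `#Fields:` directive, so it works with whatever columns the site logs, assuming sc-substatus and sc-win32-status are enabled in the site's logging properties. The log lines, their Win32 values and the small code-name lookup are constructed for illustration, not taken from the poster's server.

```python
"""Summarise failed requests in an IIS 6 W3C extended log by username form and status codes."""
from collections import Counter

# Lookup for a few well-known Win32/SSPI values as IIS writes them to sc-win32-status
# (unsigned decimal). Constructed for the summary; unlisted codes are printed raw.
WIN32_NAMES = {
    0: "SUCCESS",
    5: "ERROR_ACCESS_DENIED",
    1326: "ERROR_LOGON_FAILURE",
    2148074254: "SEC_E_NO_CREDENTIALS (0x8009030E)",
}

# Constructed sample log, not from the thread: a Negotiate challenge followed by a
# successful logon, then a challenge, a 500 on a UPN-style name, and a 401.1 on a bad user.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-06-19 20:19:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-06-19 20:19:01 10.0.0.5 GET /default.aspx - 80 - 10.0.0.77 Mozilla/4.0 401 2 2148074254
2008-06-19 20:19:01 10.0.0.5 GET /default.aspx - 80 DOMAIN\\sealy 10.0.0.77 Mozilla/4.0 200 0 0
2008-06-19 20:20:13 10.0.0.5 GET /default.aspx - 80 - 10.0.0.99 Mozilla/4.0 401 2 2148074254
2008-06-19 20:20:14 10.0.0.5 GET /default.aspx - 80 sealy@domain.com 10.0.0.99 Mozilla/4.0 500 0 1326
2008-06-19 20:21:02 10.0.0.5 GET /default.aspx - 80 DOMAIN\\baduser 10.0.0.99 Mozilla/4.0 401 1 1326
"""


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("request line appeared before any #Fields directive")
        values = line.split(" ")  # IIS replaces spaces inside a field with '+'
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        yield dict(zip(fields, values))


def username_form(name):
    """Classify cs-username: '-' means no credentials were presented on that request."""
    if name == "-":
        return "anonymous"
    if "@" in name:
        return "upn"
    if "\\" in name:
        return "domain\\user"
    return "bare"


def failed_requests(records, min_status=400):
    """Keep requests with sc-status >= min_status, with the fields worth correlating."""
    failures = []
    for r in records:
        status = int(r["sc-status"])
        if status >= min_status:
            failures.append({
                "time": f'{r["date"]} {r["time"]}',
                "user": r["cs-username"],
                "client": r["c-ip"],
                "status": f'{status}.{r["sc-substatus"]}',
                "win32": int(r["sc-win32-status"]),
            })
    return failures


def summarise(failures):
    """Count (username form, status.substatus, win32 name) triples."""
    counts = Counter()
    for f in failures:
        win32 = WIN32_NAMES.get(f["win32"], str(f["win32"]))
        counts[(username_form(f["user"]), f["status"], win32)] += 1
    return counts


if __name__ == "__main__":
    fails = failed_requests(parse_w3c(SAMPLE_LOG))
    for f in fails:
        print(f'{f["time"]} {f["client"]:<12} {f["user"]:<20} {f["status"]:<6} win32={f["win32"]}')
    print()
    for (form, status, win32), n in sorted(summarise(fails).items()):
        print(f"{n:>3}  {form:<12} {status:<6} {win32}")
```

The useful view for this thread is the second table: the 401.2 with SEC_E_NO_CREDENTIALS rows are the normal Negotiate challenge, while a 500 on a UPN-style name with a non-zero sc-win32-status is the SSPI call failing rather than IIS refusing the request, which is what the reply above says to look for.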
sealy
16 Posts
Re: Integrated Authentication issue - 500 error, NTLM doesn't know what to do with UPN?
Jun 24, 2008 12:54 PM
I actually had a case open with Microsoft. The issue is a known problem, but it is only known by very few. :) It turns out the problem was that we had SP2 on our IIS server and we had SP1 on our domain controllers. I set up an environment to test and sure enough the hotfix support sent (which is included in SP2) fixed the issue. The file in question was MSV1_0.dll. The article that the support agent referenced was kb921063. Although the article didn't explicitly apply to us we were experiencing a similar issue. The bad password count was incrementing so we knew it was contacting the domain controller, plus we had seen successful Kerberos communications, but it would still throw a 500 error if you used a UPN at the prompt. An NTLM formed username worked fine (which is the workaround in the article). Thank you to everyone who answered.