Force Kerberos only authentication [Answered]

6 replies

Last post May 19, 2011 06:39 PM by vikomall

  • Force Kerberos only authentication

    Aug 25, 2008 11:48 AM|paulsh|LINK

    Hello!

    Is there any way to force IIS to accept Kerberos authentication only, no NTLM at all?

    Negotiate falls back to NTLM if Kerberos is not available for some reason. And I'd like to make sure that Kerberos only is used.

    There was a similar question some time ago: http://forums.iis.net/p/1146084/1855864.aspx. But it has no answer on how to disable NTLM and force Kerberos.

    Thanks in advance,

    paul

    kerberos NTLM

  • Re: Force Kerberos only authentication

    Aug 27, 2008 08:47 AM|Zhao Ji Ma - MSFT|LINK

    Hi Paul,

    I think it did mention the method to use NTLM or Kerberos. Another article you can try: http://support.microsoft.com/kb/215383/en-us

    Zhao Ji Ma
    Sincerely,
    Microsoft Online Community Support

  • Re: Force Kerberos only authentication

    Aug 27, 2008 10:58 AM|Paul Lynch|LINK

    Hi,

    No, I don't believe you can do this. You can force IIS to only accept NTLM and not accept Kerberos authentication by setting the NTAuthenticationProviders metabase property to NTLM only as per KB 215383 but you can't force Kerberos only.

    The reason is that the two possible settings for the above metabase property are Negotiate and/or NTLM. If you have Negotiate in the list then this tells IIS to try Kerberos first and then fall back to NTLM if Kerberos can't be used.

    However, if you have configured your environment correctly (SPN's, service accounts, etc) then you should always be authenticated via Kerberos by default.

    Regards,

    Paul Lynch
    MCSE

  • Re: Force Kerberos only authentication

    Aug 28, 2008 07:41 AM|paulsh|LINK

    Thanks for replies!

    Yes, Negotiate allows both Kerberos and NTLM. And unfortunately NTAuthenticationProviders does not accept "Kerberos".

    I think I found a solution - NTLM requests can be filtered out in a custom HttpModule. The HTTP_AUTHORIZATION server variable can be used to determine whether Kerberos or NTLM was used, and NTLM can be blocked.

    DelegConfig uses the same technique to identify protocol used for authentication.

    Thanks,

    paul
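
    The HttpModule approach described in this reply, written out as an added example. This is my own illustration, not DelegConfig's code and not anything posted in the thread. It assumes the ASP.NET System.Web pipeline on IIS 7 in integrated mode; the class name KerberosOnlyModule and the ShouldBlock helper are hypothetical names I chose. The detection rule is the one DelegConfig is said to use: an NTLM message always carries the ASCII signature "NTLMSSP\0", whether it arrives with the NTLM scheme or wrapped in a SPNEGO token under the Negotiate scheme after a Kerberos fallback, while a Kerberos SPNEGO token does not contain that signature.

```csharp
using System;
using System.Text;
using System.Web;

// Added example: a hypothetical IHttpModule that refuses NTLM tokens so that a
// Negotiate fallback to NTLM ends in a plain 401 instead of a logged-on user.
public class KerberosOnlyModule : IHttpModule
{
    // Signature at the start of every NTLM message (NEGOTIATE, CHALLENGE, AUTHENTICATE),
    // raw or embedded as the mechToken of a SPNEGO NegTokenInit.
    private static readonly byte[] NtlmSignature = Encoding.ASCII.GetBytes("NTLMSSP\0");

    public void Init(HttpApplication app)
    {
        // BeginRequest runs before IIS's own Windows authentication stage, so an
        // NTLM token is rejected before it is ever validated.
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        string authz = app.Request.ServerVariables["HTTP_AUTHORIZATION"];

        // No token yet: let IIS send its normal "WWW-Authenticate: Negotiate" challenge.
        if (string.IsNullOrEmpty(authz)) return;

        if (ShouldBlock(authz))
        {
            app.Response.Clear();
            app.Response.StatusCode = 401;
            app.Response.StatusDescription = "Kerberos authentication required";
            // No WWW-Authenticate header on purpose: a flat 401, no further NTLM round trips.
            app.CompleteRequest();
        }
    }

    // True for a raw NTLM header, a Negotiate token that carries NTLMSSP, any other
    // scheme (Basic etc.), or a token that cannot be decoded. Only a Negotiate token
    // without the NTLM signature, i.e. Kerberos, is allowed through.
    public static bool ShouldBlock(string authorizationHeader)
    {
        int space = authorizationHeader.IndexOf(' ');
        if (space < 0) return true;

        string scheme = authorizationHeader.Substring(0, space);
        string encoded = authorizationHeader.Substring(space + 1).Trim();

        if (!scheme.Equals("Negotiate", StringComparison.OrdinalIgnoreCase))
            return true;                            // "NTLM", "Basic", anything else

        byte[] token;
        try { token = Convert.FromBase64String(encoded); }
        catch (FormatException) { return true; }    // undecodable: fail closed

        // The NTLM signature sits within the first few dozen bytes of an NTLM token;
        // a Kerberos AP-REQ inside SPNEGO does not contain it.
        return IndexOf(token, NtlmSignature) >= 0;
    }

    private static int IndexOf(byte[] haystack, byte[] needle)
    {
        for (int i = 0; i + needle.Length <= haystack.Length; i++)
        {
            int j = 0;
            while (j < needle.Length && haystack[i + j] == needle[j]) j++;
            if (j == needle.Length) return i;
        }
        return -1;
    }
}
```

    Register the module in web.config under system.webServer/modules (integrated pipeline) or system.web/httpModules (classic pipeline). Because the check happens in BeginRequest and ends the request with CompleteRequest, a client whose Kerberos ticket request failed gets the 401 and nothing else, which is the behaviour asked for in this thread; the cost is that such clients have no working fallback until their SPN or ticket problem is fixed.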

  • Re: Force Kerberos only authentication

    Mar 02, 2009 08:53 PM|kateroh|LINK

    According to this blog about IIS core changes in Windows Server 2008 R2, Kerberos can be turned on via Nego2 protocol, the protocol supported/implemented by IIS in R2. By editing Windows Authentication providers section and enabling only Kerberos via Nego2 and disabling NTLM, admins can ensure only Kerberos is attempted.
    Hold on to the new exciting feature!

  • Re: Force Kerberos only authentication

    May 19, 2011 05:22 PM|iisDonkey|LINK

    That blog link does not work.  Is Nego2 only in Win2008 R2 with IIS7.5?

    The behavior that I want to see is for IIS to serve the page if Kerberos works, but throw a 401 if Kerberos fails.  No basic auth pop-up, no NTLM, nothing.  Just fail.

    Is "Negotiate:Kerberos" sufficient for this?  Or are there other configurations, still generically called Nego2 that should be used?

    Can anyone elaborate on the decreased performance and "other problems" that this might cause?

     http://serverfault.com/questions/114779/iis7-windows-authentication-providers

  • Re: Force Kerberos only authentication

    May 19, 2011 06:39 PM|vikomall|LINK

    To force Kerberos only authentication "Negotiate:Kerberos" is sufficient.

    As mentioned in the thread http://serverfault.com/questions/114779/iis7-windows-authentication-providers, there could be a little performance decrease... I am not aware of any 'other problems'!