IIS 5 & IIS 6
Force Kerberos only authentication
Last post May 19, 2011 06:39 PM by vikomall
Aug 25, 2008 11:48 AM|paulsh
Is there any way to force IIS to accept Kerberos authentication only, no NTLM at all?
Negotiate falls back to NTLM if Kerberos is not available for some reason, and I'd like to make sure that Kerberos only is used.
There was a similar question some time ago:
http://forums.iis.net/p/1146084/1855864.aspx. But it has no answer on how to disable NTLM and force Kerberos.
Thanks in advance,
Aug 27, 2008 08:47 AM|Zhao Ji Ma - MSFT
I think it did mention the method to use NTLM or Kerberos; another article you can try:
Aug 27, 2008 10:58 AM|Paul Lynch
No, I don't believe you can do this. You can force IIS to only accept NTLM and not accept Kerberos authentication by setting the
NTAuthenticationProviders metabase property to NTLM only as per KB 215383 but you can't force Kerberos only.
The reason is that the two possible settings for the above metabase property are Negotiate and/or NTLM. If you have Negotiate in the list then this tells IIS to try Kerberos first and then fall back to NTLM if Kerberos can't be used.
However, if you have configured your environment correctly (SPNs, service accounts, etc.) then you should always be authenticated via Kerberos by default.
Aug 28, 2008 07:41 AM|paulsh
Thanks for replies!
Yes, Negotiate allows both Kerberos and NTLM. And unfortunately NTAuthenticationProviders does not accept "Kerberos".
I think I found a solution: NTLM requests can be filtered out in a custom HttpModule. The HTTP_AUTHORIZATION server variable can be used to determine whether Kerberos or NTLM was used, and NTLM can be blocked.
DelegConfig uses the same technique to identify protocol used for authentication.
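The module paulsh describes, written out as an added example (this is not code from the thread or from DelegConfig). It assumes Windows Authentication with the Negotiate provider is enabled and that the module is registered in web.config (`system.webServer/modules` for IIS 7 integrated mode, `system.web/httpModules` for IIS 6); the class name, the `IsNtlmToken` helper and the 401-only response are my choices. The detection rests on the fact that every NTLMSSP message begins with the bytes `NTLMSSP\0`, which base64-encode to the prefix `TlRMTVNTUAA`, whereas a Kerberos SPNEGO token begins with a DER sequence (`YI…`).

```csharp
// Added example, not part of the original thread: an IIS HttpModule that rejects
// NTLM tokens so that only Kerberos logons succeed.
using System;
using System.Web;

public class KerberosOnlyModule : IHttpModule
{
    // Base64 of the 8-byte NTLMSSP signature "NTLMSSP\0". Both Type 1 (negotiate)
    // and Type 3 (authenticate) messages start with it, so the prefix covers the
    // whole NTLM handshake. Kerberos tokens never start with this.
    private const string NtlmSignatureBase64 = "TlRMTVNTUAA";

    public void Init(HttpApplication app)
    {
        // Inspect the header before authentication runs, so NTLM never gets a
        // chance to complete.
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;

        // Same value as the HTTP_AUTHORIZATION server variable mentioned in the thread.
        string authorization = app.Request.Headers["Authorization"];

        if (IsNtlmToken(authorization))
        {
            // Fail closed: plain 401, no NTLM challenge issued by this module, so
            // the client cannot continue the NTLM handshake through it.
            app.Response.Clear();
            app.Response.StatusCode = 401;
            app.Response.StatusDescription = "Unauthorized";
            app.CompleteRequest();
        }
    }

    // Returns true when the Authorization header carries an NTLMSSP token, either
    // under the bare "NTLM" scheme or wrapped in "Negotiate". Anything else
    // (Kerberos SPNEGO tokens, no header at all) returns false and is left to
    // the normal Windows Authentication processing.
    public static bool IsNtlmToken(string authorizationHeader)
    {
        if (string.IsNullOrEmpty(authorizationHeader))
            return false;

        string[] parts = authorizationHeader.Split(new[] { ' ' }, 2, StringSplitOptions.RemoveEmptyEntries);
        if (parts.Length != 2)
            return false;

        string scheme = parts[0];
        string token = parts[1].Trim();

        if (scheme.Equals("NTLM", StringComparison.OrdinalIgnoreCase))
            return true;

        if (scheme.Equals("Negotiate", StringComparison.OrdinalIgnoreCase))
            return token.StartsWith(NtlmSignatureBase64, StringComparison.Ordinal);

        return false;
    }

    public void Dispose()
    {
    }
}
```

The check only classifies the token the client actually sent; it does not parse the SPNEGO mechanism list inside a Kerberos token, so it is a filter on top of, not a replacement for, a correctly configured SPN and service account. Expect domain-joined clients with a valid ticket to pass unchanged and everything else (workgroup machines, URLs by IP address with no SPN) to get the 401.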
Mar 02, 2009 08:53 PM|kateroh
This blog about IIS core changes in Windows Server 2008 R2: Kerberos can be turned on via the Nego2 protocol, the protocol supported/implemented by IIS in R2. By editing the Windows Authentication providers section and enabling only Kerberos via Nego2 and disabling NTLM, admins can ensure only Kerberos is attempted.
Hold on to the new exciting feature!
May 19, 2011 05:22 PM|iisDonkey
That blog link does not work. Is Nego2 only in Win2008 R2 with IIS7.5?
The behavior that I want to see is for IIS to serve the page if Kerberos works, but throw a 401 if Kerberos fails. No basic auth pop-up, no NTLM, nothing. Just fail.
Is "Negotiate:Kerberos" sufficient for this? Or are there other configurations, still generically called Nego2 that should be used?
Can anyone elaborate on the decreased performance and "other problems" that this might cause?
May 19, 2011 06:39 PM|vikomall
To force Kerberos only authentication "Negotiate:Kerberos" is sufficient.
As mentioned in the thread http://serverfault.com/questions/114779/iis7-windows-authentication-providers, there could be a little performance decrease... I am not aware of any 'other problems'!
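An added example (not from the thread) of applying the `Negotiate:Kerberos` setting vikomall refers to on IIS 7.5, using the Microsoft.Web.Administration API rather than editing applicationHost.config by hand. It assumes the site is called "Default Web Site" and that it runs elevated on the server; it also disables anonymous authentication so that a failed Kerberos logon ends in a 401 rather than an anonymous page, which is the behaviour iisDonkey asked for.

```csharp
// Added example, not part of the original thread: restrict IIS 7.5 Windows
// Authentication to the Kerberos-only provider "Negotiate:Kerberos".
using System;
using Microsoft.Web.Administration;

class KerberosOnlyProviders
{
    static void Main()
    {
        const string siteName = "Default Web Site";   // assumption: the site to lock down

        using (var serverManager = new ServerManager())
        {
            Configuration config = serverManager.GetApplicationHostConfiguration();

            // Windows Authentication on, with the provider list replaced by Kerberos only.
            ConfigurationSection winAuth = config.GetSection(
                "system.webServer/security/authentication/windowsAuthentication", siteName);
            winAuth["enabled"] = true;

            ConfigurationElementCollection providers = winAuth.GetCollection("providers");
            // Removes the inherited "Negotiate" (Kerberos with NTLM fallback) and "NTLM"
            // entries; both would let a client that has no ticket fall back to NTLM.
            providers.Clear();

            ConfigurationElement kerberosOnly = providers.CreateElement("add");
            kerberosOnly["value"] = "Negotiate:Kerberos";
            providers.Add(kerberosOnly);

            // No anonymous fallback either: Kerberos works or the request gets a 401.
            ConfigurationSection anonAuth = config.GetSection(
                "system.webServer/security/authentication/anonymousAuthentication", siteName);
            anonAuth["enabled"] = false;

            serverManager.CommitChanges();
        }

        // Resulting fragment under <location path="Default Web Site"> in applicationHost.config:
        //   <windowsAuthentication enabled="true">
        //     <providers>
        //       <clear />
        //       <add value="Negotiate:Kerberos" />
        //     </providers>
        //   </windowsAuthentication>
        //   <anonymousAuthentication enabled="false" />
        Console.WriteLine("Windows Authentication on '{0}' now offers Negotiate:Kerberos only.", siteName);
    }
}
```

Before committing this on a production site, confirm the SPN (HTTP/host.fqdn) is registered on the application pool identity and that clients reach the site by that name; with NTLM gone there is no fallback to mask an SPN mistake, so every client without a usable ticket, including non-domain machines and anyone browsing by IP address, gets a 401.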