Some questions on IIS on Windows 2008
Max (Weijun) Wang
Weijun.Wang at Sun.COM
Tue Jan 19 02:03:41 PST 2010
On Jan 19, 2010, at 5:45 PM, Michael McMahon wrote:
> Max (Weijun) Wang wrote:
>> Hi All
>>
>> I've just installed a Windows 2008 system with IIS, and find
>> something confusing:
>>
>> 1. What does "Enable Kernel-mode authentication" mean?
>>
>> When it's turned on, I can successfully authenticate using NTLM.
>> When it's off, the three NTLM packets look fine, but the server
>> does not return 200 OK. In fact, it simply restarts the
>> authentication process with headers just like the initial response.
>>
> It seems to be something to do with the way IIS gets hold of
> the authentication credentials
> from the OS. There's a brief note on it here:
> http://technet.microsoft.com/en-us/library/cc771945.aspx
Don't quite understand the note: "One of the benefits of Negotiable 2
protocol support in IIS is the ability to configure explicit Kerberos
authentication that does not use NTLM if the client does not support
Kerberos". Should the last word be "NTLM"?
I still see the 3 NTLM packets in the request/response headers, so
this NegoEx still understands NTLM. Strange.
>
>> 2. Kerberos (or SPNEGO) does not work?
>>
>> I've configured the client to create a SPNEGO initial token and
>> sent it to the server, the server returns neither OK nor an error
>> token, again, it simply restarts the authentication process with
>> headers just like the initial response.
>>
> They seem to have introduced a new extension of SPNEGO called
> NEGOEX. Is it possible
> this mechanism is in use, instead of the old spnego?
Maybe not. The note says NEGOEX is only used in non-kernel-mode auth.
I've just resolved this issue. The system *was* using a
system-generated hostname that looks like WIN-7HBS7S7HSBA; after
changing it into a normal human-friendly name, SPNEGO works for
kernel-mode auth.
As for non-kernel-mode auth, since MSDN says that another identity is
running the IIS process and SPNEGO is mutual authentication, I guess
I'll need to find out who this "another identity" is.
Thanks
Max
>
> - Michael
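The symptom Max describes (three NTLM legs that look fine, then a bare challenge instead of 200 OK, or a SPNEGO initial token answered with a restart) is easier to pin down if the Negotiate tokens in the headers are classified mechanically. The following is an added example, not code from the thread or from OpenJDK; the token stubs and the exchange are constructed, minimal messages, not captures from the IIS server discussed.

```python
import base64

# DER encoding of the SPNEGO OID 1.3.6.1.5.5.2 (tag 0x06, length 6, value bytes)
SPNEGO_OID_DER = bytes.fromhex("06062b0601050502")
NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NTLM Type 1 (Negotiate)",
              2: "NTLM Type 2 (Challenge)",
              3: "NTLM Type 3 (Authenticate)"}


def classify_token(header_value):
    """Classify an Authorization / WWW-Authenticate header value.
    A bare scheme with no token is the server asking the client to start over."""
    parts = header_value.split(None, 1)
    if len(parts) < 2:
        return "empty challenge"
    raw = base64.b64decode(parts[1])
    if raw.startswith(NTLM_SIGNATURE) and len(raw) >= 12:
        msg_type = int.from_bytes(raw[8:12], "little")   # NTLM MessageType field
        return NTLM_TYPES.get(msg_type, "NTLM unknown type")
    if raw[:1] == b"\x60" and SPNEGO_OID_DER in raw[:16]:
        return "SPNEGO NegTokenInit"     # GSS-API InitialContextToken carrying the SPNEGO OID
    if raw[:1] == b"\xa1":
        return "SPNEGO NegTokenResp"     # [1] context tag: server-side reply
    return "unknown"


def diagnose(exchange):
    """exchange: list of (sender, status, header_value) in wire order; returns findings."""
    findings, last_client = [], None
    for sender, status, value in exchange:
        kind = classify_token(value)
        if sender == "client":
            last_client = kind
        elif status == 200:
            findings.append("accepted after %s" % last_client)
        elif kind == "empty challenge" and last_client in (
                "NTLM Type 3 (Authenticate)", "SPNEGO NegTokenInit"):
            findings.append("server restarted authentication after %s" % last_client)
    return findings


def ntlm_stub(msg_type):
    # Constructed minimal NTLM message: signature + type + zero padding (enough for the classifier)
    return base64.b64encode(NTLM_SIGNATURE + msg_type.to_bytes(4, "little") + b"\x00" * 20).decode()

# Constructed NegTokenInit: APPLICATION 0 header, SPNEGO OID, empty mechTypes list
SPNEGO_INIT_STUB = base64.b64encode(bytes.fromhex("600c" + "06062b0601050502" + "a0023000")).decode()

# Constructed exchange reproducing symptom 1: three NTLM legs, then a bare challenge instead of 200
SAMPLE_EXCHANGE = [("client", None, "Negotiate " + ntlm_stub(1)),
                   ("server", 401, "Negotiate " + ntlm_stub(2)),
                   ("client", None, "Negotiate " + ntlm_stub(3)),
                   ("server", 401, "Negotiate")]
```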