PROBLEMS with AuthenticationType being NTLM and Negotiate

Discussion in 'ASP .Net Security' started by tepe.hughes, Aug 25, 2005.

  1. tepe.hughes

    tepe.hughes Guest

    I have two webservers running the same aspx pages. (The webpage allows
    Active Directory Editing).

    These pages run fine on the 1st server but not on the second server (it
    errors with Logon failure: unknown user name or bad password).

    The web.config file (on both servers) have these options set

    authentication mode="Windows"
    deny users="?"
    identity impersonate="true"

    After some looking around the only difference I can see between the two
    server is that the 1st server reports that
    Page.User.Identity.AuthenticationType is "NTLM" while the 2nd
    server reports "Negotiate".

    Both servers are in the same domain, as far as I can tell both iis
    setting are the same.

    Can only one help me out?
     
    tepe.hughes, Aug 25, 2005
    #1
    1. Advertisements

  2. Hello ,

    to access remote Active Directory using impersonated credentials, delegation
    has to be enabled for both web server. this is done in Active Directoy Users
    and Computers. Select the "Trust this Computer for Delegation" check box.

    Another important part is, that the authentication between browser and web
    server has to be done via Kerberos. Have a look in the security event log
    on your servers, you should see logon events for the client running the browser.
    The authentication package has to be Kerberos. If you see NTLM, this can
    have various reasons.

    also check out keiths new article in msdnmag:
    http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx
     
    Dominick Baier [DevelopMentor], Aug 25, 2005
    #2
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.