Network Security Focus-Microsoft

RE: Kerberos & NTLM Auth in IIS6

Subject: RE: Kerberos & NTLM Auth in IIS6
Date: Fri, 10 Jun 2005 08:18:44 -0700
Figured this one out...

The client was not registering itself in DNS.  At least it works now. 

Thanks all!

Trevor

-----Original Message-----
From: Burak BAYOGLU [mailto:bayoglu@uekae.tubitak.gov.tr] 
Sent: Friday, June 10, 2005 5:13 AM
To: Trevor
Cc: focus-ms@securityfocus.com
Subject: Re: Kerberos & NTLM Auth in IIS6

If you are using Internet Explorer,

First make sure the site is displayed in

Tools -> Internet Options -> Security -> Local Intranet

Second make sure that the IE Security Settings are appropriate.

It shall be:

Security Settings -> User Authentication -> Logon -> Automatically logon
only in Intranet Zone

"Prompt for user name and password" option may be active at the machine
which prompts for logon. If this does not work, you probably have
trouble with LMCompatibilityLevel which is located at:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa

If the value is "0", Clients use LM and NTLM authentication, but they
never use NTLMv2 session security. (See:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/76052.asp)

There may be other problems related to operation of NTLMv2
authentication.
(e.g. lack of clock synchronization, disabled computer account etc.)

I hope it helps,

Burak Bayoglu
TUBITAK UEKAE
Senior Researcher
CISA, CISSP

I have two machines, very similar patch level, both XP Pro SP1. They 
are accessing an internal site (the website is identified as "Local 
Intranet" by both machines) that is set up to use only Integrated 
Authentication.

One machine sends NTLM authentication, which fails, prompting the user
with a username/password dialog box. The same user can log onto a
different machine and that machine uses Kerberos auth, which I get the
typical IE of attempting anon. access first, then using Integrated
Auth and succeeding without a username/password dialog box.

What should I be looking for to find out why one machine is not using 
Kerberos while another machine is?

Thanks,

Trevor
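
To confirm which mechanism each workstation offers to IIS, the `Authorization` header seen in a proxy log or packet capture can be classified as below. This is an added example, not part of the original thread: the function names and both sample headers are constructed for illustration, and the SPNEGO branch is a byte-pattern heuristic rather than a full DER parser.

```python
import base64
import struct

# DER-encoded mechanism OIDs as they appear inside a SPNEGO mechTypes list.
KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
MECHS = {KRB5: "Kerberos", MS_KRB5: "Kerberos", NTLMSSP: "NTLM"}
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}


def classify_authorization(value):
    """Label the mechanism carried in an HTTP Authorization header value."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    # Raw NTLMSSP: 8-byte signature, then a little-endian message type.
    if token.startswith(b"NTLMSSP\x00") and len(token) >= 12:
        msg_type = struct.unpack_from("<I", token, 8)[0]
        return "NTLM " + NTLM_TYPES.get(msg_type, "unknown")
    # GSS-API initial token: tag 0x60, length, then the mechanism OID.
    if token[:1] == b"\x60" and SPNEGO in token[:16]:
        # Heuristic, not a full DER parse: the mech listed first is the
        # one the client prefers.
        hits = sorted((token.find(o), n) for o, n in MECHS.items() if o in token)
        return "SPNEGO " + (hits[0][1] if hits else "unknown") + " preferred"
    if token[:1] == b"\x60" and (KRB5 in token[:16] or MS_KRB5 in token[:16]):
        return "Kerberos"
    return "unrecognised"


def sample_spnego(*mechs):
    """Constructed, truncated NegTokenInit: a mechTypes list and no mechToken."""
    def tlv(tag, body):
        return bytes([tag, len(body)]) + body  # short-form lengths only
    inner = tlv(0x30, tlv(0xA0, tlv(0x30, b"".join(mechs))))
    return tlv(0x60, SPNEGO + tlv(0xA0, inner))


def header(scheme, token):
    return scheme + " " + base64.b64encode(token).decode("ascii")


# Constructed samples standing in for the two workstations in the thread.
FAILING_PC = header("Negotiate", b"NTLMSSP\x00" + struct.pack("<II", 1, 0))
WORKING_PC = header("Negotiate", sample_spnego(MS_KRB5, KRB5, NTLMSSP))
```

A client that sends a raw NTLMSSP token under `Negotiate` did not obtain a Kerberos service ticket for the site, which points the investigation at name resolution, clock skew, or the computer account rather than at IIS.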

