Network Security Focus-Microsoft

RE: Kerberos & NTLM Auth in IIS6

Subject: RE: Kerberos & NTLM Auth in IIS6
Date: Fri, 17 Jun 2005 14:11:19 +1000
In your IIS metabase, what Authentication Providers do you have set? Both
NTLM and Kerberos (Negotiate)? Or just one or the other?

I'm struggling to think why IWA would stop working just because a client
changes from dynamic to static IP address (or vice versa). If the client is
having problems registering an entry in the DNS, and the DNS is AD-integrated
and only allows secure updates, then I think you have other authentication
issues which are then showing up as failures in, say, Kerberos authentication
to your web app.

But let's start by verifying what authentication mechanisms your server is
set to use. Then we can look at what tools we should be using to diagnose the
issue.

Cheers
Ken

--
IIS Stuff: www.adOpenStatic.com/cs/blogs/ken/ 

: -----Original Message-----
: From: Trevor [mailto:trevor@rottdog.com]
: Sent: Thursday, 16 June 2005 10:35 AM
: To: focus-ms@securityfocus.com
: Subject: RE: Kerberos & NTLM Auth in IIS6
: 
: Thanks, though currently we are not using NTLMv2 authentication for RPC
: applications (LMCompatibility is set to Send LM & NTLM).  I'm still
: finding this is hit and miss to get Integrated Auth to work properly
: with clients.  One client changed from DHCP, with which Integrated Auth
: worked fine, to a static IP and it no longer worked (even after removing
: DNS entries from the domain and forcing a registerdns).  All other
: settings look fine as to what was previously posted.
: 
: The question would be, why does it work for some but not others?  That
: is what I'm not understanding at this point.
: 
: Thanks,
: Trevor
: 
: -----Original Message-----
: From: nobody@nobody.com [mailto:nobody@nobody.com]
: Sent: Wednesday, June 15, 2005 3:53 AM
: To: focus-ms@securityfocus.com
: Subject: Re: Kerberos & NTLM Auth in IIS6
: 
: A little known fact regarding NTLMv2 is that only those applications
: that authenticate using the Local Security Authority (LSA) will be
: affected by the LMCompatibility mode setting. That includes file sharing
: and domain logons. A number of applications use the NTLM Security
: Support Provider Interface (NTLMSSP) to authenticate, and there is a
: separate setting to enable
: NTLMv2 for them. Examples of such applications include SQL Server (when
: using RPC) and many other (secure) RPC-based applications. NTLMv2 for
: NTLMSSP has to be enabled on a given machine, both for the machine's
: functionality as a server and as a client. The registry has to be edited
: to enable NTLMv2 for RPC.
: Edit the registry and set the appropriate keys. These keys do not exist
: by default or are set to 0.
: To set NTLMv2 security on the server side, add the following registry
: key. To set NTLMv2 security on the client (Windows 9x/NT/2000/XP) side,
: add the following registry key:
: 
: Enable NTLMv2 Authentication for NTLM Security Support Provider
: Interface (NTLMSSP) (mandatory)
: 
: Server side:
:   Hive:  HKEY_LOCAL_MACHINE
:   Key:   \System\CurrentControlSet\Control\Lsa\MSV1_0\
:   Name:  NtlmMinServerSec
:   Type:  REG_DWORD
:   Value: 0x00080000
: 
: Client side:
:   Hive:  HKEY_LOCAL_MACHINE
:   Key:   \System\CurrentControlSet\Control\Lsa\MSV1_0\
:   Name:  NtlmMinClientSec
:   Type:  REG_DWORD
:   Value: 0x00080000
: 
: NOTE:
: Both the client and server side have to be set to work properly.
: When the
: "HKLM\System\CurrentControlSet\control\LSA\LMCompatibilityLevel" does
: not enable a machine to negotiate NTLMv2 authentication, then this
: setting will make certain remote features fail (e.g. mapping of shares).
: So the LMCompatibilityLevel must be set to allow
: NTLMv2 authentication at the same time.
: We were made aware that in cluster solutions the LMCompatibilityLevel
: must be set to "Send LM and NTLM responses only" (see also:
: <http://support.microsoft.com/default.aspx?scid=kb;EN-US;q272129>)
: and that the registry settings above must not be made at all!
: You can find more information about s-RPC at:
: <http://support.microsoft.com/default.aspx?scid=kb;EN-US;q239869>
: and
: <http://support.microsoft.com/default.aspx?scid=kb;EN-US;q147706>
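An added example, not part of this thread or of any poster's own code: a PowerShell audit script that reads the NtlmMinClientSec/NtlmMinServerSec and LmCompatibilityLevel values discussed above and flags the mismatch the quoted post warns about (NtlmMin*Sec demanding NTLMv2 session security while LmCompatibilityLevel still only sends LM & NTLM). The level-to-text table is standard Windows semantics; treating an absent LmCompatibilityLevel as 0 is an assumption noted in the comments.

```powershell
# Added example (not from the thread): audit NTLMSSP minimum session security
# and LmCompatibilityLevel on this machine. Run in an elevated PowerShell.

$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10Key = Join-Path $LsaKey 'MSV1_0'

# Bit in NtlmMinClientSec / NtlmMinServerSec that requires NTLMv2 session
# security; 0x00080000 is exactly the value the quoted post sets.
$NtlmV2SessionSecurity = 0x00080000

# Meaning of LmCompatibilityLevel 0..5 (standard Windows semantics).
$LmLevelText = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }              # value not present
    # DWORDs come back as Int32; mask to Int64 so bits >= 0x80000000 stay positive
    return [uint32]($item.$Name -band 0xFFFFFFFF)
}

function Show-NtlmMinSec([string]$Name, $Value) {
    if ($null -eq $Value) { "$Name : (not set, SSP treats it as 0)"; return }
    $requiresV2 = ($Value -band $NtlmV2SessionSecurity) -ne 0
    '{0} : 0x{1:X8} (requires NTLMv2 session security: {2})' -f $Name, $Value, $requiresV2
}

$clientSec = Get-RegDword $Msv10Key 'NtlmMinClientSec'
$serverSec = Get-RegDword $Msv10Key 'NtlmMinServerSec'
$lmLevel   = Get-RegDword $LsaKey   'LmCompatibilityLevel'

Show-NtlmMinSec 'NtlmMinClientSec' $clientSec
Show-NtlmMinSec 'NtlmMinServerSec' $serverSec

# Assumption: an absent LmCompatibilityLevel behaves as 0 (the pre-Vista default).
$effectiveLevel = if ($null -eq $lmLevel) { 0 } else { [int]$lmLevel }
'LmCompatibilityLevel : {0} ({1})' -f $effectiveLevel, $LmLevelText[$effectiveLevel]

# The failure mode the post describes: NTLMv2 session security is demanded by
# NtlmMin*Sec, but level 0 never negotiates it, so NTLM-based features such as
# share mapping can fail. Level 1 and above can negotiate it.
$anyRequiresV2 = (($clientSec -band $NtlmV2SessionSecurity) -ne 0) -or
                 (($serverSec -band $NtlmV2SessionSecurity) -ne 0)
if ($anyRequiresV2 -and $effectiveLevel -eq 0) {
    Write-Warning 'NtlmMin*Sec requires NTLMv2 session security but LmCompatibilityLevel is 0: expect NTLM connection failures (e.g. share mapping).'
}
```

Run it on both the IIS host and an affected client; the two sides must agree, as the quoted post notes, before Integrated Windows Authentication behaviour can be compared between "working" and "broken" clients.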