Step by Step: Kerberos Single Hop Scenario


Hello All,


I have been thinking of writing a few step-by-step articles on Kerberos setup and troubleshooting. There are a few basic things we should remember when configuring Kerberos authentication in a Windows network.


Let's quickly get started with a very simple one-hop scenario.


ANJANEYA = Domain Controller
VIVEKKUMIIS = IIS Server
VIVEKKUMCLIENT = XP Client


We will configure IIS to use Windows Integrated Authentication on its Default Web Site, and we will browse the iisstart.htm page, which is the default page for IIS 6.0.


Configure IIS to use Windows Integrated Authentication



Now, let's request the page from the VIVEKKUMCLIENT machine.
Let's check what the IIS log shows. The logs are located at C:\WINDOWS\system32\LogFiles\W3SVC1 (default location).


2008-09-06 05:00:21 W3SVC1 192.168.0.3 GET / – 80 – 192.168.0.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254
2008-09-06 05:00:21 W3SVC1 192.168.0.3 GET /iisstart.htm – 80 DC\client 192.168.0.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 200 0 0

You will see sc-status and sc-substatus as 401 2 for cs-username –,
whereas sc-status and sc-substatus show 200 0 for cs-username DC\client.


Let's look at a network capture to see how authentication takes place and what the packets look like.



That looks good.
So what is a bad request? When can you say that the request was not good and that it failed? Any guesses?


The above request was a success with status 200 in the IIS log, but this request falls back on NTLM:


2008-09-06 04:51:58 W3SVC1 192.168.0.3 GET / – 80 – 192.168.0.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254
2008-09-06 04:51:58 W3SVC1 192.168.0.3 GET / – 80 – 192.168.0.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 401 1 0
2008-09-06 04:51:58 W3SVC1 192.168.0.3 GET /iisstart.htm – 80 DC\client 192.168.0.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 200 0 0

You will see sc-status and sc-substatus as 401 2 and 401 1 for cs-username –,
whereas sc-status and sc-substatus show 200 0 for cs-username DC\client.
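
The two log patterns above can be told apart automatically. This is an added example, not code from the original post: it labels each authenticated request by the 401 substatuses that preceded it from the same client IP. The field order, the per-IP grouping, the verdict names and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict

# Field order assumed from the sample log lines on this page (IIS 6.0, W3C format).
FIELDS = ["date", "time", "s-sitename", "s-ip", "cs-method", "cs-uri-stem",
          "cs-uri-query", "s-port", "cs-username", "c-ip", "cs(User-Agent)",
          "sc-status", "sc-substatus", "sc-win32-status"]

# Constructed sample: client .20 shows the two-line pattern, client .21 the three-line one.
SAMPLE = r"""#Software: constructed sample, not a real log
2008-09-06 05:00:21 W3SVC1 192.0.2.10 GET / - 80 - 192.0.2.20 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 2148074254
2008-09-06 05:00:21 W3SVC1 192.0.2.10 GET /iisstart.htm - 80 EXAMPLE\alice 192.0.2.20 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2008-09-06 05:02:10 W3SVC1 192.0.2.10 GET / - 80 - 192.0.2.21 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 2148074254
2008-09-06 05:02:10 W3SVC1 192.0.2.10 GET / - 80 - 192.0.2.21 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 0
2008-09-06 05:02:10 W3SVC1 192.0.2.10 GET /iisstart.htm - 80 EXAMPLE\bob 192.0.2.21 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2008-09-06 05:02:11 W3SVC1 192.0.2.10 GET /iisstart.htm - 80 EXAMPLE\bob 192.0.2.21 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
"""

def parse(line):
    """Split one log line into a dict; skip '#' directives and malformed lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def classify(lines):
    """Label each authenticated request by the 401 substatuses that preceded it."""
    pending = defaultdict(list)   # c-ip -> substatuses of 401s since the last success
    verdicts = {("2",): "kerberos", ("2", "1"): "ntlm-fallback", (): "no-challenge-seen"}
    results = []
    for rec in filter(None, map(parse, lines)):
        ip = rec["c-ip"]
        if rec["sc-status"] == "401":
            pending[ip].append(rec["sc-substatus"])
        elif rec["cs-username"] not in ("-", "–"):   # en dash as rendered on this page
            seen = tuple(pending.pop(ip, ()))
            results.append((rec["time"], ip, rec["cs-username"],
                            verdicts.get(seen, "unknown")))
    return results

if __name__ == "__main__":
    for row in classify(SAMPLE.splitlines()):
        print(*row)
```

Grouping by client IP is a heuristic: clients behind a shared address or with interleaved connections can mix their 401 lines, so treat the verdict as a lead to confirm in a network capture.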


I achieved the following by configuring IE..


Happy troubleshooting
See you soon with more scenarios..
