Step by Step: Kerberos Single Hop Scenario

Hello All,

I have been thinking of writing a few step-by-step articles on Kerberos setup and troubleshooting. There are a few basic things we should remember when configuring Kerberos authentication in a Windows network.

Let's quickly get started with a very simple one-hop scenario:

ANJANEYA = Domain Controller
VIVEKKUMIIS = IIS Server
VIVEKKUMCLIENT = XP Client

We will configure IIS to use Windows Integrated Authentication on its Default Web Site and then browse the iisstart.htm page, which is the default page for IIS 6.0.

Configure IIS to use Windows Integrated Authentication

Now, let's request the page from the VIVEKKUMCLIENT machine.
Let's check what the IIS log shows. The log files are in C:\WINDOWS\system32\LogFiles\W3SVC1 (default location).

2008-09-06 05:00:21 W3SVC1 192.168.0.3 GET / - 80 - 192.168.0.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254
2008-09-06 05:00:21 W3SVC1 192.168.0.3 GET /iisstart.htm - 80 DC\client 192.168.0.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 200 0 0

You will see sc-status and sc-substatus as 401 2 for cs-username -,
whereas sc-status and sc-substatus show 200 0 for cs-username DC\client.

Let's look at a network capture to see how authentication takes place and what the packets look like.

That looks good.
So what is a bad request? When can you say that the request was not good and it failed? Any guesses?

The above request was a success with status 200 in the IIS log, but this next request falls back on NTLM:

2008-09-06 04:51:58 W3SVC1 192.168.0.3 GET / - 80 - 192.168.0.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254
2008-09-06 04:51:58 W3SVC1 192.168.0.3 GET / - 80 - 192.168.0.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 401 1 0
2008-09-06 04:51:58 W3SVC1 192.168.0.3 GET /iisstart.htm - 80 DC\client 192.168.0.4 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 200 0 0

You will see sc-status and sc-substatus as 401 2 and 401 1 for cs-username -,
whereas sc-status and sc-substatus show 200 0 for cs-username DC\client.
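
The two log patterns above can be told apart mechanically. This Python script is an added example, not part of the original post: it walks IIS log lines per client and labels each authenticated 200 by the 401 substatuses that preceded it, following the post's reading (401.2 then 200 is Kerberos, an extra 401.1 is NTLM fallback). The field order, the function names and the verdict labels are assumptions made for this example.

```python
from collections import defaultdict

# Assumed field order (inferred from the post's sample lines; real logs state it in "#Fields:").
FIELDS = ("date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query "
          "s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus "
          "sc-win32-status").split()

def parse(line):
    """Return one log entry as a dict, or None for comments and odd lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def classify(lines):
    """Return (time, client, user, verdict) for every authenticated 200."""
    pending = defaultdict(list)   # c-ip -> substatuses of 401s seen so far
    results = []
    for entry in filter(None, map(parse, lines)):
        client, status = entry["c-ip"], entry["sc-status"]
        if status == "401":
            pending[client].append(entry["sc-substatus"])
            continue
        seen = pending.pop(client, [])      # any other status ends the run
        if status != "200" or entry["cs-username"] == "-":
            continue
        if "1" in seen:                     # extra 401.1 round trip
            verdict = "ntlm-fallback"
        elif "2" in seen:                   # 401.2 then straight to 200
            verdict = "kerberos"
        else:                               # no 401 logged before the 200
            verdict = "no-handshake-logged"
        results.append((entry["time"], client, entry["cs-username"], verdict))
    return results

# Constructed sample: the post's log lines with the user agent shortened.
UA = "Mozilla/4.0+(compatible;+MSIE+6.0)"
PRE = "W3SVC1 192.168.0.3 GET"
SAMPLE = [
    f"2008-09-06 04:51:58 {PRE} / - 80 - 192.168.0.4 {UA} 401 2 2148074254",
    f"2008-09-06 04:51:58 {PRE} / - 80 - 192.168.0.4 {UA} 401 1 0",
    rf"2008-09-06 04:51:58 {PRE} /iisstart.htm - 80 DC\client 192.168.0.4 {UA} 200 0 0",
    f"2008-09-06 05:00:21 {PRE} / - 80 - 192.168.0.4 {UA} 401 2 2148074254",
    rf"2008-09-06 05:00:21 {PRE} /iisstart.htm - 80 DC\client 192.168.0.4 {UA} 200 0 0",
]

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(*row)
```

The verdict is a log-based heuristic keyed on client IP only, so clients behind a shared address can mix; confirm a suspected fallback with a network capture, as the post does.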

I achieved the following by configuring IE..

Happy troubleshooting
See you soon with more scenarios..