Microsoft Windows Vista Community Forums - Vistaheads
Recommended Download



Welcome to the Microsoft Windows Vista Community Forums - Vistaheads, YOUR Largest Resource for Windows Vista related information.

You are currently viewing our boards as a guest which gives you limited access to view most discussions and access our other features. By joining our free community you will have access to post topics, communicate privately with other members (PM), respond to polls, upload content and access many other special features. Registration is fast, simple and absolutely free so , join our community today!

If you have any problems with the registration process or your account login, please contact us.

Driver Scanner

Re: IE, Cached domain credentials, kerberos on the internet

microsoft.public.internetexplorer.general






Speedup My PC
Reply
  #1 (permalink)  
Old 07-28-2008
PSI IT
 

Posts: n/a
Re: IE, Cached domain credentials, kerberos on the internet
Did you ever find a resolution to this? We are having the same exact problem
with cached credentials and sites in the local intranet zone. We get a page
cannot be displayed error. Very frustrating!


"Brian Yuill" wrote:

> Thanks Robert,
>
> Our users will be accessing secure sites (ours and others) and so I don't
> want to fiddle with/reduce TLS/SSL capabilities.
>
> To disable kerberos I could uncheck the IE's advanced option 'Enable
> Integrated Windows Integration'. That would have IE authenticate to our IIS
> site via NTLM. I've tried it and that works. Down side of this is that when
> connected to our network, which is most of the time and where kerberos does
> work, kerberos would not be used.
>
> In most cases IE appears to revert to NTLM when kerberos is not possible.
> Using cached domain credentials appears to be one case where it does not.
>
> I don't see others describing this problem and so am wondering if there is
> something unique in our configuration that I may be missing.
>
> Any thoughts appreciated,
> Brian
>
> "Robert Aldwinckle" wrote:
>
> > "Brian Yuill" <BrianYuill@discussions.microsoft.com> wrote in message
> > news:E98AFECE-57C0-4960-92F2-E88D1826126D@microsoft.com...
> >
> > > I understand IE should revert to NTLM when it realizes it can't get a
> > > kerberos ticket. In my case is goes looking for the DC for my cached
> > > credentials domain. When it goes no response it reports an error.
> > >
> > > Any suggestions on something I can try?

> >
> >
> > Try changing the set of encryption standards that IE uses?
> > E.g. in Options, Advanced tab, Security section do you have TLS 1.0
> > checked? If you didn't have any of those 3 checked wouldn't it have to
> > revert to NTLM? ; )
> >
> >
> > ---
> >
> >
> >

Reply With Quote
Sponsored Links
  #2 (permalink)  
Old 07-30-2008
Joris van Antwerpen
 

Posts: n/a
Re: IE, Cached domain credentials, kerberos on the internet
As I mentioned, I removed the entry from the "Local Intanet Zone". Not the
best solution. Maybe it's possible to conigure IIS so that only NTLM is used?

"PSI IT" wrote:

> Did you ever find a resolution to this? We are having the same exact problem
> with cached credentials and sites in the local intranet zone. We get a page
> cannot be displayed error. Very frustrating!
>
>
> "Brian Yuill" wrote:
>
> > Thanks Robert,
> >
> > Our users will be accessing secure sites (ours and others) and so I don't
> > want to fiddle with/reduce TLS/SSL capabilities.
> >
> > To disable kerberos I could uncheck the IE's advanced option 'Enable
> > Integrated Windows Integration'. That would have IE authenticate to our IIS
> > site via NTLM. I've tried it and that works. Down side of this is that when
> > connected to our network, which is most of the time and where kerberos does
> > work, kerberos would not be used.
> >
> > In most cases IE appears to revert to NTLM when kerberos is not possible.
> > Using cached domain credentials appears to be one case where it does not.
> >
> > I don't see others describing this problem and so am wondering if there is
> > something unique in our configuration that I may be missing.
> >
> > Any thoughts appreciated,
> > Brian
> >
> > "Robert Aldwinckle" wrote:
> >
> > > "Brian Yuill" <BrianYuill@discussions.microsoft.com> wrote in message
> > > news:E98AFECE-57C0-4960-92F2-E88D1826126D@microsoft.com...
> > >
> > > > I understand IE should revert to NTLM when it realizes it can't get a
> > > > kerberos ticket. In my case is goes looking for the DC for my cached
> > > > credentials domain. When it goes no response it reports an error.
> > > >
> > > > Any suggestions on something I can try?
> > >
> > >
> > > Try changing the set of encryption standards that IE uses?
> > > E.g. in Options, Advanced tab, Security section do you have TLS 1.0
> > > checked? If you didn't have any of those 3 checked wouldn't it have to
> > > revert to NTLM? ; )
> > >
> > >
> > > ---
> > >
> > >
> > >

Reply With Quote
  #3 (permalink)  
Old 07-31-2008
Brian Yuill
 

Posts: n/a
Re: IE, Cached domain credentials, kerberos on the internet
Hi Joris,

I've found no perfect solution yet.

When you removed it from the local intranet zone, I believe you will now be
prompted for credentials both inside and outside your local network (no
automatic login with cached credentials). Is that the case?

Not really viable for us as the bulk of our connections are on our local
network.

I'm still considering reconfiguring iss to remove kerberos for integrated
security, which will force NTLM.

We're still running iis 5.0 (server 2000) and so I can't set it on a site by
site basis. When we move to iis 6 (server 2003) I may set NTLM on the subset
of sites that are accessed from the outside world.

Brian


"Joris van Antwerpen" wrote:

> As I mentioned, I removed the entry from the "Local Intanet Zone". Not the
> best solution. Maybe it's possible to conigure IIS so that only NTLM is used?
>
> "PSI IT" wrote:
>
> > Did you ever find a resolution to this? We are having the same exact problem
> > with cached credentials and sites in the local intranet zone. We get a page
> > cannot be displayed error. Very frustrating!
> >
> >
> > "Brian Yuill" wrote:
> >
> > > Thanks Robert,
> > >
> > > Our users will be accessing secure sites (ours and others) and so I don't
> > > want to fiddle with/reduce TLS/SSL capabilities.
> > >
> > > To disable kerberos I could uncheck the IE's advanced option 'Enable
> > > Integrated Windows Integration'. That would have IE authenticate to our IIS
> > > site via NTLM. I've tried it and that works. Down side of this is that when
> > > connected to our network, which is most of the time and where kerberos does
> > > work, kerberos would not be used.
> > >
> > > In most cases IE appears to revert to NTLM when kerberos is not possible.
> > > Using cached domain credentials appears to be one case where it does not.
> > >
> > > I don't see others describing this problem and so am wondering if there is
> > > something unique in our configuration that I may be missing.
> > >
> > > Any thoughts appreciated,
> > > Brian
> > >
> > > "Robert Aldwinckle" wrote:
> > >
> > > > "Brian Yuill" <BrianYuill@discussions.microsoft.com> wrote in message
> > > > news:E98AFECE-57C0-4960-92F2-E88D1826126D@microsoft.com...
> > > >
> > > > > I understand IE should revert to NTLM when it realizes it can't get a
> > > > > kerberos ticket. In my case is goes looking for the DC for my cached
> > > > > credentials domain. When it goes no response it reports an error.
> > > > >
> > > > > Any suggestions on something I can try?
> > > >
> > > >
> > > > Try changing the set of encryption standards that IE uses?
> > > > E.g. in Options, Advanced tab, Security section do you have TLS 1.0
> > > > checked? If you didn't have any of those 3 checked wouldn't it have to
> > > > revert to NTLM? ; )
> > > >
> > > >
> > > > ---
> > > >
> > > >
> > > >

Reply With Quote
  #4 (permalink)  
Old 08-20-2008
Eric
 

Posts: n/a
Re: IE, Cached domain credentials, kerberos on the internet
Have you considered creating multiple host headers/URLs to the same sites.
You could then have users use one set of favorites when local and put those
urls into the local intranet and have the other urls trusted.

"Brian Yuill" wrote:

> Hi Joris,
>
> I've found no perfect solution yet.
>
> When you removed it from the local intranet zone, I believe you will now be
> prompted for credentials both inside and outside your local network (no
> automatic login with cached credentials). Is that the case?
>
> Not really viable for us as the bulk of our connections are on our local
> network.
>
> I'm still considering reconfiguring iss to remove kerberos for integrated
> security, which will force NTLM.
>
> We're still running iis 5.0 (server 2000) and so I can't set it on a site by
> site basis. When we move to iis 6 (server 2003) I may set NTLM on the subset
> of sites that are accessed from the outside world.
>
> Brian
>
>
> "Joris van Antwerpen" wrote:
>
> > As I mentioned, I removed the entry from the "Local Intanet Zone". Not the
> > best solution. Maybe it's possible to conigure IIS so that only NTLM is used?
> >
> > "PSI IT" wrote:
> >
> > > Did you ever find a resolution to this? We are having the same exact problem
> > > with cached credentials and sites in the local intranet zone. We get a page
> > > cannot be displayed error. Very frustrating!
> > >
> > >
> > > "Brian Yuill" wrote:
> > >
> > > > Thanks Robert,
> > > >
> > > > Our users will be accessing secure sites (ours and others) and so I don't
> > > > want to fiddle with/reduce TLS/SSL capabilities.
> > > >
> > > > To disable kerberos I could uncheck the IE's advanced option 'Enable
> > > > Integrated Windows Integration'. That would have IE authenticate to our IIS
> > > > site via NTLM. I've tried it and that works. Down side of this is that when
> > > > connected to our network, which is most of the time and where kerberos does
> > > > work, kerberos would not be used.
> > > >
> > > > In most cases IE appears to revert to NTLM when kerberos is not possible.
> > > > Using cached domain credentials appears to be one case where it does not.
> > > >
> > > > I don't see others describing this problem and so am wondering if there is
> > > > something unique in our configuration that I may be missing.
> > > >
> > > > Any thoughts appreciated,
> > > > Brian
> > > >
> > > > "Robert Aldwinckle" wrote:
> > > >
> > > > > "Brian Yuill" <BrianYuill@discussions.microsoft.com> wrote in message
> > > > > news:E98AFECE-57C0-4960-92F2-E88D1826126D@microsoft.com...
> > > > >
> > > > > > I understand IE should revert to NTLM when it realizes it can't get a
> > > > > > kerberos ticket. In my case is goes looking for the DC for my cached
> > > > > > credentials domain. When it goes no response it reports an error.
> > > > > >
> > > > > > Any suggestions on something I can try?
> > > > >
> > > > >
> > > > > Try changing the set of encryption standards that IE uses?
> > > > > E.g. in Options, Advanced tab, Security section do you have TLS 1.0
> > > > > checked? If you didn't have any of those 3 checked wouldn't it have to
> > > > > revert to NTLM? ; )
> > > > >
> > > > >
> > > > > ---
> > > > >
> > > > >
> > > > >

Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Cached Credentials Problem MICHELE MARAN microsoft.public.windows.vista.general 0 08-26-2008 00:05
Re: IE, Cached domain credentials, kerberos on the internet Joris van Antwerpen microsoft.public.internetexplorer.general 0 07-18-2008 13:16
VPN with Vista - cached credentials Mrashruf microsoft.public.windows.vista.networking sharing 2 04-20-2008 13:29
cached credentials for mapped drives and elevation Pete Delgado microsoft.public.windows.vista.networking sharing 6 08-03-2007 16:45
Remote Desktop cached credentials Jeff Vandervoort microsoft.public.windows.vista.networking sharing 2 08-01-2007 16:04




All times are GMT +1. The time now is 16:09.




Driver Scanner - Free Scan Now

Vistaheads.com is part of the Heads Network. See also XPHeads.com , Win7Heads.com and Win8Heads.com.


Design by Vjacheslav Trushkin for phpBBStyles.com.
Powered by vBulletin® Version 3.6.7
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Search Engine Optimization by vBSEO 3.6.0 RC 2

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120