
08-20-2008
Re: IE, Cached domain credentials, kerberos on the internet
Have you considered creating multiple host headers/URLs to the same sites?
You could then have users use one set of favorites when local and put those
URLs into the local intranet and have the other URLs trusted.
"Brian Yuill" wrote:
> Hi Joris,
>
> I've found no perfect solution yet.
>
> When you removed it from the local intranet zone, I believe you will now be
> prompted for credentials both inside and outside your local network (no
> automatic login with cached credentials). Is that the case?
>
> Not really viable for us as the bulk of our connections are on our local
> network.
>
> I'm still considering reconfiguring IIS to remove kerberos for integrated
> security, which will force NTLM.
>
> We're still running iis 5.0 (server 2000) and so I can't set it on a site by
> site basis. When we move to iis 6 (server 2003) I may set NTLM on the subset
> of sites that are accessed from the outside world.
>
> Brian
>
>
> "Joris van Antwerpen" wrote:
>
> > As I mentioned, I removed the entry from the "Local Intranet Zone". Not the
> > best solution. Maybe it's possible to configure IIS so that only NTLM is used?
> >
> > "PSI IT" wrote:
> >
> > > Did you ever find a resolution to this? We are having the same exact problem
> > > with cached credentials and sites in the local intranet zone. We get a page
> > > cannot be displayed error. Very frustrating!
> > >
> > >
> > > "Brian Yuill" wrote:
> > >
> > > > Thanks Robert,
> > > >
> > > > Our users will be accessing secure sites (ours and others) and so I don't
> > > > want to fiddle with/reduce TLS/SSL capabilities.
> > > >
> > > > To disable kerberos I could uncheck the IE's advanced option 'Enable
> > > > Integrated Windows Integration'. That would have IE authenticate to our IIS
> > > > site via NTLM. I've tried it and that works. Down side of this is that when
> > > > connected to our network, which is most of the time and where kerberos does
> > > > work, kerberos would not be used.
> > > >
> > > > In most cases IE appears to revert to NTLM when kerberos is not possible.
> > > > Using cached domain credentials appears to be one case where it does not.
> > > >
> > > > I don't see others describing this problem and so am wondering if there is
> > > > something unique in our configuration that I may be missing.
> > > >
> > > > Any thoughts appreciated,
> > > > Brian
> > > >
> > > > "Robert Aldwinckle" wrote:
> > > >
> > > > > "Brian Yuill" <BrianYuill@discussions.microsoft.com> wrote in message
> > > > > news:E98AFECE-57C0-4960-92F2-E88D1826126D@microsoft.com...
> > > > >
> > > > > > I understand IE should revert to NTLM when it realizes it can't get a
> > > > > > > kerberos ticket. In my case it goes looking for the DC for my cached
> > > > > > > credentials domain. When it gets no response it reports an error.
> > > > > >
> > > > > > Any suggestions on something I can try?
> > > > >
> > > > >
> > > > > Try changing the set of encryption standards that IE uses?
> > > > > E.g. in Options, Advanced tab, Security section do you have TLS 1.0
> > > > > checked? If you didn't have any of those 3 checked wouldn't it have to
> > > > > revert to NTLM? ; )
> > > > >
> > > > >
> > > > > ---
> > > > >
> > > > >
> > > > >