
04-24-2010
Re: Negotiate,NTLM. IE does not try NTLM after kerberos fails
"Jason6787" wrote:
> Did anyone find a solution to this issue in Windows XP other than unchecking
> the "Enable Integrated Authentication"
>
> It seems like a registry key somewhere that could be modified to enable it
> to fail over, but having trouble finding anything - any "fix" for this?
>
> "Arkady" wrote:
>
> > We experienced same problem, when both sides (web server, client)
> > support kerberos and NTLM and Integrated Windows Authentication on
> > client is enabled, after Kerberos fail it will not fall back to NTLM.
> > When I use some type of proxy (eg. Fiddler) it works fine, in other
> > browser too (Firefox)
> >
> > It seems that it is by (faulty) design.
> >
> > With Windows 7 + IE 8 it works correctly as expected
> >
> > > On 13 Jul, 21:46, briend <bri...@discussions.microsoft.com> wrote:
> > > I'm not sure I understand, but both machines are bound to the AD server which
> > > also serves DNS. The web server is a separate server also bound to AD. All
> > > the kerberos settings and SPNs are configured correctly and everything works
> > > fine unless you introduce a firewall that blocks kerberos or DNS or CLDAP and
> > > you have expired tickets. In this case only Firefox will work correctly, and
> > > IE will be broken with really no work-around other than VPN or log in as a
> > > local machine user instead of you domain account.
> > >
> > > Brien
> > >
> > >
> > >
> > > "Peter Foldes" wrote:
> > > > Quick question The XP and the OSX are connected and feeding with which server.
> > >
> > > > --
> > > > Peter
> >
> >
This statement caught my attention. I believe the core of the issue has to
do with Microsoft's Kerberos.dll and something that may be difficult for
them to change because their solution is really bad.
CAUSE
In Microsoft Security Bulletin MS04-011, which is also included in Windows
XP SP2, there is a change in the Kerberos authentication. It no longer allows
for a fallback to NTLM when a domain controller cannot be accessed. If you
cannot contact a Key Distribution Center (KDC), you cannot connect to
resources.
http://support.microsoft.com/kb/891559
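As an added illustration (not code from this thread, from Microsoft, or from the KB article), the following Python models the HTTP 401 exchange the posters describe: a server offering both Negotiate and NTLM, and a client that either falls back to NTLM when no KDC can be reached or, in the post-MS04-011 behaviour the KB describes, gives up. The SPN, the server, the unreachable KDC and the token contents are all assumptions made for the example; the tokens are placeholder strings, not real SPNEGO or NTLMSSP messages.

```python
"""Negotiate/NTLM scheme selection with and without NTLM fallback.

Constructed example. The client, server, KDC and tokens are abstract
models: tokens are placeholder strings, not real SPNEGO or NTLMSSP
messages. The two client policies model the behaviours discussed above:
fallback_to_ntlm=True tries NTLM when no KDC can be reached;
fallback_to_ntlm=False (the behaviour KB 891559 describes) fails instead.
"""
import base64
from dataclasses import dataclass, field

SPN = "HTTP/web.example.com"  # assumed service principal name


class KdcUnreachable(Exception):
    """No Kerberos KDC could be contacted (e.g. port 88 blocked by a firewall)."""


def parse_www_authenticate(values):
    """Return the schemes offered in one or more WWW-Authenticate values, in order.

    Handles both the repeated-header form (["Negotiate", "NTLM"]) and the
    comma-joined form (["Negotiate, NTLM"]). Only the scheme name is kept;
    challenge data after it (an NTLM Type 2 blob, a Basic realm) is dropped.
    Naive about commas inside quoted realm strings, which is fine for the
    token-based schemes modelled here.
    """
    schemes = []
    for value in values:
        for challenge in value.split(","):
            challenge = challenge.strip()
            if challenge:
                schemes.append(challenge.split(None, 1)[0])
    return schemes


@dataclass
class Server:
    """Web server offering a fixed set of schemes; accepts any non-empty token."""
    schemes: tuple = ("Negotiate", "NTLM")

    def handle(self, authorization=None):
        """Return (status, www_authenticate_values) for one request."""
        if authorization:
            scheme, _, token = authorization.partition(" ")
            if scheme in self.schemes and token.strip():
                return 200, []
        return 401, list(self.schemes)


@dataclass
class Client:
    kdc_reachable: bool
    fallback_to_ntlm: bool
    log: list = field(default_factory=list)

    def kerberos_token(self, spn):
        """Stand-in for acquiring a service ticket for spn from the KDC."""
        if not self.kdc_reachable:
            raise KdcUnreachable(spn)
        return base64.b64encode(f"PLACEHOLDER-AP-REQ:{spn}".encode()).decode()

    def ntlm_token(self):
        """Stand-in for an NTLMSSP Type 1 (negotiate) message."""
        return base64.b64encode(b"PLACEHOLDER-NTLMSSP-TYPE1").decode()

    def authenticate(self, server, spn=SPN):
        """Drive the 401 exchange; return 'Kerberos', 'NTLM' or 'failed'."""
        status, challenges = server.handle()
        if status == 200:
            return "anonymous"
        offered = parse_www_authenticate(challenges)
        self.log.append(f"401 offered {offered}")

        if "Negotiate" in offered:
            try:
                token = self.kerberos_token(spn)
            except KdcUnreachable:
                self.log.append("KDC unreachable; no Kerberos ticket")
                if not self.fallback_to_ntlm:
                    self.log.append("no-fallback policy: giving up")
                    return "failed"
            else:
                status, _ = server.handle(f"Negotiate {token}")
                if status == 200:
                    return "Kerberos"

        if "NTLM" in offered:
            status, _ = server.handle(f"NTLM {self.ntlm_token()}")
            if status == 200:
                self.log.append("authenticated with NTLM")
                return "NTLM"
        return "failed"


if __name__ == "__main__":
    for reachable, fallback in [(True, False), (False, True), (False, False)]:
        client = Client(kdc_reachable=reachable, fallback_to_ntlm=fallback)
        print(reachable, fallback, client.authenticate(Server()), client.log)
```

In real deployments the Negotiate scheme is SPNEGO, which can itself carry NTLMSSP as an inner mechanism; the raw NTLM scheme is modelled separately here only to keep the fallback decision visible. The third configuration in the demo loop (KDC unreachable, no fallback) is the situation the thread describes for IE on XP SP2.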