Microsoft Windows Vista Community Forums - Vistaheads
Re: Negotiate,NTLM. IE does not try NTLM after kerberos fails

microsoft.public.internetexplorer.general






  #1 (permalink)  
Old 07-29-2009
Arkady
 

Posts: n/a
Re: Negotiate,NTLM. IE does not try NTLM after kerberos fails
We experienced the same problem: when both sides (web server, client)
support Kerberos and NTLM, and Integrated Windows Authentication on the
client is enabled, after Kerberos fails it will not fall back to NTLM.
When I use some type of proxy (e.g. Fiddler) it works fine, and in other
browsers too (Firefox).

It seems that it is by (faulty) design.

With Windows 7 + IE 8 it works correctly, as expected.

On 13 July, 21:46, briend <bri...@discussions.microsoft.com> wrote:
> I'm not sure I understand, but both machines are bound to the AD server which
> also serves DNS. The web server is a separate server also bound to AD. All
> the Kerberos settings and SPNs are configured correctly and everything works
> fine unless you introduce a firewall that blocks Kerberos or DNS or CLDAP and
> you have expired tickets. In this case only Firefox will work correctly, and
> IE will be broken with really no work-around other than VPN or log in as a
> local machine user instead of your domain account.
>
> Brien
>
> "Peter Foldes" wrote:
> > Quick question: the XP and the OSX are connected and feeding with which server?
> >
> > --
> > Peter


Reply With Quote
  #2 (permalink)  
Old 10-27-2009
Jason6787
 

Posts: n/a
Re: Negotiate,NTLM. IE does not try NTLM after kerberos fails
Did anyone find a solution to this issue in Windows XP other than unchecking
the "Enable Integrated Authentication"?

It seems like there is a registry key somewhere that could be modified to enable it
to fail over, but I am having trouble finding anything - any "fix" for this?

"Arkady" wrote:

> We experienced the same problem: when both sides (web server, client)
> support Kerberos and NTLM, and Integrated Windows Authentication on the
> client is enabled, after Kerberos fails it will not fall back to NTLM.
> When I use some type of proxy (e.g. Fiddler) it works fine, and in other
> browsers too (Firefox).
>
> It seems that it is by (faulty) design.
>
> With Windows 7 + IE 8 it works correctly, as expected.
>
> On 13 July, 21:46, briend <bri...@discussions.microsoft.com> wrote:
> > I'm not sure I understand, but both machines are bound to the AD server which
> > also serves DNS. The web server is a separate server also bound to AD. All
> > the Kerberos settings and SPNs are configured correctly and everything works
> > fine unless you introduce a firewall that blocks Kerberos or DNS or CLDAP and
> > you have expired tickets. In this case only Firefox will work correctly, and
> > IE will be broken with really no work-around other than VPN or log in as a
> > local machine user instead of your domain account.
> >
> > Brien
> >
> > "Peter Foldes" wrote:
> > > Quick question: the XP and the OSX are connected and feeding with which server?
> > >
> > > --
> > > Peter


Reply With Quote
  #3 (permalink)  
Old 04-24-2010
Glen Orenstein
 

Posts: n/a
Re: Negotiate,NTLM. IE does not try NTLM after kerberos fails


"Jason6787" wrote:

> Did anyone find a solution to this issue in Windows XP other than unchecking
> the "Enable Integrated Authentication"?
>
> It seems like there is a registry key somewhere that could be modified to enable it
> to fail over, but I am having trouble finding anything - any "fix" for this?
>
> "Arkady" wrote:
>
> > We experienced the same problem: when both sides (web server, client)
> > support Kerberos and NTLM, and Integrated Windows Authentication on the
> > client is enabled, after Kerberos fails it will not fall back to NTLM.
> > When I use some type of proxy (e.g. Fiddler) it works fine, and in other
> > browsers too (Firefox).
> >
> > It seems that it is by (faulty) design.
> >
> > With Windows 7 + IE 8 it works correctly, as expected.
> >
> > On 13 July, 21:46, briend <bri...@discussions.microsoft.com> wrote:
> > > I'm not sure I understand, but both machines are bound to the AD server which
> > > also serves DNS. The web server is a separate server also bound to AD. All
> > > the Kerberos settings and SPNs are configured correctly and everything works
> > > fine unless you introduce a firewall that blocks Kerberos or DNS or CLDAP and
> > > you have expired tickets. In this case only Firefox will work correctly, and
> > > IE will be broken with really no work-around other than VPN or log in as a
> > > local machine user instead of your domain account.
> > >
> > > Brien
> > >
> > > "Peter Foldes" wrote:
> > > > Quick question: the XP and the OSX are connected and feeding with which server?
> > > >
> > > > --
> > > > Peter


This statement caught my attention. I believe the core of the issue has
to do with Microsoft’s Kerberos.dll and is something that may be difficult for
them to change because their solution is really bad.

CAUSE
In Microsoft Security Bulletin MS04-011, which is also included in Windows
XP SP2, there is a change in the Kerberos authentication. It no longer allows
for a fallback to NTLM when a domain controller cannot be accessed. If you
cannot contact a Key Distribution Center (KDC), you cannot connect to
resources.
http://support.microsoft.com/kb/891559


Reply With Quote
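
Added example (not part of the thread and not any poster's code): when reviewing a proxy capture such as the Fiddler trace mentioned above, the token inside each `Authorization: Negotiate` header shows whether the client sent a Kerberos/SPNEGO token or NTLM for that request. The function names and the sample tokens below are constructed for illustration.

```python
import base64
import struct

# DER-encoded mechanism OIDs found near the start of a GSS-API/SPNEGO token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECHS = {KRB5_OID: "kerberos", MS_KRB5_OID: "kerberos", NTLMSSP_OID: "ntlm"}
NTLM_SIG = b"NTLMSSP\x00"


def classify(header_value):
    """Return (scheme, mechanism) for one Authorization header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return scheme, "invalid-base64"
    if token.startswith(NTLM_SIG) and len(token) >= 12:
        # Bytes 8..11 hold the NTLM message type (1, 2 or 3), little-endian.
        return scheme, "ntlm-type%d" % struct.unpack_from("<I", token, 8)[0]
    if token[:1] == b"\x60":  # ASN.1 [APPLICATION 0]: GSS-API initial token
        head = token[:96]
        hits = sorted((head.find(oid), name) for oid, name in MECHS.items() if oid in head)
        if hits:
            # In SPNEGO the first listed mechanism is the one the client prefers.
            return scheme, hits[0][1]
    return scheme, "unknown"


def scan(capture):
    """Classify every Authorization line in a text capture copied from a proxy."""
    out = []
    for line in capture.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() in ("authorization", "proxy-authorization"):
            out.append(classify(value))
    return out


# Constructed sample tokens (token headers only, not taken from a real capture).
_b64 = lambda raw: base64.b64encode(raw).decode()
SAMPLE_KRB = _b64(b"\x60\x32" + SPNEGO_OID + bytes.fromhex("a0283026a0243022")
                  + MS_KRB5_OID + KRB5_OID + NTLMSSP_OID)
SAMPLE_NTLM = _b64(NTLM_SIG + struct.pack("<I", 1) + bytes(20))
SAMPLE_CAPTURE = ("GET /app HTTP/1.1\nAuthorization: Negotiate " + SAMPLE_KRB
                  + "\n\nGET /app HTTP/1.1\nAuthorization: Negotiate " + SAMPLE_NTLM + "\n")

if __name__ == "__main__":
    for scheme, mech in scan(SAMPLE_CAPTURE):
        print(scheme, "->", mech)
```

A `Negotiate` header that classifies as `ntlm-type1` or `ntlm` means the client offered NTLM rather than Kerberos for that request.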