tags:

views:

362

answers:

1
+2  Q: 

ASP.net kerberos dropping down to NTLM sporadically

Background (just the relevant pieces): We have a large intranet asp.net 2.0/3.5 app.
Web servers are Windows Server 2003 on an AD domain.
Clients are on Windows, IE 6-8. Windows Authentication, with a custom principal created from the Windows Identity. Web servers sit behind an F5 NLB which forwards the user to a specific web server. (The reason for this is a limitation w/ our company's F5 dealing w/ kerberos). There are no system wide problems like dropping sessions, or timeouts, or overloaded servers, everything's running fine in general.

One piece of functionality requires delegation - we are connecting to a network file share as the authenticated user, using the Kerberos token given to us by the domain/web server.

SPNs, ACLs, etc, seem to be set up properly.

99.x percent of the time, it all works. The problem we're seeing is every now and again, on a refresh, the token drops from kerberos down to ntlm. I can see the login on the web server's event log showing one call getting this:

Logon Process: Kerberos Authentication Package: Kerberos

And a subsequent call (usually after 10 or 20 page loads) getting this:

Logon Process: NtLmSsp Authentication Package: NTLM

Anyone have any insight as to what might be making a subsequent postback sometimes go NTLM?

Thanks!

+2  A: 

All the tools and techniques you need to identify the issue are in Troubleshooting Kerberos Errors. That document never failed me.

NTLM Fallback
You might find that the security log recorded an event in which logon occurred using NTLM when it should have occurred using Kerberos authentication.

Problem
There are two situations in which this might happen:
- The first situation is where the system attempts authentication using the Kerberos protocol but it fails. As a result, the system attempts to authenticate using NTLM. Windows Server 2003, Windows XP, and Windows 2000 use an algorithm called Negotiate (SPNEGO) to negotiate which authentication protocol is used. Although the Kerberos protocol is the default, if the default fails, Negotiate will try NTLM.
- The second situation is one in which a call to Negotiate returns NTLM as the only protocol available.

Confirmation
The first situation will result in a failed Kerberos authentication that you can investigate by examining errors in the event log or data packets captured by Network Monitor. Both investigation methods are discussed later in this document...

Remus Rusanu  2009-10-21 17:03:24
Nice, haven't seen that before. Thanks!
Tom DAurizio  2009-10-21 17:20:54

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps