views: 11

answers: 1

I have a web app that uses the Active Directory Membership Provider and when a user changes their password, they can login with either the old password or the new password for a while.

This KB article (http://support.microsoft.com/kb/906305/en-us) leads me to believe that this behavior is caused by NTLM authentication.

Is there a way to configure the AD Membership Provider to only do Kerberos Authentication and not NTLM?

NOTE: My app configures the provider with a minimum set of parameters, so every configuration setting is set to its default.

A: 

It does not appear that you can change the method used. It's odd that both passwords would still work unless the credentials are being cached locally as if it were a disconnected machine (similar to what happens when you disconnect a machine from a domain and log into it). This doesn't sound like something the provider itself is doing, unless the provider is caching credentials. I didn't see anything for expiration of credentials, which leads me to believe that it is not doing that.

It sounds odd that they could log in with both passwords; I would expect one or the other to work, depending on GC replication lag between DCs or something along those lines.

GrayWizardx
I believe from the KB article mentioned that this behavior is on the domain controller and has nothing to do with IIS/ASP.Net or the AD membership provider. But this behavior applies to NTLM authentication and not to Kerberos. So that is why I want the AD membership provider to use Kerberos.
Mark Arnott