
Kerberos: Troubleshooting Diagram

Published on Thursday, May 20, 2010

In the past year I’ve become more and more interested in, and familiar with, Kerberos authentication. While I’m not saying that you should “Kerberize” everything, I think everyone installing and configuring apps on the Windows platform should have a basic understanding of it.

Below is a decision-based workflow I created to counter some simple pitfalls. Although some of it might seem easy, it gets forgotten a lot. In the example, a user is browsing a web-based application that is reachable at “webapp.contoso.com”; the website is in fact hosted on a server called web01.contoso.com.

It is important to note that ending up in the orange field (“client uses NTLM”) isn’t necessarily bad, but it might be when your web app does some form of delegation afterwards. On the other hand, if you end up in “authentication impossible”, you will never be granted access to the application.

This example is based on a web-based application, but the reasoning is exactly the same when, instead of the IE browser, the client is a SQL client, and instead of the application pool for the website, the service is a SQL Server service.

Perhaps the most common pitfall you will encounter is the one where someone uses a service account for an application pool instead of Network Service. If you then try to access the website using the name of the machine, you will always end up in “authentication impossible”.
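The reasoning behind the chart can be written down as a small decision function. This is an added example, not the post’s chart or any Microsoft code; the SPN directory in it is constructed, and it assumes that a machine account’s HOST/&lt;fqdn&gt; SPN covers HTTP requests for that name and that the client cannot form an SPN from a bare IP address.

```python
"""Decision model for the troubleshooting chart (added example, not the
original chart). Assumptions: a machine account implicitly holds
HOST/<its fqdn>, which also answers HTTP/<fqdn> lookups, and a client
cannot build an SPN from a bare IP address, so it falls back to NTLM."""
import ipaddress

KERBEROS = "client uses Kerberos"
NTLM = "client uses NTLM"
IMPOSSIBLE = "authentication impossible"

# Constructed directory: SPN -> account that holds it (NOT real data).
# WEB01$ is the machine account; Network Service authenticates as WEB01$.
SAMPLE_SPNS = {
    "HOST/web01.contoso.com": "CONTOSO\\WEB01$",
    "HOST/web01": "CONTOSO\\WEB01$",
    "HTTP/webapp.contoso.com": "CONTOSO\\svc_web",
}


def _is_ip(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def decide(url_host: str, spns: dict, app_pool_account: str) -> str:
    """Return the end state the chart reaches for a client browsing
    http://<url_host>/ against a site whose app pool runs as app_pool_account."""
    host = url_host.lower()
    if _is_ip(host):
        return NTLM  # no SPN can be derived from an IP address
    # The client asks the KDC for HTTP/<host>; HOST/<host> is the fallback
    # that the machine account covers for its own hostname.
    owner = spns.get(f"HTTP/{host}") or spns.get(f"HOST/{host}")
    if owner is None:
        return NTLM  # KDC knows no such principal; Negotiate downgrades to NTLM
    # The service ticket is encrypted with the SPN owner's key, so the app
    # pool can only decrypt it if it runs AS that owner.
    if owner.lower() == app_pool_account.lower():
        return KERBEROS
    return IMPOSSIBLE  # ticket issued for a key the app pool does not have


if __name__ == "__main__":
    for host, account in [("webapp.contoso.com", "CONTOSO\\svc_web"),
                          ("web01.contoso.com", "CONTOSO\\svc_web"),
                          ("web01.contoso.com", "CONTOSO\\WEB01$")]:
        print(f"{host:20} as {account:16} -> {decide(host, SAMPLE_SPNS, account)}")
```

The second case is the pitfall from the paragraph above: the service account runs the pool, but the machine name leads to the machine account’s key.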

Any feedback or comments are highly appreciated. The chart (click the picture for a clearer view):

[image: the Kerberos troubleshooting decision diagram]


2 Responses to Kerberos: Troubleshooting Diagram

12 October, 2020 23:28

We are getting 400 errors for some scenarios, thrown by an http.sys-hosted PowerBI Report Server behind a simple HTTPS-offloading load balancer. Users from one federated domain never get these errors. Users from the other mostly get them with IE11 and Chrome, not with Edgium or Firefox. We see both NTLM-flavored as well as Kerberos Negotiate headers passing. Any clue?

13 October, 2020 08:49

I'm sorry, I've been out of Kerberos troubleshooting for quite some years now. This doesn't ring a bell.
