One of my customers observed that IE 8 prompted for authentication every time he accessed his aspx page. He is using Single Sign-On, which takes the credentials of the currently logged-on user and logs in to the application under that context. The issue was observed only on the Windows 2008 machine that had IE 8. The customer is logging on to an SAP J2EE server.
The customer had already set the logon option to “login with current user name and password” for the Intranet zone in IE.
1. I also confirmed that “Enable Integrated Windows Authentication” is enabled under Advanced tab.
2. From the fiddler logs, I was able to isolate that on the non-working machine Kerberos authentication was failing and the IE falls back on NTLM.
3. While researching this issue, I found an article that talks about a logon problem with the SAP Enterprise Portal (SAP J2EE) server after installing MS09-054. It recommends configuring the SuppressExtendedProtection DWORD under the LSA registry key to 3.
A few articles:
http://forums.sdn.sap.com/message.jspa?messageID=8308489
Extended Protection for Authentication
4. I added the DWORD under the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA registry key.
5. From the Netmon logs I was able to identify why the Kerberos authentication was failing. I realized that we were running into the issue described in the following article:
The security principals and the services that use only DES encryption for Kerberos authentication are incompatible with the default settings on a computer that is running Windows 7 or Windows Server 2008 R2
http://support.microsoft.com/kb/977321
6. Thus we modified the policy “Network security: Configure encryption types allowed for Kerberos” and selected all six check boxes for the encryption types.
By default, the security settings for DES encryption for Kerberos are disabled on the following computers:
By default, Windows 7 uses Advanced Encryption Standard (AES) or RC4 for "encryption types" and for "etypes." The services that are configured for only DES encryption fail unless:
The solution to this authentication issue is to follow these two steps:
1. Set “SuppressExtendedProtection” to 3.
2. Select all six check boxes for the encryption types under the “Network security: Configure encryption types allowed for Kerberos” option.
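As an added example (not part of the original post or of any Microsoft or SAP tooling), here is a PowerShell script that reports the current state of the two settings above before anything is changed: it reads SuppressExtendedProtection from the LSA key named in step 4 and decodes the Kerberos encryption-type bitmask so you can see which of the six check boxes are ticked, and which legacy etypes (DES, RC4) a change would turn on. It assumes the policy value is stored under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters as SupportedEncryptionTypes (where the Group Policy setting writes it), that the bit values are those documented in KB 977321, and that the host is stand-alone; the script name Audit-KerberosSettings.ps1 and the -Apply switch are hypothetical.

```powershell
# Audit-KerberosSettings.ps1 (hypothetical name; added example, not from the post)
# Run in an elevated PowerShell session. Without -Apply it only reports.
param([switch]$Apply)

$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# Assumption: this is where the policy "Network security: Configure encryption
# types allowed for Kerberos" stores its DWORD.
$KerbPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

# Bit layout of SupportedEncryptionTypes (per KB 977321), one bit per check box.
$EtypeBits = [ordered]@{
    'DES_CBC_CRC'             = 0x00000001
    'DES_CBC_MD5'             = 0x00000002
    'RC4_HMAC_MD5'            = 0x00000004
    'AES128_CTS_HMAC_SHA1_96' = 0x00000008
    'AES256_CTS_HMAC_SHA1_96' = 0x00000010
    'Future encryption types' = 0x7FFFFFE0
}
$AllSixSelected = 0x7FFFFFFF   # value written when all six boxes are ticked

function Get-KerberosEtypeState {
    # Returns the raw policy value plus one row per check box with its state.
    $raw = (Get-ItemProperty -Path $KerbPolicy -Name SupportedEncryptionTypes `
            -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    if ($null -eq $raw) {
        # Policy not configured: on Windows 7 / 2008 R2 the OS default is RC4 and
        # AES only, with DES off, which is the situation KB 977321 describes.
        return [pscustomobject]@{ Raw = $null; Configured = $false; Etypes = @() }
    }
    $rows = foreach ($name in $EtypeBits.Keys) {
        [pscustomobject]@{
            Etype   = $name
            Enabled = (($raw -band $EtypeBits[$name]) -ne 0)
        }
    }
    [pscustomobject]@{ Raw = ('0x{0:X8}' -f $raw); Configured = $true; Etypes = $rows }
}

function Get-ExtendedProtectionState {
    $v = (Get-ItemProperty -Path $LsaKey -Name SuppressExtendedProtection `
          -ErrorAction SilentlyContinue).SuppressExtendedProtection
    if ($null -eq $v) { return 'not set (Extended Protection for Authentication active)' }
    if ($v -eq 3)     { return '3 (Extended Protection suppressed, as in the post)' }
    if ($v -eq 0)     { return '0 (Extended Protection active)' }
    return "$v (non-default value)"
}

# --- report the current state ------------------------------------------------
'SuppressExtendedProtection: ' + (Get-ExtendedProtectionState)
$k = Get-KerberosEtypeState
if ($k.Configured) {
    "SupportedEncryptionTypes: $($k.Raw)"
    $k.Etypes | Format-Table -AutoSize
    # Flag the legacy etypes explicitly so a reviewer sees what the change enables.
    $legacyOn = $k.Etypes | Where-Object { $_.Enabled -and $_.Etype -like 'DES_*' }
    if ($legacyOn) { 'DES etypes are currently enabled on this host.' }
} else {
    'SupportedEncryptionTypes: policy not configured (OS default: RC4/AES only)'
}

# --- apply the post's two steps only when explicitly requested --------------
# Writing the policy value directly matches ticking the six boxes in Local
# Security Policy on a stand-alone host; on a domain member set it through
# Group Policy instead, or the next policy refresh overwrites it.
if ($Apply) {
    New-ItemProperty -Path $LsaKey -Name SuppressExtendedProtection `
        -PropertyType DWord -Value 3 -Force | Out-Null
    if (-not (Test-Path $KerbPolicy)) { New-Item -Path $KerbPolicy -Force | Out-Null }
    New-ItemProperty -Path $KerbPolicy -Name SupportedEncryptionTypes `
        -PropertyType DWord -Value $AllSixSelected -Force | Out-Null
    'Applied both settings. Log off and on again so a fresh Kerberos ticket is requested.'
}
```

Run it once without -Apply and keep the output: the decoded table is the record of which encryption types the host accepted before the change, and a second run after the change (or a Fiddler/Netmon capture, as in steps 2 and 5) confirms that IE now completes Kerberos instead of falling back to NTLM.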
Please let me know if this information was useful. See ya!