PROBLEM DESCRIPTION:

One of my customers observed that IE 8 prompts for authentication every time he accesses his aspx page. He is using Single Sign-On, which takes the credentials of the currently logged-on user and logs in to the application under that context. The issue is observed only on the Windows 2008 machine that has IE 8. The customer is trying to log in to the SAP J2EE server.

Customer had already set the logon prompt to “login with current user name password” for the Intranet zone in IE.

FINDINGS:

1.    I also confirmed that “Enable Integrated Windows Authentication” is enabled under the Advanced tab.

2.    From the Fiddler logs, I was able to isolate that on the non-working machine Kerberos authentication was failing and IE falls back to NTLM.

3.    While researching this issue, I found an article that talks about an issue during logon to the SAP Enterprise Portal (SAP J2EE) server after installing MS09-054. It talks about configuring the SuppressExtendedProtection DWORD under the LSA registry key to 3.

A few articles:

  • http://forums.sdn.sap.com/message.jspa?messageID=8308489
  • Extended Protection for Authentication: http://support.microsoft.com/kb/968389


4.    I added the DWORD under the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA registry key.

5.    From the Netmon logs I was able to identify why the Kerberos authentication was failing. I realized that we were running into the issue described in the following article:

  • The security principals and the services that use only DES encryption for Kerberos authentication are incompatible with the default settings on a computer that is running Windows 7 or Windows Server 2008 R2: http://support.microsoft.com/kb/977321

6.    Thus we modified the policy “Network security: Configure encryption types allowed for Kerberos” and selected all six check boxes for the encryption types.


CAUSE

By default, the security settings for DES encryption for Kerberos are disabled on the following computers:

  • Computers that are running Windows 7
  • Computers that are running Windows Server 2008 R2
  • Domain controllers that are running Windows Server 2008 R2

By default, Windows 7 uses Advanced Encryption Standard (AES) or RC4 for "encryption types" and for "etypes." The services that are configured for only DES encryption fail unless:

  • The service is reconfigured to support RC4 encryption or to support AES encryption.
  • All client computers, all servers, and all domain controllers for the domain of the service account are configured to support DES encryption.

SOLUTION:

The solution to this authentication issue is to follow these two steps:
1. Set “SuppressExtendedProtection” to 3.
2. Select all six check boxes for the encryption types under the “Network security: Configure encryption types allowed for Kerberos” option.
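As an added example (not part of the original post), the following PowerShell script audits the two settings above on a client and, when run with -Apply, sets them exactly as described; it assumes the Kerberos policy is stored as the SupportedEncryptionTypes DWORD under the Policies\System\Kerberos\Parameters key, where the Local Security Policy editor writes it.

```powershell
# Added example, not part of the original post: audits (and, with -Apply, sets) the two
# settings from the solution above. Run in an elevated PowerShell session on the client.
# Assumption: the policy "Network security: Configure encryption types allowed for
# Kerberos" is stored as the SupportedEncryptionTypes DWORD under $KerbKey below.

$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$KerbKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

# Bit values behind the six check boxes of that policy.
$EtypeBits = [ordered]@{
    'DES_CBC_CRC'             = 0x1
    'DES_CBC_MD5'             = 0x2
    'RC4_HMAC_MD5'            = 0x4
    'AES128_CTS_HMAC_SHA1_96' = 0x8
    'AES256_CTS_HMAC_SHA1_96' = 0x10
    'Future encryption types' = 0x7FFFFFE0
}
$AllSixBoxes = 0x7FFFFFFF   # every box ticked, as in step 2 of the solution

function Get-KerberosAuthSettings {
    # Reads both values; a missing etype value means the OS default (no DES on Win7/2008 R2).
    $sep  = (Get-ItemProperty -Path $LsaKey  -Name SuppressExtendedProtection -ErrorAction SilentlyContinue).SuppressExtendedProtection
    $mask = (Get-ItemProperty -Path $KerbKey -Name SupportedEncryptionTypes   -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    $enabled = @()
    if ($null -ne $mask) {
        foreach ($name in $EtypeBits.Keys) {
            if (($mask -band $EtypeBits[$name]) -ne 0) { $enabled += $name }
        }
    }
    $maskText = if ($null -eq $mask) { '(not set: OS default)' } else { '0x{0:X8}' -f $mask }
    $sepText  = if ($null -eq $sep)  { '(not set)' } else { $sep }
    [pscustomobject]@{
        SuppressExtendedProtection = $sepText
        SupportedEncryptionTypes   = $maskText
        EnabledTypes               = ($enabled -join ', ')
        DesAllowed                 = ($null -ne $mask) -and (($mask -band 0x3) -ne 0)
    }
}

function Set-KerberosAuthSettings {
    # Applies the two steps from the solution: SuppressExtendedProtection = 3, all six etypes.
    if (-not (Test-Path $KerbKey)) { New-Item -Path $KerbKey -Force | Out-Null }
    Set-ItemProperty -Path $LsaKey  -Name SuppressExtendedProtection -Type DWord -Value 3
    Set-ItemProperty -Path $KerbKey -Name SupportedEncryptionTypes   -Type DWord -Value $AllSixBoxes
}

Write-Host 'Before:'; Get-KerberosAuthSettings | Format-List
if ($args -contains '-Apply') { Set-KerberosAuthSettings; Write-Host 'After:'; Get-KerberosAuthSettings | Format-List }
```

The DesAllowed field makes it easy to see afterwards which clients have DES re-enabled, so the setting can be rolled back once the SAP service account is moved to RC4 or AES as KB977321 suggests.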


Please let me know if this information was useful. See ya!