I have been thinking on writing few Step-by-Step articles for Kerberos Setup and Troubleshooting. There are few basic things we should remember when configuring Kerberos authentication in Windows network.
Lets quickly get started with a very simple One Hop Scenario
ANJANEYA = Domain ControllerVIVEKKUMIIS = IIS ServerVIVEKKUMCLIENT = XP Client
We will configure IIS to use Windows Integrated Authentication on it's Default Web Site and we will browse the iisstart.htm page which is a default page for IIS 6.0.
Configure IIS to use Windows Integrated Authentication
Now, lets request the page from VIVEKKUMCLIENT machine.Lets check what the IIS log shows.. locate them at C:\WINDOWS\system32\LogFiles\W3SVC1 (Default Location).
You will see sc-status and sc-substatus as 401 2 for cs-username -where as sc-status and sc-substatus shows 200 0 for cs-username DC\client
Lets look at a network capture and how authentication takes place and determines how the packet would look like..
That looks good.So what is a bad request.. when can you say that the request was not good and it failed ? Any guesses !!
The above request was a success with status 200 in IIS log but this request falls back on NTLM.
You will see sc-status and sc-substatus as 401 2 and 401 1 for cs-username - where as sc-status and sc-substatus shows 200 0 for cs-username DC\client
I achieved the following by configuring IE..
Happy troubleshootingSee you soon with more scenarios..