Negotiate,NTLM. IE does not try NTLM after kerberos fails

Discussion in 'Internet Explorer' started by briend, Jul 13, 2009.

  1. briend

    briend Guest

    If a firewall prevents CLDAP or DNS or Kerberos traffic, the www-authenticate
    mechanism Negotiate will fail. Internet Explorer will present a "Internet
    Explorer cannot display the webpage" error after the kerberos method fails.

    Desired behavior: Internet Explorer should continue down the auth chain,
    and try NTLM after deciding kerberos is not available for whatever reason.
    Tested Firefox on Windows XP and Macintosh OSX (both bound to AD), which
    behaves as expected after configuring these two config options:

    network.negotiate-auth.trusted-uris
    network.automatic-ntlm-auth.trusted-uris

    with your domain (company.com)-- not trolling just pointing out that it is
    NOT an OS problem but specifically the IE browser that is failing.

    Brian Yuil has had this problem for quite a while. See
    http://www.eggheadcafe.com/software/aspnet/32408965/iis-51-internet-explore.aspx for example.

    This is a surprisingly huge issue since anyone that takes a company laptop
    home (AD environment) will likely have an expired kerberos ticket after 10
    hours... So they simply will not be able to use Internet Explorer unless
    they VPN in (inconvenient) or we open the firewall for CLDAP and Kerberos
    traffic (bad idea).

    The alternative of disabling Negotiate on IIS and using pure NTLM (which
    seems popular) is also distasteful because it would prevent other operating
    systems from enjoying the benefits of true Single SignOn-- namely Macintosh
    clients.

    Tested with IE7 and IE8 (newest version as of this writing) on a Windows XP
    client.

    To reproduce, you can use a firewall or manipulate your
    routing table to provide an invalid route to your domain controllers, then
    use kerbtray to flush your ticket cache, then refresh the webpage that
    uses negotiate,ntlm. Wireshark is handy too. Make sure you are logged in as
    a domain user on a machine that is bound to AD.

    Thank you for any response!

    Thanks!

     
    briend, Jul 13, 2009
    #1
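A diagnostic for the Wireshark reproduction step above, added here as an example (it is not code from the thread, from IIS or from Microsoft): given the 401's WWW-Authenticate headers and the Authorization header the client sends back, it reports whether the client tried Kerberos, wrapped NTLM inside SPNEGO, or fell back to the plain NTLM scheme. The sample headers and tokens are constructed, not real captures; the OID bytes are the standard DER encodings of the SPNEGO mechanism identifiers.

```python
import base64

# DER encodings of the mechanism OIDs found in a SPNEGO NegTokenInit mechTypes list.
MECH_OIDS = {
    "ms-kerberos": bytes.fromhex("06092a864882f712010202"),    # 1.2.840.48018.1.2.2
    "kerberos":    bytes.fromhex("06092a864886f712010202"),    # 1.2.840.113554.1.2.2
    "ntlmssp":     bytes.fromhex("060a2b06010401823702020a"),  # 1.3.6.1.4.1.311.2.2.10
}

def offered_schemes(headers):
    """Auth schemes the server offers in its 401, in order. IIS sends one
    WWW-Authenticate header per scheme, e.g. 'Negotiate' then 'NTLM'."""
    return [v.split()[0] for (n, v) in headers if n.lower() == "www-authenticate"]

def classify_client_token(authorization):
    """Classify a client's Authorization header: returns (scheme, mechanisms).
    Raw NTLMSSP means the plain NTLM scheme; a 0x60 (GSS-API initial context
    token) is SPNEGO, whose mechTypes order is the client's preference."""
    scheme, _, b64 = authorization.partition(" ")
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):
        return scheme, ["ntlm-raw"]
    if raw[:1] != b"\x60":
        return scheme, ["unknown"]
    found = sorted((raw.find(oid), name) for name, oid in MECH_OIDS.items() if oid in raw)
    return scheme, [name for _, name in found]

def diagnose(server_headers, client_authorization):
    """One-line verdict for a 401 / Authorization pair, as a log or capture check."""
    schemes = offered_schemes(server_headers)
    scheme, mechs = classify_client_token(client_authorization)
    if scheme not in schemes:
        return "client used %s, which the server did not offer" % scheme
    if scheme == "NTLM":
        return "fell back to the NTLM scheme"
    if "ntlmssp" in mechs and not any("kerberos" in m for m in mechs):
        return "Negotiate carrying NTLM only (Kerberos unavailable, fell back inside SPNEGO)"
    return "Negotiate with Kerberos offered"

# Constructed samples (not captures): SPNEGO-shaped prefix plus mechType OIDs, and a raw NTLM type 1 stub.
SAMPLE_401 = [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")]
KRB_TOKEN = base64.b64encode(b"\x60\x40" + MECH_OIDS["ms-kerberos"] + MECH_OIDS["kerberos"] + MECH_OIDS["ntlmssp"]).decode()
NTLM_ONLY_SPNEGO = base64.b64encode(b"\x60\x20" + MECH_OIDS["ntlmssp"]).decode()
RAW_NTLM = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()

if __name__ == "__main__":
    for auth in ("Negotiate " + KRB_TOKEN, "Negotiate " + NTLM_ONLY_SPNEGO, "NTLM " + RAW_NTLM):
        print(diagnose(SAMPLE_401, auth))
```

A client that is failing the way the thread describes shows the first verdict and then no NTLM attempt at all, while a correctly failing-over client produces one of the last two.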

  2. Peter Foldes

    Peter Foldes Guest

    Quick question: the XP and the OSX are connected and feeding with which server?
     
    Peter Foldes, Jul 13, 2009
    #2

  3. briend

    briend Guest

    I'm not sure I understand, but both machines are bound to the AD server which
    also serves DNS. The web server is a separate server also bound to AD. All
    the kerberos settings and SPNs are configured correctly and everything works
    fine unless you introduce a firewall that blocks kerberos or DNS or CLDAP and
    you have expired tickets. In this case only Firefox will work correctly, and
    IE will be broken with really no work-around other than VPN or log in as a
    local machine user instead of your domain account.

    Brien
     
    briend, Jul 13, 2009
    #3
  4. Jason6787

    Jason6787 Guest

    Did anyone find a solution to this issue in Windows XP other than unchecking
    the "Enable Integrated Authentication"?

    It seems like a registry key somewhere that could be modified to enable it
    to fail over, but having trouble finding anything - any "fix" for this?
     
    Jason6787, Oct 27, 2009
    #4
  5. Glen Orenstein
    Glen Orenstein, Apr 24, 2010
    #5
  6. crystalcfitzgerald

    Hello All,

    Did anyone ever find a fix for this issue? We are currently having it with some users on our network but not all users.
    Some will continue down the chain and try NTLM when Kerberos does not work, but some will just give up and not keep trying.
    If we uncheck the "Enable Windows Integrated Authentication" box in IE Advanced settings then it will work, but only because it's not even trying Kerberos at that point.

    It doesn't seem to matter which version of IE (8 or 9) it seems to be dependent on the machine itself, but we can't isolate what setting or registry setting might be causing this.

    I'm trying to avoid opening a Microsoft Support ticket if possible, but at this point I'm at a loss.

    Thanks
     
    crystalcfitzgerald, Jan 9, 2013
    #6
  7. jethromorais

    jethromorais

    I've discovered that if you change the settings on IE and uncheck the option to "Enable Integrated Windows Authentication" you force IE to negotiate, and this solved my problem. IE Settings - Advanced - Security
     
    jethromorais, Apr 29, 2013
    #7
