Keberos / NTLM Bug Using Delegation?

  • Thread starter Thread starter Dave
  • Start date Start date
D

Dave

We have a 3 tier configuration. Win 2k web server using
delegation to win 2k sql server. SPN for the sql service
account is correct. Using .net framework. Users(win 2k
clients) can access the web front end and manipulate sql
data via forms. At random during any time period
authentication fails. A user can enter data with no
problems then all of a sudden
Login failed for user NT AUTHORITY\ANONYMOUS LOGON.

Being that they can actually enter data says that
deligation is working. We are running mixed mode and have
NT BDCS on the network.

Quoted from another source"

Watch out for NTLM
At one point during my experimentation I made a remote
authenticated request (which succeeded), and yet I
couldn't find the ticket that had been issued to make this
possible. On all the machines I use on a day-to-day basis
I've enabled auditing of logon and logoff events
(something I urge all developers to do in the lab), and so
when I checked the server's audit log, I discovered that
the client had been authenticated. I scratched my head
until I looked at the detailed information in the audit
record: the NTLM provider not the Kerberos provider had
authenticated the client.
I was really surprised at this behavior since the client
was using a domain account in a Windows 2000 domain and
both client and server were running Windows 2000. In fact,
the client was running on the same machine as her KDC. "


Is it possible for kerberos by some quirk to fall back to
NTLM at random? Or NT BDC's in the mix causing strange
problems. The same user has access then all of a sudden
authentication fails at random for no apparent reason.

Any thooughts appreciated..
 
NT BDCs don't support Kerberos, if the user authenticates against that DC,
they will use NTLM.
 
Back
Top