
It is my understanding that authenticating to IIS with Kerberos will, by default, allow for the authentication to downgrade to NTLM v2 or NTLM v1 if the client cannot handle Kerberos. In my case I have a client that can only use NTLM v1 and I want to know before installing things that this will work in different environments. How can you tell if IIS allows for this to occur?

A few pertinent notes:

  1. These will all be web service requests from another server (not end-user browser-based requests).
  2. The web services are hosted in IIS / ASP.NET / SharePoint (both 2007 and 2010). I believe that IIS is in charge of authentication (assuming Windows Auth, not Forms or Claims), but if you know that ASP.NET or SharePoint can play a role here, please let me know.
  3. I need to know the answer for both IIS6 and IIS7.
  4. I have seen where group policies can have an effect on this. I believe that the Hardening Guide Configuration Templates may prevent NTLMv1, but am not certain.
  5. It looks like this article helps for IIS6, but something tells me that this could somehow be overridden by group policies (as mentioned immediately above).
  6. For IIS7 I found How to configure IIS 7.0 to support both the Kerberos protocol and the NTLM protocol for network authentication. However, I am either not understanding this or am missing something. I have a default IIS7 and my IIS_schema.xml file doesn't seem to explicitly allow for NTLM (see below). In addition, I care about IIS6 and group policy overrides so even if I understand this, it only gets me part of the way there.


  <sectionSchema name="system.webServer/security/authentication/windowsAuthentication">
    <attribute name="enabled" type="bool" defaultValue="false" />
    <element name="providers">
      <collection addElement="add" clearElement="clear" removeElement="remove">
        <attribute name="value" type="string" isUniqueKey="true" />
      </collection>
    </element>
    <attribute name="authPersistSingleRequest" type="bool" defaultValue="false" />
    <attribute name="authPersistNonNTLM" type="bool" defaultValue="false" />
    <attribute name="useKernelMode" type="bool" defaultValue="true" />
    <attribute name="useAppPoolCredentials" type="bool" defaultValue="false" />
    <element name="extendedProtection">
        <attribute name="tokenChecking" type="enum" defaultValue="None">
            <enum name="None" value="0" />
            <enum name="Allow" value="1" />
            <enum name="Require" value="2" />
        </attribute>
        <attribute name="flags" type="flags" defaultValue="None">
            <flag name="None" value="0" />
            <flag name="Proxy" value="1" />
            <flag name="NoServiceNameCheck" value="2"/>
            <flag name="AllowDotlessSpn" value="4" />
            <flag name="ProxyCohosting" value="32" />
        </attribute>
        <collection addElement="spn" clearElement="clearSpns" removeElement="removeSpn">
            <attribute name="name" type="string" isUniqueKey="true" validationType="nonEmptyString" />
        </collection>
    </element>
  </sectionSchema>
Kirk Liemohn
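One way to answer "will an NTLMv1-only client get in" on a given IIS7 box, as an added example that is not part of the question or of any answer on this page. It assumes the WebAdministration module (IIS7 on Windows Server 2008 or later) and local administrator rights; the function name Test-NtlmV1Acceptance is made up for this example. It reads the two settings that decide the outcome together: the providers IIS offers (NTLM directly, or Negotiate, which wraps NTLM when Kerberos is unavailable) and the LSA LmCompatibilityLevel, which is what the "Network security: LAN Manager authentication level" group policy writes and which decides whether the server accepts NTLMv1 responses at all.

```powershell
# Added example (not the page's or any answer's own code). Assumes IIS7 + WebAdministration,
# run locally as an administrator. Test-NtlmV1Acceptance is a hypothetical helper name.
Import-Module WebAdministration

function Test-NtlmV1Acceptance {
    param([string] $Site = '')   # '' = server-wide defaults; or a site name such as 'Default Web Site'
    $psPath = if ($Site) { "IIS:\Sites\$Site" } else { 'IIS:\' }
    $filter = 'system.webServer/security/authentication/windowsAuthentication'

    # 1. What IIS offers. 'NTLM' offers NTLM directly; 'Negotiate' offers Kerberos and falls
    #    back to NTLM inside SPNEGO when the client cannot do Kerberos.
    $enabled   = (Get-WebConfigurationProperty -Filter $filter -Name enabled -PSPath $psPath).Value
    $providers = Get-WebConfigurationProperty -Filter "$filter/providers" -Name Collection -PSPath $psPath |
        ForEach-Object { $_.value }
    $ntlmOffered = ($providers -contains 'NTLM') -or ($providers -contains 'Negotiate')

    # 2. What LSA accepts. Group policy 'Network security: LAN Manager authentication level'
    #    writes LmCompatibilityLevel. Acting as a server: 0-3 accept LM, NTLMv1 and NTLMv2;
    #    4 refuses LM; 5 refuses LM and NTLMv1. When unset, the OS default (2 on 2003, 3 on
    #    2008) applies, so NTLMv1 is still accepted.
    $lsa   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $level = $lsa.LmCompatibilityLevel
    $v1Accepted = ($null -eq $level) -or ($level -le 4)

    # 3. Windows 7 / 2008 R2 and later can additionally block incoming NTLM entirely
    #    (RestrictReceivingNTLMTraffic: 0 = allow, 1 = deny domain accounts, 2 = deny all).
    $msv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    $restrict = $msv.RestrictReceivingNTLMTraffic
    $ntlmBlocked = ($null -ne $restrict) -and ($restrict -ge 1)

    New-Object PSObject -Property @{
        WindowsAuthEnabled     = [bool] $enabled
        Providers              = ($providers -join ', ')
        LmCompatibilityLevel   = $level
        RestrictReceivingNTLM  = $restrict
        NtlmV1ClientWillWork   = [bool] $enabled -and $ntlmOffered -and $v1Accepted -and -not $ntlmBlocked
    }
}

# Server-wide view; pass -Site 'Default Web Site' to see a site's effective settings.
Test-NtlmV1Acceptance | Format-List
```

Because the script reads the registry values that group policy itself sets, the result already reflects any GPO or hardening-template override, which is the part the question worries about. IIS6 has no applicationHost.config; the equivalent provider list there is the NTAuthenticationProviders metabase property, while the LmCompatibilityLevel check above applies unchanged.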

0 Answers