Thanks Max. Your explanation was very clear and helped make sense of
something that has been bothering me for a long time. (I've been having a
similar problem using Windows Authentication with SQL Server residing on a
different box than the web server, which I will try to resolve using this
Unfortunately, I must still be missing something as the problem still
Here are the details of my setup. Client is IE 6 on Win2K Pro with "Enable
Integrated Windows Authentication (requires restart)" checked. Server is a Win2K member server
running IIS 5, allowing only Windows authentication for the web app in
question. In ADU&C, "Trust computer for delegation" is checked. Anything
seem awry here?
> Here is the deal with double-hop (or at least my understanding of it).
>
> If you want to use Kerberos ALL of the machines in the equation need to be
> Win2k or above. The client needs to have I.E. enabled to use Windows
> authentication (Tools>>Options>>Advanced), and the IIS machine needs to be
> listed in the ADU&C on a DC, where it should have the 'trusted for
> delegation' checkbox checked in its properties. IIS needs to have the site set up to
> use Windows Integrated Authentication for its security.
>
> What happens in this scenario is the client makes a request to IIS for
> the ASP. If the ASP needs info from a network resource (i.e. the DC), it
> will ask the client for credentials. The client should respond with its network token, the IIS
> machine will go find a Kerberos server, and get a ticket for this user that
> lasts about 10 minutes. From that point on, the IIS server can request information from a
> network resource on behalf of that user.
>
> Prior to Kerberos, IIS only had NTLM, Basic Auth, and Anonymous to work
> with. When you had the site set up for NTLM, the client would make a request
> IIS machine. The client would have permissions to access anything on the
> IIS machine, but if it needed to access a network resource, it couldn't,
> was no way for IIS to create a network token based on an NTLM
> authenticated user. To get around this problem, people would use Basic
> would prompt the user for credentials. IIS would then take the user's plain
> text username and password, and plug it into the LogonUser and
> ImpersonateLogonUser APIs, which create a network token that can be passed
> to a network resource.
>
> Obviously Anonymous wouldn't work set up as the IUSR account, so people
> would change this to a domain user with rights to do what they needed. In
> scenario, IIS executes code as an interactive user (i.e. someone sitting
> at the machine logged in), as if it were the domain user listed as the
>
> In order for Kerberos to be used by IE 6, each IE client must be set up to
> enable Windows Integrated Authentication on the "Advanced" tab of the
> Propitious". It's at the very bottom under the "Security" section ("Enable
> Integrated Windows Authentication (requires restart)").
>
> IIS will not use Kerberos on a virtual directory with a "." in its name.
> It's a small problem that they are working on.
>
> I don't know if you will be MORE confused after reading this, but I hope
>
> Max Vaughn [MS]
> Microsoft Developer Support
>
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights. You assume all risk for your use.
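Since the whole thread hinges on whether the IIS computer account really carries the "Trust computer for delegation" setting, here is a way to read that flag straight from AD instead of eyeballing the ADU&C checkbox. This is an added example, not code from the thread or from Microsoft; it assumes it runs on a domain-joined Windows host with read access to the directory, and the computer name is a placeholder.

```powershell
# Added example (not from the thread): read the userAccountControl bit that the
# ADU&C "Trust computer for delegation" checkbox sets on a computer account.
# Assumes a domain-joined host with read access to AD; the computer name is a placeholder.
$ADS_UF_TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl flag behind the checkbox

function Get-DelegationTrust {
    param([Parameter(Mandatory)][string]$ComputerName)

    # The sAMAccountName of a computer object is the host name followed by '$'
    $filter   = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    $searcher = [ADSISearcher]$filter
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('userAccountControl', 'operatingSystem', 'dNSHostName'))

    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer account '$ComputerName' not found in AD" }

    # ResultPropertyCollection keys are lower-case; each value is a collection
    $uac = [int]$result.Properties['useraccountcontrol'][0]

    [pscustomobject]@{
        Computer             = $result.Properties['dnshostname'][0]
        OperatingSystem      = $result.Properties['operatingsystem'][0]
        UserAccountControl   = ('0x{0:X}' -f $uac)
        TrustedForDelegation = [bool]($uac -band $ADS_UF_TRUSTED_FOR_DELEGATION)
    }
}

# Usage: query the IIS server from the thread (placeholder host name)
Get-DelegationTrust -ComputerName 'IISSERVER01' | Format-List
```

A TrustedForDelegation of True is the unconstrained form of delegation: once a user has authenticated to that IIS box with Kerberos, the server can present that user's identity to any service on the network, so keep the flag limited to the hosts that actually need the double hop.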