If an IIS hosted site is secured using Kerberos, can Linux machines connect to it?

I'm running into a problem configuring my IIS 7.0 website in a test environment with Kerberos. I have a trial version of Windows Server 2008 R2 with AD DS, AD RMS, DHCP, DNS & IIS roles installed. I have gone into the IIS security settings for the site and set up Windows Authentication to permit Kerberos login.

The problem I'm running into is that it is not routinely using Kerberos for the security protocol. When I set providers in IIS to "Negotiate", Fiddler2 indicates that the header will return an NTLM header 50% of the time and a Kerberos header the other 50% of the time. If I instead set the provider as "Negotiate:Kerberos" in IIS, I cannot access the site at all as it immediately reports a 401 error. Additionally, any attempt to connect to the site in either configuration using a Linux machine points immediately to a 401 security error.

Can anyone please provide some insights or guides into how to configure this? I specifically need to block any fallback to NTLM in addition to enabling Kerberos regardless of the machine I connect with. So far, I haven't found any technet or serverfault articles that fully address this issue.


In Firefox you will need to set it up to use Kerberos under about:config network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris.

For Chrome/chromium try chromium-browser --auth-server-whitelist="company.com"


If you want to set up a Linux service/application to authenticate to an IIS service endpoint, you can get the Linux box to authenticate to an IIS hosted windows site like this:

  1. Ensure your IIS Site windows authentication providers are set in this order for Windows Auth:
    • NTLM
    • Negotiate
  2. Create a Principal for the account you want to authenticate as:
    • Log in to a windows server in the domain with kerberos tools (usually an AD server)
    • Register a Service Principal Name (SPN) against the account you want to authenticate as, and at the same time generate a Kerberos keytab file:
      • Use ktpass to generate a keytab for Linux
      • ktpass -princ HTTP/myiis.site.com@SITE.COM -ptype KRB5_NT_PRINCIPAL -mapuser myuser -pass mypassword -out c:\user.keytab
      • Note: it's important that the url myiis.site.com match your endpoint you'll hit; and that SITE.COM matches your Domain-Component.
    • You can check your SPN with setspn -L myuser
    • At this point you now have an SPN mapped to an AD user; and a Kerberos keytab file for Linux to get a kerberos ticket issued by the KDC (AD Server) for authentication using the Negotiate provider.
  3. Import your keytab into the linux box/application depending on flavour of Kerberos. To view the credential in the keytab:
    • MIT Kerberos
      • klist -c -k user.keytab
    • Heimdal Kerberos (assuming you copied the keytab to /etc/heimdal/krb5.keytab)
      • ktutil list
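The NTLM-versus-Kerberos split the question observed in Fiddler can be verified from the Negotiate tokens themselves rather than from Fiddler's labels: an NTLM token decodes to bytes starting with `NTLMSSP\0` (base64 `TlRMTVNT...`), while a Kerberos/SPNEGO token is a GSS-API blob starting with `0x60` (base64 `YII...`) that names a Kerberos mechanism OID. The following is an added Python example, not code from either answer, that classifies tokens by those byte patterns over constructed sample header lines; a non-zero NTLM count means a client fell back.

```python
import base64
import re
from collections import Counter

# Byte patterns that identify the mechanism inside a Negotiate token.
NTLMSSP_MAGIC = b"NTLMSSP\x00"                        # signature of every NTLM message
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2 (Kerberos V5)
MSKRB5_OID = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2 (MS KRB5)
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2 (SPNEGO)

TOKEN_RE = re.compile(r"(?:Authorization|WWW-Authenticate):\s*Negotiate\s+([A-Za-z0-9+/=]+)")


def classify_negotiate_token(b64: str) -> str:
    """Return 'ntlm', 'kerberos' or 'unknown' for one base64 Negotiate token."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # tolerate stripped padding
    if NTLMSSP_MAGIC in raw:
        return "ntlm"        # raw NTLM, or SPNEGO carrying an NTLM mechToken
    if raw[:1] == b"\x60" and (KRB5_OID in raw or MSKRB5_OID in raw):
        return "kerberos"    # GSS-API InitialContextToken naming a Kerberos mechanism
    return "unknown"


def summarize(log_lines):
    """Count which mechanism each Authorization/WWW-Authenticate line carries."""
    counts = Counter()
    for line in log_lines:
        m = TOKEN_RE.search(line)
        if m:  # a bare 'WWW-Authenticate: Negotiate' challenge has no token; skipped
            counts[classify_negotiate_token(m.group(1))] += 1
    return dict(counts)


# Constructed sample tokens (not real captures): a minimal NTLM Type 1 message,
# and a SPNEGO NegTokenInit skeleton whose first mechType is MS-KRB5 and whose
# mechToken starts like a Kerberos AP-REQ (DER lengths are only approximate).
NTLM_TYPE1 = base64.b64encode(NTLMSSP_MAGIC + b"\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 24).decode()
KRB_SPNEGO = base64.b64encode(
    b"\x60\x82\x00\x3e" + SPNEGO_OID + b"\xa0\x34\x30\x32\xa0\x0d\x30\x0b" + MSKRB5_OID
    + b"\xa2\x21\x04\x1f\x60\x1d" + KRB5_OID + b"\x01\x00\x6e\x12" + b"\x00" * 18
).decode()
GARBAGE = base64.b64encode(b"not a gss-api token").decode()

# Constructed log lines in a Fiddler-like "request | header" layout.
SAMPLE_LOG = [
    "GET / HTTP/1.1 | Authorization: Negotiate " + KRB_SPNEGO,
    "GET / HTTP/1.1 | Authorization: Negotiate " + NTLM_TYPE1,
    "HTTP/1.1 401 Unauthorized | WWW-Authenticate: Negotiate",
    "GET /app HTTP/1.1 | Authorization: Negotiate " + KRB_SPNEGO,
]
```

Running `summarize(SAMPLE_LOG)` on the constructed lines reports two Kerberos requests and one NTLM request; the same function applied to a real header capture shows how often "Negotiate" actually ended up as NTLM.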