ASP.NET kerberos drops to NTLM sporadically

Background (relevant snippets only): We have a large asp.net 2.0 / 3.5 intranet application.
Web servers are Windows Server 2003 in an AD domain.
Clients are on Windows with IE 6-8. Windows authentication with a custom principal created from the Windows identity. The web servers are behind an F5 NLB, which redirects the user to a specific web server. (The reason for this is a limitation on our F5 setup related to Kerberos.) No systemic issues like disconnected sessions, timeouts or overloaded servers; everything works fine.

One piece of functionality requires delegation - we connect to a shared network file as the authenticated user using the Kerberos token provided to us by the domain / web server.

SPN, ACL, etc. seem to be configured correctly.

99.% of the time, everything works. The problem we see is that, from time to time, the tokens change from Kerberos to NTLM. I see logons in the web server event log showing one call:

Login process: Kerberos Authentication package: Kerberos

And the subsequent call (usually after loading 10 or 20 pages):

Logon process: NtLmSsp Authentication package: NTLM

Anyone have an idea why a subsequent postback might sometimes use NTLM?

Thanks!

+2

1 answer


All the tools and techniques needed to identify the problem are found in Troubleshooting Kerberos Errors. This document has never let me down.



NTLM Fallback
You may find that the security log recorded an event that happened using NTLM when it should have happened using Kerberos authentication.

Problem
There are two situations in which this can happen:
 - In the first situation, the system tries to authenticate with the Kerberos protocol, but it does not work. As a result, the system tries to authenticate using NTLM. Windows Server 2003, Windows XP, and Windows 2000 use an algorithm called Negotiate (SPNEGO) to negotiate which authentication protocol to use. Although Kerberos is the default, if the default fails, Negotiate will try NTLM.
 - The second situation is that the call to Negotiate returns NTLM as the only protocol available.

Confirming the first situation
Because the first situation results in a Kerberos authentication failure, you can investigate it by examining errors in the event log or packet data captured by Network Monitor. Both methods are discussed later in this document ...

+2

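An added example, not code from the question, the answer, or the Microsoft document: a small Python script that scans security-log style lines for the Logon Process / Authentication Package fields the question quotes and separates users who fell back from Kerberos to NTLM (the first situation in the quoted document) from users who only ever got NTLM (the second situation). The line format, user names, workstation names and timestamps are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on Windows Server 2003 "Successful Logon"
# security events; not real data from the question's servers.
SAMPLE_EVENTS = [
    "2010-03-01 09:00:01 User: CORP\\alice Workstation: WS-ALICE Logon Process: Kerberos Authentication Package: Kerberos",
    "2010-03-01 09:00:05 User: CORP\\alice Workstation: WS-ALICE Logon Process: Kerberos Authentication Package: Kerberos",
    "2010-03-01 09:02:17 User: CORP\\alice Workstation: WS-ALICE Logon Process: NtLmSsp Authentication Package: NTLM",
    "2010-03-01 09:03:00 User: CORP\\bob Workstation: WS-BOB Logon Process: NtLmSsp Authentication Package: NTLM",
    "2010-03-01 09:04:10 User: CORP\\carol Workstation: WS-CAROL Logon Process: Kerberos Authentication Package: Kerberos",
]

# Assumed (constructed) line layout; adapt the pattern to your own export format.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) User: (?P<user>\S+) Workstation: (?P<ws>\S+) "
    r"Logon Process: (?P<proc>\S+) Authentication Package: (?P<pkg>\S+)$"
)

def parse_event(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None

def find_ntlm_fallbacks(lines):
    """Return (fallbacks, ntlm_only): fallbacks maps a user to the timestamps of
    NTLM logons that followed an earlier Kerberos logon (sporadic fallback);
    ntlm_only holds users for whom Kerberos was never used at all."""
    history = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev:
            history[ev["user"]].append(ev)
    fallbacks, ntlm_only = {}, set()
    for user, events in history.items():
        seen_kerberos = False
        for ev in events:  # events are processed in log order
            if ev["pkg"].upper() == "KERBEROS":
                seen_kerberos = True
            elif ev["pkg"].upper() == "NTLM" and seen_kerberos:
                fallbacks.setdefault(user, []).append(ev["ts"])
        if not seen_kerberos and any(e["pkg"].upper() == "NTLM" for e in events):
            ntlm_only.add(user)
    return fallbacks, ntlm_only

if __name__ == "__main__":
    fb, only = find_ntlm_fallbacks(SAMPLE_EVENTS)
    for user, times in fb.items():
        print(f"{user}: fell back to NTLM at {', '.join(times)}")
    for user in sorted(only):
        print(f"{user}: NTLM only (Negotiate may never have offered Kerberos)")
```

Correlating the fallback timestamps with Kerberos errors in the same window of the event log or a Network Monitor capture is the next step the quoted document describes.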