Implement Kerberos authentication using C# on IIS

Question

I have configured the kerberos settings in IIS, still it fallback to NTLM authentication.

Can you tell me the proper troubleshooting method for kerberos.

Can you explain detail (Configuration and code implementation) about the kerberos implementation in c#.

Thanks in advance.

Answer 1

Kerberos is wide to troubleshot, if it fails to NTLM you'll have to brainstorm your configuration.

To test you can start by analysing the request/response header with a browser plugin (I use Httpfox for firefox), or by using the ASP.NET Authentication test page which might help you further http://blogs.msdn.com/b/friis/archive/2013/01/08/asp-net-authentication-test-page.aspx

Keep in mind that kerberos might fail if:

• try to login from the actual IIS server computer
• using an IP address instead of a name
• no SPN registered
• duplicate SPNs registered
• SPN registered against wrong account (KRB_ERR_AP_MODIFIED)
• no client DNS / DC connectivity
• client proxy setting / Local Intranet Zone not used for target site Also check your configuration for updates

About your next question:

Can you explain detail (Configuration and code implementation) about the kerberos implementation in c#.

It is even wider, I could not go shorter than the excellent article we find here: "Authentication in web services using C# and Kerberos (POC)" http://www.codeproject.com/Articles/27554/Authentication-in-web-services-using-C-and-Kerbero

Please update when you get more details about your error.