First, DON'T capitulate. He is not only an idiot but DANGEROUSLY wrong. In fact, releasing this information would violate the PCI standard (which is what I'm assuming the audit is for since it's a payment processor) along with every other standard out there and just plain common sense. It would also expose your company to all sorts of liabilities.
The next thing I would do is send an email to your boss saying he needs to get corporate counsel involved to determine the legal exposure the company would be facing by proceeding with this action.
This last bit is up to you, but I would contact VISA with this information and get his PCI auditor status pulled.
First, I would confirm that this is occurring from a client where IE shows that the site is in the Trusted Sites zone, and the Trusted Sites zone is configured for "Automatic logon with current username and password."
Next, I would suspect the http authorization header size may exceed the IIS limits. Integrated Kerberos authorization is quite susceptible to this issue due to the IIS limits are actually quite low, and it does not require that many group memberships to bloat the token over the limit.
Each and every request includes the user's Kerberos token in the http authorization header. Because the token is encoded, it is frequently much larger than the actual memory used.
You can increase the values using the following document:
Http.sys registry settings for Windows
http://support.microsoft.com/kb/820129
I would use the following values:
MaxRequestBytes - set to 1048576
MaxFieldLength - set to 65534
Another useful utility DelegConfig. You can drop this in as an application on any web site, and connect to get a nice useful report on how your Kerberos authentication is configured. This would need to be tested as the victim account (or a suitably configured test account taht is exhibiting the symptom in the victim's domain).
http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/delegconfig-delegation-configuration-reporting-tool.aspx
You may also need to review:
How to use SPNs when you configure Web applications that are hosted on Internet Information Services
http://support.microsoft.com/kb/929650
Specifically:
"In Active Directory, verify that the Account is sensitive and cannot be delegated check box is cleared for users who access the application."
"Verify that all computers that are part of the Kerberos process have consistent name resolution and are connected by Kerberos trust. For example, verify that the computers that are involved in the Kerberos process are in the same forest or are part of a cross-forest Kerberos trust."
"Verify that the token size does not exceed the value that is set for the MaxTokenSize property." (MaxTokenSize should be set to 65535).
Internet Explorer 6 cannot use the Kerberos authentication protocol to connect to a Web site that uses a non-standard port
http://support.microsoft.com/kb/908209
There are also some excellent tips in the following article.
https://blogs.msdn.com/b/friis/archive/2009/12/31/things-to-check-when-kerberos-authentication-fails-using-iis-ie.aspx
In particular, checking that the client is connect to the expected SPN, using NetMon or KerbSpy.
Best Answer
Change account B's password. This will derive new Kerberos keys for that account, and if the change was done on a non-ancient DC, it will result in AES keys being stored (alongside the rest).
Then log off and log on again, try to visit the webapp, and use
klist
to check whether you got tickets for that service that are using AES for both the service key and the session key.It sounds like account B had its last password change done very long ago, at a time when your KDCs only supported RC4 but not anything newer. Kerberos keys for an account are derived directly from its password – e.g. the RC4 key is literally the NT MD4 hash, whereas AES keys are PBKDF2 hashes – meaning, it is not possible to for Windows to "upgrade" them as it doesn't know the original password.
Getting rid of RC4 therefore requires changing the 'krbtgt' password, changing all user accounts' passwords, and even changing all service accounts' passwords (and re-issuing new keytabs for those services that use a keytab) so that all of them would have AES keys available.
This option is only relevant when the account is being used as a service (i.e. another account is requesting tickets for SPNs belonging to this account), as the KDC needs to know what tickets the actual service application is capable of receiving. (The KDC doesn't communicate with the service, so it has no other way to know whether the service can understand AES tickets or not.)
When the account is being used as a client, the option is irrelevant because the client system directly tells the KDC what encryption types it's capable of using (as part of the AS-REQ). And of course the KDC already knows what keys it has stored for that user.
So it should be checked for the service account corresponding to the web app, if there is one, but generally not required for normal user accounts.