If an IIS-hosted site is secured using Kerberos, can Linux machines connect to it?

active-directory iis-7 kerberos windows-server-2008-r2

I'm running into a problem configuring my IIS 7.0 website in a test environment with Kerberos. I have a trial version of Windows Server 2008 R2 with AD DS, AD RMS, DHCP, DNS & IIS roles installed. I have gone into the IIS security settings for the site and set up Windows Authentication to permit Kerberos login.

The problem I'm running into is that it is not routinely using Kerberos for the security protocol. When I set providers in IIS to "Negotiate", Fiddler2 indicates that the header will return an NTLM header 50% of the time and a Kerberos header the other 50% of the time. If I instead set the provider as "Negotiate:Kerberos" in IIS, I cannot access the site at all as it immediately reports a 401 error. Additionally, any attempt to connect to the site in either configuration using a Linux machine points immediately to a 401 security error.

Can anyone please provide some insights or guides into how to configure this? I specifically need to block any fallback to NTLM in addition to enabling Kerberos regardless of the machine I connect with. So far, I haven't found any TechNet or Server Fault articles that fully address this issue.

Best Answer

In Firefox you will need to set it up to use Kerberos under about:config network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris.

For Chrome/Chromium try chromium-browser --auth-server-whitelist="company.com"
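
To confirm which mechanism a client actually sent (the NTLM-versus-Kerberos split the question observes in Fiddler), the token in each Authorization header can be decoded and classified. The following is an added example, not part of the original question or answer; the helper names are hypothetical, the sample tokens are constructed, and the OID search is a heuristic rather than a full ASN.1 parse.

```python
import base64
from collections import Counter

NTLMSSP_SIG = b"NTLMSSP\x00"  # raw NTLM message signature
# DER-encoded mechanism OIDs as they appear inside GSS-API/SPNEGO tokens
OID_SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECHS = [("kerberos", OID_KRB5), ("kerberos", OID_MS_KRB5), ("ntlm", OID_NTLMSSP)]

def classify(header_value: str) -> str:
    """Classify one Authorization header value (hypothetical helper)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not b64:
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "malformed"
    if token.startswith(NTLMSSP_SIG):
        return "ntlm"  # NTLM sent bare, even under the Negotiate scheme
    if token[:1] == b"\xa1":
        return "spnego-continuation"  # later leg; mechanism was chosen earlier
    if token[:1] != b"\x60":
        return "unknown"
    # Heuristic: the earliest mechanism OID is either the raw GSS mechanism
    # or the first (preferred) entry of the SPNEGO mechTypes list.
    hits = [(token.find(oid), name) for name, oid in MECHS if oid in token]
    return min(hits)[1] if hits else "unknown"

def summarize(header_values) -> Counter:
    """Count mechanisms across captured Authorization headers."""
    return Counter(classify(h) for h in header_values)

def _hdr(raw: bytes) -> str:
    return "Negotiate " + base64.b64encode(raw).decode()

# Constructed sample tokens (mechanism lists only; no real tickets or captures).
SAMPLE_NTLM = _hdr(NTLMSSP_SIG + b"\x01\x00\x00\x00\x07\x82\x08\xa2")
SAMPLE_KRB = _hdr(b"\x60\x26" + OID_SPNEGO + b"\xa0\x1c\x30\x1a\xa0\x18\x30\x16"
                  + OID_MS_KRB5 + OID_KRB5)
SAMPLE_SPNEGO_NTLM = _hdr(b"\x60\x1c" + OID_SPNEGO
                          + b"\xa0\x12\x30\x10\xa0\x0e\x30\x0c" + OID_NTLMSSP)

if __name__ == "__main__":
    print(summarize([SAMPLE_NTLM, SAMPLE_KRB, SAMPLE_KRB, SAMPLE_SPNEGO_NTLM]))
```

A result of "ntlm" for a header sent under the Negotiate scheme means the client did not send a Kerberos token for the site and offered NTLM instead.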