Wednesday, March 15, 2006
This one was really frustrating. The behavior seemed bizarre: some people could log in, some people couldn't.
Here's the situation:
- Using Internet Explorer,
- on a Kerberos-enabled Windows domain,
- access a website that is
- specified in the trusted sites zone, and
- Enable Integrated Windows Authentication is checked.
Two things break in this situation:
- Trying to access the site over standard HTTP instead of HTTPS (i.e., not over SSL), results in a Server Not Found error - DNS error
  - When not in SSL-mode, IE can't (or won't) connect to the Kerberos server, which is actually the server not found. The problem is that our solution needed to allow people to connect either way, and then be redirected to SSL. However, whether SSL or not, the user has to be authenticated first, which this bug prevented when not in SSL mode.
- Once on an SSL connection, form data simply will not POST (The POST Method Does not Work if You are using Kerberos Authentication)
  - Then the user gets an additional login form, which mind-bogglingly just does nothing!
Both problems are related to IE trying to authenticate using Kerberos.
Turn off Enable Integrated Windows Authentication in Internet Explorer and both these problems go away. What happens is that IE and IIS authenticate with NTLM instead of Kerberos, and all is well. It's possible that disabling Kerberos in IIS could make this a moot point, too, but I haven't tested that.
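To confirm which mechanism a browser actually offered before and after changing the setting, the `Authorization` header value from a request trace can be classified. This is an added example, not code from the original post; the function names are hypothetical and the sample tokens are constructed, minimal stand-ins for real ones.

```python
import base64
import struct

# DER-encoded mechanism OIDs (tag 0x06, length, value).
OID_SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
MECH_OIDS = {
    bytes.fromhex("06092a864886f712010202"): "Kerberos",  # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"): "Kerberos",  # 1.2.840.48018.1.2.2 (legacy Microsoft OID)
    bytes.fromhex("060a2b06010401823702020a"): "NTLM",    # 1.3.6.1.4.1.311.2.2.10
}

def classify_authorization(value):
    """Return 'Kerberos', 'NTLM' or 'unknown' for an Authorization header value."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    if token.startswith(b"NTLMSSP\x00"):
        return "NTLM"     # raw NTLMSSP message, no SPNEGO wrapper
    if token[:1] != b"\x60":
        return "unknown"  # e.g. a later SPNEGO leg; only the initial token lists mechanisms
    # Heuristic: the mechanism OID nearest the start of the token is the preferred one.
    hits = [(token.find(oid), name) for oid, name in MECH_OIDS.items() if oid in token]
    return min(hits)[1] if hits else "unknown"

def _der(tag, body):
    # Short-form DER length only; enough for the constructed samples below.
    return bytes([tag, len(body)]) + body

def _neg_token_init(mech_oids):
    # Constructed SPNEGO NegTokenInit that carries only a mechTypes list.
    mech_list = _der(0x30, b"".join(mech_oids))
    return _der(0x60, OID_SPNEGO + _der(0xA0, _der(0x30, _der(0xA0, mech_list))))

def _header(scheme, token):
    return scheme + " " + base64.b64encode(token).decode("ascii")

KRB, MS_KRB, NTLM_OID = list(MECH_OIDS)
SAMPLES = {  # constructed header values, not captured traffic
    "kerberos_preferred": _header("Negotiate", _neg_token_init([MS_KRB, KRB, NTLM_OID])),
    "ntlm_in_spnego": _header("Negotiate", _neg_token_init([NTLM_OID])),
    "raw_ntlm": _header("NTLM", b"NTLMSSP\x00" + struct.pack("<I", 1) + b"\x00" * 4),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "->", classify_authorization(value))
```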