I have been trying to wrap my head around the complete Kerberos thing for a while now. :-)
In the beginning I tried to follow "Kerberos, The Ultimate Guide" from the "MWG Best Practices and Common Scenarios". I (think I) have Kerberos, fallback to NTLM and fallback to User Database authentications working. Additionally I do some LDAP lookups to gather information like the real user name and group memberships from AD. I also have the fallback from "Negotiate or NTLM" to "just NTLM" working.
There are two things that are bothering me:
- in the Authentication Statistics I see next to no Kerberos Authentication requests (mostly none at all, sometimes up to 40 per day) while I typically have 500,000 LDAP authentications (mostly cached) and 150,000 NTLM authentications per day
- my mwg-core.errors.log is flooded with
[Auth] [KerberosAuthentication] 'SPNEGOExtractNegotiateToken' 'SPNEGO' error : 'SPNEGOExtractNegotiateToken() failed'
(about 50,000 entries per day)
Our environment consists mostly of IE and Firefox users, most of them benefiting from Single Sign On. Some machines are not AD domain members, but authenticate with AD accounts. Some use the user database.
My questions are:
1.) what exactly do I need Kerberos authentication for? In which scenario does it become active? Can I simply switch it off without losing functionality?
2.) The fallback from "Negotiate or NTLM" to "just NTLM" with Authentication.ClearMethodList and Authentication.AddMethod("NTLM", "", true) is triggered on the condition that Authentication.RawCredentials matches "Negotiate TlRM*". From what I understand: "Negotiate" means "Kerberos Authentication" and "NTLM" means "NTLM authentication". "TlRM" is the start of an NTLM authentication. So what the browsers are doing is "I want to do a Kerberos authentication and here is my NTLM authentication data", which is apparently nonsense. So why do I ask for this nonsense ("Negotiate or NTLM") in the first place? Could I simply remove the condition (Authentication.RawCredentials matches "Negotiate TlRM*") and offer "just NTLM" all the time? It would surely save me all the round trips ending up in 'SPNEGOExtractNegotiateToken() failed'.
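To make the "Negotiate TlRM*" condition concrete, here is an added Python example (not MWG rule code and not from the original post) that decodes an Authorization header and tells a genuine SPNEGO or Kerberos GSS-API token from an NTLM message that the browser sent under the Negotiate scheme, which is exactly the case the proxy cannot hand to SPNEGOExtractNegotiateToken. The sample tokens at the bottom are constructed, not captured.

```python
import base64
import binascii
import re

# Every raw NTLM message starts with "NTLMSSP\0"; its base64 form starts with
# "TlRMTVNT", which is why the MWG condition matches "Negotiate TlRM*".
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# A real Negotiate token is a GSS-API InitialContextToken: DER tag 0x60,
# a length, then the mechanism OID (SPNEGO 1.3.6.1.5.5.2 or Kerberos 5).
SPNEGO_OID = bytes.fromhex("06062b0601050502")
KRB5_OID = bytes.fromhex("06092a864886f712010202")

def _gss_mechanism(token):
    """Return 'spnego', 'kerberos' or None for a GSS-API token."""
    if len(token) < 2 or token[0] != 0x60:
        return None
    i = 2 + (token[1] & 0x7F if token[1] & 0x80 else 0)  # skip DER length
    body = token[i:]
    if body.startswith(SPNEGO_OID):
        return "spnego"
    if body.startswith(KRB5_OID):
        return "kerberos"
    return None

def classify_authorization(header):
    """Classify a (Proxy-)Authorization header value.

    Returns (kind, ntlm_message_type); kind is 'basic', 'ntlm',
    'ntlm-in-negotiate', 'spnego', 'kerberos' or 'unknown'.
    """
    m = re.match(r"^\s*([A-Za-z]+)\s+(\S+)\s*$", header)
    if not m:
        return ("unknown", None)
    scheme, blob = m.group(1).lower(), m.group(2)
    if scheme == "basic":
        return ("basic", None)
    try:
        token = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return ("unknown", None)
    if token.startswith(NTLMSSP_SIGNATURE):
        msg_type = int.from_bytes(token[8:12], "little") if len(token) >= 12 else None
        return ("ntlm-in-negotiate" if scheme == "negotiate" else "ntlm", msg_type)
    mech = _gss_mechanism(token)
    return (mech, None) if mech and scheme == "negotiate" else ("unknown", None)

# Constructed sample tokens (not captured from a real proxy).
NTLM_TYPE1 = base64.b64encode(NTLMSSP_SIGNATURE + (1).to_bytes(4, "little")
                              + b"\x07\x82\x08\xa2" + b"\x00" * 16).decode()
SPNEGO_TOKEN = base64.b64encode(b"\x60\x0c" + SPNEGO_OID + b"\xa0\x02\x30\x00").decode()
```

Run over a day's worth of logged header values, the counts per kind show how much of the 'SPNEGOExtractNegotiateToken() failed' noise is NTLM-in-Negotiate versus clients that never obtained a Kerberos ticket at all.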