My ASP.NET page (windows authentication, impersonation) uses UserPrincipal.Current to get information about the active user.
Getting this property executes an LDAP query to Active Directory.
With some browsers, however, I get the error message “The specified directory service attribute or value does not exist”.
Using WireShark I figured out that Kerberos authentication did not work between the web server and AD, which is a sign that the browser did not pass a Kerberos ticket in the first place.
I pinned this down to two causes, one per browser:
Internet Explorer
In IE the problem was that the site was not in the “Intranet” zone. Adding it to this zone fixed the problem.
Firefox
There are two essential settings:
• network.negotiate-auth.delegation-uris
• network.negotiate-auth.trusted-uris
If you set both to the domain (or full name) of your server, Kerberos authentication will work.
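As an added example (not code from the original post), here is how the UserPrincipal.Current lookup can be wrapped so that a missing Kerberos ticket is reported with the caller's authentication type and impersonation level instead of surfacing the raw LDAP error; the class and method names are mine, and it assumes the code runs inside the impersonated request so that WindowsIdentity.GetCurrent() is the browser user.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added diagnostic wrapper (hypothetical helper, not part of the original post).
public static class CurrentUserLookup
{
    // Returns the AD principal for the impersonated user, or null with a
    // reason string that names the likely cause, so the page can log it and
    // fail gracefully instead of throwing the LDAP error to the browser.
    public static UserPrincipal TryGetCurrent(out string reason)
    {
        reason = null;
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        if (identity == null || identity.IsAnonymous)
        {
            reason = "request is anonymous; Windows authentication did not run";
            return null;
        }

        // "NTLM" means the browser did not present a Kerberos ticket (site not in
        // IE's Intranet zone, or Firefox trusted-uris/delegation-uris not set).
        if (string.Equals(identity.AuthenticationType, "NTLM", StringComparison.OrdinalIgnoreCase))
        {
            reason = "user " + identity.Name + " authenticated with NTLM, not Kerberos; " +
                     "the impersonated token cannot be used for the hop to AD";
            return null;
        }

        try
        {
            return UserPrincipal.Current;
        }
        catch (Exception ex) when (ex is PrincipalException || ex is COMException)
        {
            // AD is a second hop from the web server; a token below Delegation
            // level normally cannot make that hop, which is what the
            // "directory service attribute or value does not exist" error hides.
            reason = "AD lookup failed for " + identity.Name +
                     " (auth=" + identity.AuthenticationType +
                     ", impersonation level=" + identity.ImpersonationLevel + "): " + ex.Message;
            return null;
        }
    }
}
```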
I hope this saves someone else the two days that it took me to figure out where the problem was.