Windows Vista Forums

RE: kerberos TGS for an IP address
  1. #1


    Mervyn Zhang [MSFT] Guest

    RE: kerberos TGS for an IP address

    Hi,

    Thank you for posting here.

    According to your description, I understand that:

    According to Wireshark, Vista doesn't use Kerberos when visiting a resource
    using an IP address directly.

    If I have misunderstood the problem, please don't hesitate to let me know.

    As we know, the DNS server helps us translate a host name to an IP address when
    we visit any network resource, including the KDC and services.

    When you use SRV1.domain.local, your client has to query the DNS cache or
    DNS server to find the IP address (10.10.0.11) and send a Kerberos request to
    the KDC or service server.



    It makes no difference whether you use IP or Host name. There may be
    something wrong with Wireshark.

    Please use "klist" to verify if Kerberos was used. On the client system,
    click Start, type CMD, type "klist tickets", press Enter. Are there any HTTP
    records?

    You can also use Microsoft Network Monitor 3.2 to analyze traffic.
    http://www.microsoft.com/downloads/d...0af-1e08-4a21-
    a26b-ec2f4dc4190d&displaylang=en

    Install Microsoft Network Monitor 3.2, run it on server and clients to
    monitor the traffic.

    If necessary, use the capture filter to monitor only authentication
    traffic. If anything is unclear, send the saved capture file: use
    Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the files
    and then give me the download address.

    Sincerely,
    Mervyn Zhang
    Microsoft Online Community Support

    ==================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.



  2. #2


    Ondrej Sevecek Guest

    Re: kerberos TGS for an IP address

    I have used klist and also kerbtray (probably not supported but working :-))
    to trace the problem and still, Vista seems to not use the kerberos for IP
    addresses.

    many thanks for your help.

    o.


    "Mervyn Zhang [MSFT]" <v-mervzh@xxxxxx> wrote in message
    news:%23Bfc1cQhJHA.820@xxxxxx

    > Hi,
    >
    > Thank you for posting here.
    >
    > According to your description, I understand that:
    >
    > According to Wireshark, Vista doesn't use Kerberos when visiting a resource
    > using an IP address directly.
    >
    > If I have misunderstood the problem, please don't hesitate to let me know.
    >
    > As we know, DNS Server helps us to translate Host Name to IP address when
    > we visit any Network resource, including visiting KDC, services.
    >
    > When you use SRV1.domain.local, your client has to query the DNS cache or
    > DNS server to find the IP address(10.10.0.11) and send Kerberos request to
    > KDC or service server.
    >
    > It makes no difference whether you use IP or Host name. There may be
    > something wrong with Wireshark.
    >
    > Please use "klist" to verify if Kerberos was used. On the client system,
    > click Start, type CMD, type "klist tickets", press Enter. Are there any
    > HTTP
    > records?
    >
    > You can also use Microsoft Network Monitor 3.2 to analyze traffic.
    > http://www.microsoft.com/downloads/d...0af-1e08-4a21-
    > a26b-ec2f4dc4190d&displaylang=en
    >
    > Install Microsoft Network Monitor 3.2, run it on server and clients to
    > monitor the traffic.
    >
    > If necessary, use the capture filter to monitor only authentication
    > traffic. If anything unclear, you send the saved capture file and use
    > Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the files
    > and then give me the download address.
    >
    > Sincerely,
    > Mervyn Zhang
    > Microsoft Online Community Support
    >
    > ==================================================
    > This posting is provided "AS IS" with no warranties, and confers no
    > rights.
    >


  3. #3


    Mervyn Zhang [MSFT] Guest

    Re: kerberos TGS for an IP address

    Hi,

    Thank you for your update.

    As far as I know, the host name will be translated to an IP address on the client
    before contacting the KDC or service server.

    1. Please restart the server and use IP address to visit http://10.10.0.11.
    After that, run "klist tickets >>c:\kerberos.log".

    2. Run " klist purge", press Y to clear Kerberos tickets. Run "klist
    tickets >>c:\kerberos1.log".

    3. Visit http/intranet.domain.local and run "klist tickets
    >>c:\kerberos2.log" again.

    Send log files to tfwst@xxxxxx or upload to skydrive for research.

    Please also try to collect the network Monitor capture files.

    Sincerely,
    Mervyn Zhang
    Microsoft Online Community Support

    ==================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.


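    The three-step test above boils down to diffing the ticket cache before and after each visit and looking for an HTTP/&lt;target&gt; service ticket. The script below is an added example, not code from either poster: it parses "klist tickets" dumps and reports which SPNs appeared after a step. The klist text is constructed to approximate the Vista output format (the user name, realm, times and encryption types are made up), and the ticket it shows for the host-name visit but not for the IP visit reflects the outcome the thread reaches later, not a capture from these machines.

```python
import re
from typing import List, Set

# Constructed sample klist output (approximating the Vista "klist tickets" format,
# not captured from the thread's machines). "Before": only the TGT is cached.
KLIST_BEFORE = """\
Current LogonId is 0:0x3e7

Cached Tickets: (1)

#0>     Client: ondra @ DOMAIN.LOCAL
        Server: krbtgt/DOMAIN.LOCAL @ DOMAIN.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 1/15/2009 9:00:00 (local)
        End Time:   1/15/2009 19:00:00 (local)
        Renew Time: 1/22/2009 9:00:00 (local)
"""

# "After visiting http://10.10.0.11": nothing new, Kerberos was never attempted.
KLIST_AFTER_IP = KLIST_BEFORE

# "After visiting http://intranet.domain.local": a service ticket for the HTTP SPN.
KLIST_AFTER_NAME = KLIST_BEFORE.replace("Cached Tickets: (1)", "Cached Tickets: (2)") + """
#1>     Client: ondra @ DOMAIN.LOCAL
        Server: HTTP/intranet.domain.local @ DOMAIN.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 1/15/2009 9:05:00 (local)
        End Time:   1/15/2009 19:00:00 (local)
        Renew Time: 1/22/2009 9:00:00 (local)
"""

# One "Server: <spn> @ <realm>" line per cached ticket.
SERVER_RE = re.compile(r"^\s*Server:\s*(\S+)\s*@\s*(\S+)", re.MULTILINE)


def cached_spns(klist_output: str) -> Set[str]:
    """Return the set of service principal names (lower-cased) in a klist dump."""
    return {spn.lower() for spn, _realm in SERVER_RE.findall(klist_output)}


def new_tickets(before: str, after: str) -> List[str]:
    """SPNs present after a test step that were not cached before it."""
    return sorted(cached_spns(after) - cached_spns(before))


def http_ticket_for(target: str, klist_output: str) -> bool:
    """True if a service ticket for HTTP/<target> is in the cache (case-insensitive)."""
    return f"http/{target.lower()}" in cached_spns(klist_output)


def kerberos_was_used(target: str, before: str, after: str) -> bool:
    """The thread's test: did visiting http://<target> add an HTTP/<target> ticket?"""
    return f"http/{target.lower()}" in new_tickets(before, after)


if __name__ == "__main__":
    steps = (("10.10.0.11", KLIST_AFTER_IP), ("intranet.domain.local", KLIST_AFTER_NAME))
    for target, after in steps:
        used = kerberos_was_used(target, KLIST_BEFORE, after)
        verdict = "Kerberos service ticket obtained" if used else "no service ticket (fell back to NTLM or other)"
        print(f"http://{target}: {verdict}; new tickets: {new_tickets(KLIST_BEFORE, after)}")
```

    On a real client, run "klist purge" first so the "before" cache holds only the TGT, redirect each "klist tickets" run to a file as the post describes, and feed the files to these functions; an empty new_tickets() result after the IP visit is the symptom the thread is chasing.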

  4. #4


    Ondrej Sevecek Guest

    Re: kerberos TGS for an IP address

    look, this is unnecessary, it actually does not even ask for a TGT.

    so the only thing I would like to know:
    Vista (the same way as XP) should use kerberos even for IP addresses, right?


    if it is so, I will investigate the things myself. What I need is just
    the confirmation that the things should really work the same way as with XP.
    Because according to my long-running tests, it doesn't use kerberos for IP
    addresses and it seemed to me to be a "by design" feature change.


    ondra.



    "Mervyn Zhang [MSFT]" <v-mervzh@xxxxxx> wrote in message
    news:wOWs6ARhJHA.1700@xxxxxx

    > Hi,
    >
    > Thank you for your update.
    >
    > As far as I know, Host name will be translated to IP address on client
    > before contacting KDC or Service server.
    >
    > 1. Please restart the server and use IP address to visit
    > http://10.10.0.11.
    > After that, run "klist tickets >>c:\kerberos.log".
    >
    > 2. Run " klist purge", press Y to clear Kerberos tickets. Run "klist
    > tickets >>c:\kerberos1.log".
    >
    > 3. Visit http/intranet.domain.local and run "klist tickets
    > >>c:\kerberos2.log" again.
    >
    > Send log files to tfwst@xxxxxx or upload to skydrive for research.
    >
    > Please also try to collect the network Monitor capture files.
    >
    > Sincerely,
    > Mervyn Zhang
    > Microsoft Online Community Support
    >
    > ==================================================
    > This posting is provided "AS IS" with no warranties, and confers no
    > rights.
    >


  5. #5


    Ondrej Sevecek Guest

    Re: kerberos TGS for an IP address

    I have actually sent you the pictures.

    ondra.


    "Mervyn Zhang [MSFT]" <v-mervzh@xxxxxx> wrote in message
    news:wOWs6ARhJHA.1700@xxxxxx

    > Hi,
    >
    > Thank you for your update.
    >
    > As far as I know, Host name will be translated to IP address on client
    > before contacting KDC or Service server.
    >
    > 1. Please restart the server and use IP address to visit
    > http://10.10.0.11.
    > After that, run "klist tickets >>c:\kerberos.log".
    >
    > 2. Run " klist purge", press Y to clear Kerberos tickets. Run "klist
    > tickets >>c:\kerberos1.log".
    >
    > 3. Visit http/intranet.domain.local and run "klist tickets
    > >>c:\kerberos2.log" again.
    >
    > Send log files to tfwst@xxxxxx or upload to skydrive for research.
    >
    > Please also try to collect the network Monitor capture files.
    >
    > Sincerely,
    > Mervyn Zhang
    > Microsoft Online Community Support
    >
    > ==================================================
    > This posting is provided "AS IS" with no warranties, and confers no
    > rights.
    >


  6. #6


    Mervyn Zhang [MSFT] Guest

    Re: kerberos TGS for an IP address

    Hi Ondra,

    Thank you for your reply and information.

    On my test machines, Windows XP did not use Kerberos when using an IP address
    to visit websites. Vista behaves the same as your client: it
    didn't use Kerberos when using an IP address.

    I have found a similar case about Kerberos not working with IP Address.
    Below is summary of their conclusion:

    "Indeed, in Win2003/XP/Vista, all systems use KerbIsIpAddress to check if
    the target server name is an IP address. If it is, the function will
    return true and the system will deny Kerberos in this situation with
    SEC_E_TARGET_UNKNOWN.

    The reason that IP addresses worked in Windows 2003/XP is that the old system
    logic doesn't check this pattern "http/ipaddress". Because the SPN is
    like "http/ipaddress" in your situation, this implicitly works around the
    limitation.

    However, in Vista, the KerbIsIpAddress function has been improved and all
    IP addresses used in SPNs will be filtered out and denied before Kerberos
    negotiation. As key code logic, KerbIsIpAddress is not avoidable and it is
    by design.

    In fact, for the previous systems, the description of Kerberos behavior when
    using an IP address has been provided below (although it doesn't mention the
    "http/ipaddress" pattern):

    322979 Kerberos is not used when you connect to SMB shares by using IP address
    http://support.microsoft.com/default...b;EN-US;322979
    "

    From the article "Improving Web Proxy Client Authentication Performance on
    ISA Server 2006"
    http://technet.microsoft.com/en-us/l.../bb984870.aspx

    We can find:
    "Although in the first scenario (see figure 1) we have a Windows Server
    2003 Domain and the native support to use Kerberos, NTLM will still be
    preferred authentication method for Internet Explorer 6 while browsing the
    Internet through a Proxy."

    Many applications will also control the authentication method.

    There is also Group Policy for Kerberos.

    Configure Kerberos policy
    http://technet.microsoft.com/en-us/l.../cc776647.aspx

    Sincerely,
    Mervyn Zhang
    Microsoft Online Community Support

    ==================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.


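    The explanation above says the decision happens before any KDC traffic: the client looks at the target name in the SPN, and if it is an IP literal it refuses Kerberos with SEC_E_TARGET_UNKNOWN, so the application silently falls back to NTLM. The script below is an added example written for this thread, not Microsoft code and not a reimplementation of the real KerbIsIpAddress function; it models the described rule so that a list of URLs or SPNs pulled from an application's configuration can be audited for targets that will never get Kerberos. The function names and the sample targets are the example's own; the SEC_E_TARGET_UNKNOWN value is the public SSPI constant.

```python
import ipaddress
from typing import Dict, List
from urllib.parse import urlsplit

# Public SSPI status code the thread says Kerberos returns for an IP-literal target.
SEC_E_TARGET_UNKNOWN = 0x80090303


def spn_host(target: str) -> str:
    """Extract the host part from an SPN ("http/10.10.0.11", "HTTP/srv1.domain.local:8080",
    "http/[fe80::1]:8080") or a URL ("http://10.10.0.11/"); port and service are dropped."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    _service, _, rest = target.partition("/")
    if rest.startswith("["):              # bracketed IPv6 literal, e.g. [fe80::1]:8080
        return rest[1:rest.index("]")]
    return rest.split(":", 1)[0]


def is_ip_literal(host: str) -> bool:
    """Model of the KerbIsIpAddress check the thread describes: is the target an IP address
    (v4 or v6) rather than a name that can map to a registered SPN?"""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def predict_kerberos(target: str) -> Dict[str, object]:
    """Predict, per the thread's explanation, whether Vista would attempt Kerberos for
    this target. IP literals are rejected client-side before any AS/TGS exchange."""
    host = spn_host(target)
    if is_ip_literal(host):
        return {"target": target, "host": host, "kerberos": False,
                "status": SEC_E_TARGET_UNKNOWN}
    return {"target": target, "host": host, "kerberos": True, "status": 0}


def audit(targets: List[str]) -> List[str]:
    """Return the targets that will fall back from Kerberos because they name an IP."""
    return [t for t in targets if not predict_kerberos(t)["kerberos"]]


if __name__ == "__main__":
    # Constructed sample: the thread's two targets plus an IPv6 literal and an SPN with a port.
    sample = ["http://intranet.domain.local/", "http://10.10.0.11/",
              "HTTP/srv1.domain.local:8080", "http/[fe80::1]:8080"]
    for t in sample:
        r = predict_kerberos(t)
        print(f"{t:32} -> {'Kerberos' if r['kerberos'] else 'SEC_E_TARGET_UNKNOWN (NTLM fallback)'}")
    print("needs a host name instead of an IP:", audit(sample))
```

    The practical fix the thread implies is on the configuration side: address the service by a DNS name that has an HTTP/ SPN registered, rather than by IP, since the client-side check cannot be bypassed by policy.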

  7. #7


    Ondrej Sevecek Guest

    Re: kerberos TGS for an IP address

    eeeeeeeeeeexcelllllent!

    thank you very much.

    ondra.


    "Mervyn Zhang [MSFT]" <v-mervzh@xxxxxx> wrote in message
    news:z74v8sShJHA.1700@xxxxxx

    > Hi Ondra,
    >
    > Thank you for your reply and information.
    >
    > On my test machines, Windows XP did not use Kerberos when using an IP address
    > to visit websites. Vista behaves the same as your client: it
    > didn't use Kerberos when using an IP address.
    >
    > I have found a similar case about Kerberos not working with IP Address.
    > Below is summary of their conclusion:
    >
    > "Indeed, in Win2003/XP/Vista, all systems use KerbIsIpAddress to check if
    > the target server name is one IP address. If it is, the function will
    > return true and System will deny to Kerberos in this situation with
    > SEC_E_TARGET_UNKNOWN.
    >
    > The reason that IP address worked in Windows 2003/XP is that the old
    > system
    > logic doesn't check this pattern "http/ipaddress". Because the SPN is
    > like "http/ipaddress" in your situation, this implicitly workarounds the
    > limitation.
    >
    > However, in Vista, the KerbIsIpAddress function has been improved and all
    > ip address used in SPN will be filtered out and denied before Kerberos
    > Negotiation. As key code logic, KerbIsIpAddress is not avoidable and it is
    > by design.
    >
    > In fact, for previous system, the description of Kerberos behavior when
    > using IP
    > Address has been provided as below (although it doesn't mention
    > "http/ipaddress"
    > pattern):
    >
    > 322979 Kerberos is not used when you connect to SMB shares by using IP
    > address
    > http://support.microsoft.com/default...b;EN-US;322979
    > "
    >
    > From the article "Improving Web Proxy Client Authentication Performance on
    > ISA Server 2006"
    > http://technet.microsoft.com/en-us/l.../bb984870.aspx
    >
    > We can find:
    > "Although in the first scenario (see figure 1) we have a Windows Server
    > 2003 Domain and the native support to use Kerberos, NTLM will still be
    > preferred authentication method for Internet Explorer 6 while browsing the
    > Internet through a Proxy."
    >
    > Many applications will also control the authentication method.
    >
    > There is also Group Policy for Kerberos.
    >
    > Configure Kerberos policy
    > http://technet.microsoft.com/en-us/l.../cc776647.aspx
    >
    > Sincerely,
    > Mervyn Zhang
    > Microsoft Online Community Support
    >
    > ==================================================
    > This posting is provided "AS IS" with no warranties, and confers no
    > rights.
    >


  8. #8


    Mervyn Zhang [MSFT] Guest

    Re: kerberos TGS for an IP address

    Hi ondra,

    I am glad to hear that the information is useful. If you have any other
    questions or concerns, please do not hesitate to contact us. It is always
    our pleasure to be of assistance.

    Have a nice day!

    Sincerely,
    Mervyn Zhang
    Microsoft Online Community Support

    ==================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.

