I am looking for help in setting up a test intranet environment to better understand kerberos and services available under Windows 2008 R2.
Presently, I have a Windows 2008 R2 trial set up with AD DS, AD RMS, DNS, DHCP and IIS roles installed (note: AD RMS. I have a small, isolated network consisting of the 2008 server (10.0.0.1), a Windows 7 client (10.0.0.2) and an Ubuntu 12.04 client (10.0.0.3). There's also a gateway for internet access (10.0.0.5), but that is there for convenience only.
Using IIS, I have created a simple test page that is accessible at 10.0.0.1/test. I am trying to secure the page so that a client can only access it via the intranet using a Kerberos enforced security protocol. Towards this end, I have installed the Windows Authentication service under IIS. I do not want NTLM to be used under any circumstances, so the providers list is restricted to "Negotiate" only on this setting. Anonymous Authentication is currently disabled.
Currently, my windows 7 client is able to connect and receive a ticket without issue. I have confirmed that a Kerberos ticket is being issued using the server's security log. The Ubuntu client, however, does not offer a security challenge when I navigate to the site. It immediately defaults to a 401 error, declaring that the system doesn't have sufficient security permissions to view the site. I very much want Linux clients to be able to connect over Kerberos, but I cannot seem to determine what other configuration is necessary on the server or if configuration is necessary on the Linux client to enable this.
Does anyone have any experience with setting up Kerberos security for intranet sites that might be able to explain what steps I'm missing? I've looked through a large number of technet articles, but none seem to describe the situation I'm working in. Any help or direction to guides is appreciated.
Presently, I have a Windows 2008 R2 trial set up with AD DS, AD RMS, DNS, DHCP and IIS roles installed (note: AD RMS. I have a small, isolated network consisting of the 2008 server (10.0.0.1), a Windows 7 client (10.0.0.2) and an Ubuntu 12.04 client (10.0.0.3). There's also a gateway for internet access (10.0.0.5), but that is there for convenience only.
Using IIS, I have created a simple test page that is accessible at 10.0.0.1/test. I am trying to secure the page so that a client can only access it via the intranet using a Kerberos enforced security protocol. Towards this end, I have installed the Windows Authentication service under IIS. I do not want NTLM to be used under any circumstances, so the providers list is restricted to "Negotiate" only on this setting. Anonymous Authentication is currently disabled.
Currently, my windows 7 client is able to connect and receive a ticket without issue. I have confirmed that a Kerberos ticket is being issued using the server's security log. The Ubuntu client, however, does not offer a security challenge when I navigate to the site. It immediately defaults to a 401 error, declaring that the system doesn't have sufficient security permissions to view the site. I very much want Linux clients to be able to connect over Kerberos, but I cannot seem to determine what other configuration is necessary on the server or if configuration is necessary on the Linux client to enable this.
Does anyone have any experience with setting up Kerberos security for intranet sites that might be able to explain what steps I'm missing? I've looked through a large number of technet articles, but none seem to describe the situation I'm working in. Any help or direction to guides is appreciated.