
Identifying NTLM vs. Kerberos authentication using Fiddler

I saw this post on using Fiddler to tell the difference between an NTLM and a Kerberos connection to a web server.

Two easy ways to pick Kerberos from NTLM in an HTTP capture

If you aren't aware of what Fiddler is, it's a web proxy that lets you see the communications between a web browser and a server. You point to it as a proxy server and then you can display the traffic in the Fiddler application itself. This kind of tool can help a lot when performing security analysis, such as penetration testing a web application (you can alter what's being sent back to a web server without having to code up a web page), but it can also be useful when troubleshooting why a given application isn't working.

One such application is SQL Server Reporting Services. If you're connecting via Windows authentication and Reporting Services is installed on a different server than SQL Server, you have a double-hop situation (one hop between the client and the SSRS server and a second hop between the SSRS server and SQL Server). That leads to a failure when NTLM is used because it doesn't support a double hop. Kerberos does, when properly configured. When it's not, clients tend to drop back to NTLM... thereby leading to a failure. Fiddler can help you spot whether or not the initial connection to the web server is via NTLM or Kerberos. How does this help troubleshoot a Reporting Services issue? Well, if the issue is a security one where you're seeing NT Authority\Anonymous Logon on the SQL Server side, understanding how the client is connecting to the web server tells us where to start looking for issues.

If it's connecting via NTLM, you need to look at the client and the SSRS server to determine what is misconfigured. The client may be set to only pass credentials automatically when the server is in the Intranet zone, and the client may not recognize the server as being in the Intranet zone. The client may be set up so that it doesn't use Integrated Windows Authentication (this is the default with IE 6 SP1, unfortunately). The NTAuthenticationProviders setting for the web site may not be set to use Negotiate, which is Kerberos. These are some of the more likely possibilities.

If the connection is being made with Kerberos, then that means the connection between the SSRS server and the SQL Server is likely where the issue is. In that case it could be that the web server isn't set up to allow delegation in Active Directory; that the application pool identity isn't set up to delegate within Active Directory (if Network Service is used, this is the computer account itself, which the first setting takes care of); that, if the application pool identity isn't Network Service, it may not have a Service Principal Name (SPN) for HTTP; that, if you're using a common name that's different from the actual server name, an SPN for that name might be required; or that the SQL Server doesn't have a properly registered SPN.

Now, can you get the same information using a network sniffer? Yes. However, using Fiddler may be easier for those who aren't experienced with dealing with packet traces.
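As an added example (not from the original post), here is a small Python classifier that does in code what the post does by eye in Fiddler: it base64-decodes each Authorization / WWW-Authenticate token found in a raw HTTP capture and reports whether it carries NTLM or Kerberos, including the case where NTLM rides under the Negotiate scheme. The capture text, tokens and host name are constructed samples, not real traffic.

```python
import base64
import re

# Byte signatures seen after base64-decoding an auth token. The OIDs are
# the standard GSS mechanism identifiers, DER-encoded (tag 0x06 + length).
NTLMSSP_SIG = b"NTLMSSP\x00"   # header of every raw NTLM message (base64 "TlRMTVNT...")
GSS_TOKEN_TAG = 0x60           # DER tag of a GSS-API InitialContextToken (base64 "YI...")
OID_KRB5 = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"         # 1.2.840.113554.1.2.2
OID_MS_KRB5 = b"\x06\x09\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"      # 1.2.840.48018.1.2.2
OID_NTLMSSP = b"\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"  # 1.3.6.1.4.1.311.2.2.10

HEADER_RE = re.compile(
    r"^(?:Authorization|WWW-Authenticate):\s*(Negotiate|NTLM)\s+(\S+)", re.I | re.M)

def classify_token(token_b64: str) -> str:
    """Return 'ntlm', 'kerberos' or 'unknown' for one base64 auth token."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:           # binascii.Error is a ValueError subclass
        return "unknown"
    if raw.startswith(NTLMSSP_SIG):
        return "ntlm"            # bare NTLM, even when the scheme says 'Negotiate'
    if raw and raw[0] == GSS_TOKEN_TAG:
        if OID_KRB5 in raw or OID_MS_KRB5 in raw:
            return "kerberos"    # SPNEGO token offering a Kerberos mechanism
        if OID_NTLMSSP in raw:
            return "ntlm"        # SPNEGO wrapper that only offers NTLMSSP
    return "unknown"

def classify_capture(capture: str) -> list:
    """Classify every auth header in a raw HTTP capture as (scheme, result)."""
    return [(scheme, classify_token(tok)) for scheme, tok in HEADER_RE.findall(capture)]

# Constructed sample tokens (not real captures): just enough bytes to carry
# the signatures the classifier keys on.
def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()

NTLM_TYPE1 = _b64(NTLMSSP_SIG + b"\x01\x00\x00\x00" + b"\x00" * 28)
KRB_TOKEN = _b64(b"\x60\x82\x04\x00\x06\x06\x2b\x06\x01\x05\x05\x02" + OID_KRB5 + b"\x00" * 8)

SAMPLE_CAPTURE = f"""GET /Reports/ HTTP/1.1
Host: ssrs.example.internal
Authorization: Negotiate {NTLM_TYPE1}

GET /Reports/ HTTP/1.1
Host: ssrs.example.internal
Authorization: Negotiate {KRB_TOKEN}
"""
```

The first request above decodes to a token starting "TlRMTVNT" (NTLM under Negotiate, the fallback the post describes); the second starts "YII", the SPNEGO/Kerberos shape.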


K. Brian Kelley - Databases, Infrastructure, and Security

IT Security, MySQL, Perl, SQL Server, and Windows technologies.
