PLEASE NOTE: To remove the “route add” entry, issue the command “route add <IP Address of the server that you are on>”
Note that each packet going from the server to itself will appear twice ... once exiting the server on its way to the router, once returning from the router on its way back to the server. You can ‘post-process’ the capture to eliminate the duplicate packets (i.e. don't display the packets where the source Ethernet address matches the router).
In Netmon 3.x you can use a Display Filter constructed similar to:
HTTP and Ethernet.SourceAddress == 0x010203040506
For Wireshark you can use the following display filter:
(tcp.port == 80) && (eth.src == 01:02:03:04:05:06)
You will need to replace the 0x010203040506 or the 01:02:03:04:05:06 with the MAC address of your web server.
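The following PowerShell is an added example, not part of the original post: it reads the server's own MAC address from the adapter, builds both display filters in the formats shown above (Netmon wants a 0x-prefixed hex string, Wireshark a colon-separated one), and optionally post-processes a saved capture with tshark so that only the copy of each packet that left the server is kept. It assumes the interface alias you pass exists (check with Get-NetAdapter), that the capture is a file tshark can read, and that a recent tshark.exe is on the PATH.

```powershell
# Added example (not from the original post). Builds the Netmon and Wireshark display
# filters from the server's MAC address and, optionally, runs tshark to write a capture
# that keeps only the frames whose Ethernet source is the server (the reflected copy
# coming back from the router is dropped, so each packet appears once).
# Assumptions: $InterfaceAlias names an existing adapter; tshark.exe is on the PATH.

function Get-LoopbackTraceFilters {
    param(
        [Parameter(Mandatory)][string]$InterfaceAlias,   # e.g. 'Ethernet'
        [int]$Port = 80                                  # use 443 for an HTTPS site
    )
    # Get-NetAdapter reports the MAC as 01-02-03-04-05-06
    $mac = (Get-NetAdapter -Name $InterfaceAlias).MacAddress
    $hex = $mac -replace '[-:]', ''
    [pscustomobject]@{
        Mac       = $mac
        Netmon    = "HTTP and Ethernet.SourceAddress == 0x$hex"
        Wireshark = "(tcp.port == $Port) && (eth.src == $($mac -replace '-', ':'))"
    }
}

function Export-ServerSideFrames {
    param(
        [Parameter(Mandatory)][string]$CapturePath,      # capture taken on the server
        [Parameter(Mandatory)][string]$OutputPath,       # de-duplicated output file
        [Parameter(Mandatory)][string]$WiresharkFilter   # from Get-LoopbackTraceFilters
    )
    # -r reads the saved capture, -Y applies the display filter, -w writes the
    # surviving frames to a new capture file.
    & tshark -r $CapturePath -Y $WiresharkFilter -w $OutputPath
    if ($LASTEXITCODE -ne 0) { throw "tshark failed with exit code $LASTEXITCODE" }
}

# Usage (interface name and file names are placeholders):
# $f = Get-LoopbackTraceFilters -InterfaceAlias 'Ethernet'
# $f.Netmon      # paste into Netmon 3.x
# $f.Wireshark   # paste into Wireshark
# Export-ServerSideFrames -CapturePath .\loopback.pcapng -OutputPath .\deduped.pcapng -WiresharkFilter $f.Wireshark
```

Keeping frames by source MAC rather than dropping frames by the router's MAC has the same effect in this two-hop setup but avoids having to look up the router's address first.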
4. Start the network capture.
5. Access the share on the test computer from the test computer (i.e. from itself, to itself).
6. Stop the network capture.
7. Review the network trace.
You should see the following sequence in the trace:
i. A GET request
ii. An HTTP 401 Unauthorized response with “WWW-Authenticate:Negotiate” in the HTTP header
iii. A second GET request with NTLM authentication
Here is the workaround:
To allow a client application to use Kerberos in this scenario, perform the following steps.
1. Create an alias (CNAME) host record for the machine with a name that is unique in the forest. This can be accomplished using the DNS snap-in: expand the forward lookup zone for the domain which contains the web server, right-click the domain name and select New Alias (CNAME)…
2. Register SPNs for the alias on the computer object. You can use Setspn to register an SPN, formatted similar to “Setspn -A HTTP/<alias_you_registered_in_DNS> <webservername>”
3. When accessing the machine with a browser use the alias. This will allow Kerberos to be utilized even if the client resides on the server.
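The script below is an added example that is not part of the original post; it carries the three workaround steps through in PowerShell and adds the checks an administrator would run afterwards. It assumes you run it as a domain administrator on a host with the DnsServer RSAT module, and the zone, server and alias names are placeholders to be replaced with your own.

```powershell
# Added example (not from the original post). Automates the CNAME + SPN workaround
# and verifies it. Assumptions: run as a domain admin; the DnsServer module is
# available; $Zone, $WebServer and $Alias are placeholder names.

$Zone      = 'corp.example'     # forward lookup zone that holds the web server's A record
$WebServer = 'WEBSRV01'         # the web server's host name / computer account
$Alias     = 'intranet'         # new alias, unique within the forest

# Step 1: CNAME alias pointing at the server's real host record
Add-DnsServerResourceRecordCName -ZoneName $Zone -Name $Alias -HostNameAlias "$WebServer.$Zone"

# Step 2: register HTTP SPNs for the alias on the computer account.
# The post uses "setspn -A"; -S does the same but first checks the forest for a
# duplicate SPN, which is a common reason Kerberos quietly falls back to NTLM.
setspn -S "HTTP/$Alias" $WebServer
setspn -S "HTTP/$Alias.$Zone" $WebServer

# Verify the SPNs are on the account and the alias resolves
setspn -L $WebServer
Resolve-DnsName -Name "$Alias.$Zone" -Type CNAME

# Step 3: browse to http://$Alias from the server itself, then confirm that a
# Kerberos service ticket for the alias is in the ticket cache.
klist | Select-String "HTTP/$Alias"
```

If klist shows no HTTP/<alias> ticket after browsing, repeat the trace procedure above with the alias in the URL: a 401 followed by an NTLM-authenticated GET points to an SPN problem (missing, duplicated, or registered on the wrong account), while a direct 200 after the Negotiate challenge indicates Kerberos was used.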
References
http://msdn.microsoft.com/en-us/library/aa378748(VS.85).aspx
I hope this has been enlightening.
Best regards,
Todd Maxey