Benjamin Perkins (aka @csharpguitar)

Why am I getting this challenge response popup?

Real quick: the reason for the credential pop-up is that the URL you are accessing is not in Internet Explorer's Local Intranet zone, as shown in Figures 6a and 6b! By default the Internet zone's user authentication setting is "Automatic logon only in Intranet zone", so for a site outside the Local Intranet zone IE prompts for credentials instead of silently sending the logged-on user's Kerberos ticket (or NTLM response).

I set up a domain and did some learning on Kerberos.

The first lesson I learned while working towards a better understanding of Kerberos was some NTLM internals. This is because after configuring IIS to use Negotiate, as shown in Figure 1, when I accessed the IIS server from a client, the client and server negotiated NTLM instead of Kerberos. So I had to find out why. What I am confident was happening was caused by the account I was using: I was using an Administrator account which had a match in the SAM database on the client. I learned some good NTLM information here.
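To tell from a trace whether the client actually sent Kerberos or fell back to NTLM, you can look at the token in the Authorization: Negotiate header rather than guessing from the provider list. The script below is an added example, not code from the original post: it decodes the base64 token and reports whether it is a raw NTLM message or a SPNEGO NegTokenInit, and for SPNEGO which mechanism is listed first in mechTypes (the one the optimistic mechToken was built with). The three sample tokens are constructed by hand for the demo, not real captures; the SPNEGO ones are minimal but well-formed NegTokenInit structures carrying only mechTypes.

```powershell
# Added example (not from the original post): classify the token in an
# "Authorization: Negotiate <base64>" header as raw NTLM, SPNEGO preferring
# Kerberos, or SPNEGO preferring NTLM.

# DER encodings of the OIDs that show up in a SPNEGO NegTokenInit.
$Oids = @{
    Spnego  = [byte[]](0x06,0x06,0x2B,0x06,0x01,0x05,0x05,0x02)                       # 1.3.6.1.5.5.2
    Krb5    = [byte[]](0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x12,0x01,0x02,0x02)        # 1.2.840.113554.1.2.2
    MsKrb5  = [byte[]](0x06,0x09,0x2A,0x86,0x48,0x82,0xF7,0x12,0x01,0x02,0x02)        # 1.2.840.48018.1.2.2
    NtlmSsp = [byte[]](0x06,0x0A,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0A)   # 1.3.6.1.4.1.311.2.2.10
}

function Find-ByteSequence {
    param([byte[]]$Haystack, [byte[]]$Needle)
    # Offset of the first occurrence of $Needle in $Haystack, or -1 if absent.
    for ($i = 0; $i -le $Haystack.Length - $Needle.Length; $i++) {
        $match = $true
        for ($j = 0; $j -lt $Needle.Length; $j++) {
            if ($Haystack[$i + $j] -ne $Needle[$j]) { $match = $false; break }
        }
        if ($match) { return $i }
    }
    return -1
}

function Get-NegotiateMechanism {
    param([Parameter(Mandatory)][string]$AuthorizationHeader)
    # Accepts "Negotiate <base64>" or just the base64 value.
    $b64   = ($AuthorizationHeader -replace '^\s*Negotiate\s+', '').Trim()
    $bytes = [Convert]::FromBase64String($b64)

    # Raw NTLM: the message starts with the 8-byte signature "NTLMSSP\0".
    $ntlmSig = [byte[]]([System.Text.Encoding]::ASCII.GetBytes('NTLMSSP') + [byte[]](0x00))
    if ((Find-ByteSequence $bytes $ntlmSig) -eq 0) { return 'NTLM (raw NTLMSSP message)' }

    # SPNEGO: [APPLICATION 0] wrapper (0x60) followed by the SPNEGO OID.
    if ($bytes.Length -eq 0 -or $bytes[0] -ne 0x60 -or (Find-ByteSequence $bytes $Oids.Spnego) -lt 0) {
        return 'Unknown token format'
    }

    # mechTypes is a SEQUENCE OF OID in preference order; the lowest offset wins.
    $candidates = @(
        @(
            [pscustomobject]@{ Name = 'Kerberos'; Offset = (Find-ByteSequence $bytes $Oids.Krb5) },
            [pscustomobject]@{ Name = 'Kerberos'; Offset = (Find-ByteSequence $bytes $Oids.MsKrb5) },
            [pscustomobject]@{ Name = 'NTLM';     Offset = (Find-ByteSequence $bytes $Oids.NtlmSsp) }
        ) | Where-Object { $_.Offset -ge 0 } | Sort-Object Offset
    )
    if ($candidates.Count -eq 0) { return 'SPNEGO (no recognised mechanism)' }
    return "SPNEGO preferring $($candidates[0].Name)"
}

# Constructed sample 1: NegTokenInit whose mechTypes lists MS Kerberos, then Kerberos.
$kerbFirst = [byte[]]([byte[]](0x60,0x26, 0x06,0x06,0x2B,0x06,0x01,0x05,0x05,0x02,
                               0xA0,0x1C, 0x30,0x1A, 0xA0,0x18, 0x30,0x16) + $Oids.MsKrb5 + $Oids.Krb5)
# Constructed sample 2: NegTokenInit whose mechTypes lists NTLMSSP first, then Kerberos.
$ntlmFirst = [byte[]]([byte[]](0x60,0x27, 0x06,0x06,0x2B,0x06,0x01,0x05,0x05,0x02,
                               0xA0,0x1D, 0x30,0x1B, 0xA0,0x19, 0x30,0x17) + $Oids.NtlmSsp + $Oids.Krb5)
# Constructed sample 3: start of a raw NTLM NEGOTIATE_MESSAGE (type 1), truncated.
$rawNtlm = [byte[]]([System.Text.Encoding]::ASCII.GetBytes('NTLMSSP') +
                    [byte[]](0x00, 0x01,0x00,0x00,0x00, 0x07,0x82,0x08,0xA2))

foreach ($sample in @(
        @{ Label = 'kerberos-first'; Token = $kerbFirst },
        @{ Label = 'ntlm-first';     Token = $ntlmFirst },
        @{ Label = 'raw-ntlm';       Token = $rawNtlm })) {
    $header = 'Negotiate ' + [Convert]::ToBase64String($sample.Token)
    '{0,-14} {1}' -f $sample.Label, (Get-NegotiateMechanism $header)
}
```

Paste the header value out of a Network Monitor or Fiddler capture into Get-NegotiateMechanism. Two quick cross-checks: a real Kerberos token is large (the AP-REQ carries the service ticket, so the base64 is typically over a kilobyte and starts with "YII"), while a raw NTLM token starts with "TlRMTVNT"; and on the client, `klist` should list a ticket for the HTTP/<fqdn> SPN after a successful Kerberos request. On the server side, `%windir%\system32\inetsrv\appcmd.exe list config "Default Web Site" /section:windowsAuthentication` shows which providers are enabled and in what order.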

Figure 1, configure Kerberos (negotiate) on IIS

In my lab I had my own CONTOSO domain and created a new account. When I used this account, I was able to see that Kerberos was being used. Once I got Kerberos to be used, I got the issue where I had to log in once per browser session. That is, I would access the server URL, get prompted for my credentials, enter them and then I had access to the web site. So Kerberos wasn't failing; I was just getting that credential popup, which was not desired. See the following figures:

Figure 2, client request using the fully qualified domain name (FQDN)

Figure 3, client request sending the Authorization: Negotiate header

Figure 4, Network Monitor trace showing the SPN for my Kerberos request

Figure 5, challenge response pop-up; Kerberos authentication works after entering credentials

Once I added the FQDN to the Local Intranet zone in the client browser, as shown in Figure 6, I no longer had to enter the credentials for Kerberos authentication to work.

Figure 6a, add the FQDN to the Local Intranet sites, IE 10

Figure 6b, add the FQDN to the Local Intranet sites, IE 11

Figure 6c, add the FQDN to the Local Intranet sites, IE 11

Figure 7, add the FQDN to the Local Intranet sites, IE 11
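The dialogs in Figures 6 and 7 write the site-to-zone mapping into the current user's registry, which is handy when you want to check a client (or fix a fleet) without clicking through Internet Options. The script below is an added example, not code from the original post: it reads the ZoneMap to see which zone a host is assigned to, maps it to the Local Intranet zone if needed, and reports the zone's logon policy (URL action 1A00) so you can see why the prompt appeared. The host name web01.contoso.com is an assumed lab name, and the layout of the ZoneMap keys (registrable domain as the key, remaining labels as a subkey) is the one IE writes for host.domain.tld names.

```powershell
# Added example (not from the original post): inspect and set the Local Intranet
# zone mapping for a host for the current user.

$ZoneMapRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ZonesRoot     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$LocalIntranet = 1   # zone ids: 0 My Computer, 1 Local Intranet, 2 Trusted, 3 Internet, 4 Restricted

function Get-ZoneMapPath {
    param([string]$HostName)
    # ZoneMap is keyed by registrable domain with the host as a subkey, e.g.
    # ...\Domains\contoso.com\web01 for web01.contoso.com (assumed layout for deeper names).
    $parts = $HostName.ToLower().Split('.')
    if ($parts.Count -lt 3) { return (Join-Path $ZoneMapRoot $HostName.ToLower()) }
    $domain   = ($parts[-2], $parts[-1]) -join '.'
    $hostPart = ($parts[0..($parts.Count - 3)]) -join '.'
    return (Join-Path (Join-Path $ZoneMapRoot $domain) $hostPart)
}

function Get-SiteZone {
    param([string]$HostName, [string]$Scheme = 'http')
    # Zone id mapped for $Scheme://$HostName, or $null when the site is unmapped.
    $path = Get-ZoneMapPath $HostName
    if (-not (Test-Path $path)) { return $null }
    $item = Get-ItemProperty -Path $path
    foreach ($name in @($Scheme, '*')) {          # '*' means "all schemes"
        if ($item.PSObject.Properties[$name]) { return [int]$item.$name }
    }
    return $null
}

function Add-SiteToLocalIntranet {
    param([string]$HostName, [string]$Scheme = 'http')
    $path = Get-ZoneMapPath $HostName
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # The value name is the scheme; the DWORD value is the zone id.
    New-ItemProperty -Path $path -Name $Scheme -Value $LocalIntranet -PropertyType DWord -Force | Out-Null
}

function Get-ZoneLogonPolicy {
    param([int]$ZoneId)
    # URL action 1A00 (credentials use) for the zone:
    #   0x00000 automatic logon with current user name and password
    #   0x10000 prompt for user name and password
    #   0x20000 automatic logon only in Intranet zone
    #   0x30000 anonymous logon
    $v = (Get-ItemProperty -Path (Join-Path $ZonesRoot $ZoneId) -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    switch ($v) {
        0       { 'automatic logon with current credentials' }
        0x10000 { 'prompt for user name and password' }
        0x20000 { 'automatic logon only in Intranet zone' }
        0x30000 { 'anonymous logon' }
        default { "not set in HKCU (value: $v)" }
    }
}

$site = 'web01.contoso.com'   # assumed lab host name
$zone = Get-SiteZone $site
if ($zone -ne $LocalIntranet) {
    "$site is not in the Local Intranet zone (mapped zone: $zone); adding it."
    Add-SiteToLocalIntranet $site
}
"Zone for $site is now: $(Get-SiteZone $site)"
"Internet zone logon policy (1A00):       $(Get-ZoneLogonPolicy 3)"
"Local Intranet zone logon policy (1A00): $(Get-ZoneLogonPolicy 1)"
```

If the Sites dialog is greyed out, the mapping is being pushed by Group Policy ("Site to Zone Assignment List") and lives under the Policies keys instead, so edit the policy rather than HKCU. Keep in mind what the mapping means: IE will hand the logged-on user's credentials to any host in the Local Intranet zone without asking, and if Kerberos is not available that will be an NTLM challenge/response, so only map hosts you control and prefer https for the scheme.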