How to fix validating identity issue
Here we see that the website requires authentication, because the web server responded with a “401 Unauthorized”.
We can also see that the web server supports the authentication types “WWW-Authenticate: Negotiate” and “WWW-Authenticate: NTLM”.
In the detail pane I have highlighted packet 79, where the Authorization data is provided. The NTLM credentials being passed are domain FABRIKAM and user account Administrator, from host XPPRO02.
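The same check can be done outside the capture tool. The following is an added example, not code from the original post: it lists the schemes a 401 response offers and decodes an Authorization header to tell Kerberos from NTLM, pulling the domain, user and workstation out of an NTLM type 3 message. The function names are illustrative, the header values are constructed samples, and the NTLM message is assumed to carry its NegotiateFlags field at offset 60.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"
KRB5_OID = bytes.fromhex("2a864886f712010202")  # DER body of 1.2.840.113554.1.2.2

def offered_schemes(headers):
    """Auth schemes advertised by a 401 response's WWW-Authenticate headers."""
    return [v.split()[0] for k, v in headers
            if k.lower() == "www-authenticate" and v.split()]

def _buffer(msg, pos, codec):
    # Security buffer: length (2), allocated (2), payload offset (4)
    length, _, start = struct.unpack_from("<HHI", msg, pos)
    if start + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[start:start + length].decode(codec)

def classify_authorization(value):
    """Say whether an Authorization header carried Kerberos or NTLM."""
    scheme, _, b64 = value.strip().partition(" ")
    token = base64.b64decode(b64.strip(), validate=True)
    if not token.startswith(NTLMSSP):
        # SPNEGO tokens are ASN.1 and start with 0x60; look for the Kerberos OID
        krb = token[:1] == b"\x60" and KRB5_OID in token
        return {"scheme": scheme, "mechanism": "Kerberos" if krb else "unknown"}
    info = {"scheme": scheme, "mechanism": "NTLM",
            "type": struct.unpack_from("<I", token, 8)[0]}
    if info["type"] == 3 and len(token) >= 64:
        # Assumption: NegotiateFlags is present at offset 60; bit 0 means Unicode
        flags = struct.unpack_from("<I", token, 60)[0]
        codec = "utf-16-le" if flags & 0x1 else "ascii"
        info.update(domain=_buffer(token, 28, codec),
                    user=_buffer(token, 36, codec),
                    workstation=_buffer(token, 44, codec))
    return info

def build_sample_type3(domain, user, workstation):
    """Constructed type 3 message with empty responses, for this demo only."""
    names = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    header, payload = b"", b""
    for part in [b"", b""] + names + [b""]:  # LM, NT, names, session key
        header += struct.pack("<HHI", len(part), len(part), 64 + len(payload))
        payload += part
    msg = NTLMSSP + struct.pack("<I", 3) + header + struct.pack("<I", 0x1) + payload
    return "NTLM " + base64.b64encode(msg).decode()

if __name__ == "__main__":
    print(offered_schemes([("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")]))
    print(classify_authorization(build_sample_type3("FABRIKAM", "Administrator", "XPPRO02")))
```

A token that classifies as NTLM on a site that offers Negotiate means the client did not obtain a Kerberos ticket for the site and fell back.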
So here is what we find when I run a query searching for http/webapp*. This is good: it tells us that no accounts in the forest have that Service Principal Name.
However, if it does not, it responds to the client with a list of the authentication protocols it supports in the HTTP header. The client attempts to get a Kerberos ticket for the website (from a domain controller) if the website supports Negotiate authentication. The client then connects to the website and passes its credentials in the HTTP header.
Remember, we ran “ipconfig /flushdns” so that we can see name resolution on the wire.
We want to use Kerberos authentication with a web application. The web application is using a web application pool.
This web application pool's identity is a domain user account (FABRIKAM\Kerb Svc) because at a future time they will be front-ending the web servers with a network load balancer.
For Kerberos authentication to work with IIS, we must see Negotiate offered as an authentication method.