IIS Kerberos Issue.
Hi,

I have Kerberos authentication turned on for one of our internal web sites. I have fulfilled all of the prerequisites (SPN, IE integrated authentication, and correct security zone).

When I try to authenticate to the site from a Windows Server 2003 machine the authentication works fine. I have also found some XP workstations that work fine. I can see in the Wireshark dumps that Kerberos is being used. I have tried to access the site from 3 other Windows XP workstations and it generates an internal server error.

I used the monitoring tool in the Authentication & Access Control Diagnostics tool and I can see the error happening:

Successful login:
<AuthMonRow Number="64" tid="0xae4" Date="09/29/2009 23:15:19.294" Name="AcceptSecurityContext" Result="0x0" ContextAttr="0x802" Package="Kerberos" UserName="REMOVED" ClientName="REMOVED" ServerName="REMOVED" time_taken="63 ms" />

Failed login:
<AuthMonRow Number="53" tid="0x254" Date="09/29/2009 23:15:15.872" Name="AcceptSecurityContext" Result="0x80090300" ContextAttr="0x0" Package="" UserName="" ClientName="" ServerName="" time_taken="0 ms" />

I looked up the AcceptSecurityContext function and found that the error result is "SEC_E_INSUFFICIENT_MEMORY - The function failed. There is not enough memory available to complete the requested action."
http://msdn.microsoft.com/en-us/library/aa374703%28VS.85%29.aspx

I know that can't be the case; the same user was used on both attempts, and the authentication header was smaller on the failed login.

Anyone have some insight\help?

Thanks,
Dwayne.
September 30th, 2009 6:32pm
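
A small triage helper for AuthMon output like the two rows quoted in the post above. This is an added example, not code from the thread; the function names are made up here, and the status table is a subset of the SSPI codes defined in the Windows SDK headers.

```python
import re

# Subset of SSPI status codes (Windows SDK winerror.h) seen around AcceptSecurityContext.
SSPI_STATUS = {
    0x00000000: "SEC_E_OK",
    0x00090312: "SEC_I_CONTINUE_NEEDED",
    0x80090300: "SEC_E_INSUFFICIENT_MEMORY",
    0x80090301: "SEC_E_INVALID_HANDLE",
    0x80090304: "SEC_E_INTERNAL_ERROR",
    0x80090308: "SEC_E_INVALID_TOKEN",
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x80090311: "SEC_E_NO_AUTHENTICATING_AUTHORITY",
}

ROW_RE = re.compile(r"<AuthMonRow\b(.*?)/>", re.S)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

# The two rows quoted in the post (names were already redacted there).
SAMPLE = '''
<AuthMonRow Number="64" tid="0xae4" Date="09/29/2009 23:15:19.294" Name="AcceptSecurityContext" Result="0x0" ContextAttr="0x802" Package="Kerberos" UserName="REMOVED" ClientName="REMOVED" ServerName="REMOVED" time_taken="63 ms" />
<AuthMonRow Number="53" tid="0x254" Date="09/29/2009 23:15:15.872" Name="AcceptSecurityContext" Result="0x80090300" ContextAttr="0x0" Package="" UserName="" ClientName="" ServerName="" time_taken="0 ms" />
'''

def parse_rows(text):
    """Return one attribute dict per <AuthMonRow .../> element found in text."""
    return [dict(ATTR_RE.findall(m.group(1))) for m in ROW_RE.finditer(text)]

def triage(row):
    """Decode the Result status of one row and note which package handled it."""
    code = int(row["Result"], 16)
    return {
        "number": int(row["Number"]),
        "call": row["Name"],
        "status": SSPI_STATUS.get(code, "UNKNOWN_0x%08X" % code),
        # SSPI statuses are HRESULT-style: the high bit marks an error.
        "failed": (code & 0x80000000) != 0,
        # An empty Package attribute means the row names no security package.
        "package": row.get("Package") or None,
    }

def failures(text):
    """Rows whose Result is an error status, in log order."""
    return [t for t in map(triage, parse_rows(text)) if t["failed"]]

if __name__ == "__main__":
    for f in failures(SAMPLE):
        print(f)
```

Run over AuthMon output captured while a working client and a failing client each make a request, it shows which calls failed, with what status, and whether a package was recorded for them.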

Anyone?
October 1st, 2009 5:50pm

Hi,

This question is more related to IIS settings. In order to solve this issue in a timely manner, I suggest you initiate a new post in the IIS forum; they are the best resource for this kind of issue.

The Official Microsoft IIS Site
http://forums.iis.net/

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights.
October 5th, 2009 11:10am

Hi,

I know it's been a while. This issue still hasn't been resolved, and I don't believe that it's related to any IIS settings.

It turns out that authentication fails if the user is a member of too many groups, but this failure only happens on select machines. For example, my domain admin account can authenticate via negotiate: kerberos fine from one computer but not from another one with identical hardware. I've verified that the problem isn't with MaxTokenSize or the field length restrictions in IIS.

This problem also occurs when authenticating from the same problematic clients to IIS 7 on Server 2008; the original server was 2003 std. running IIS 6. Another symptom that should be mentioned is that if I use wfetch on a client computer that cannot authenticate, it works.

In the process of troubleshooting this issue I enabled trace logging in Internet Explorer to see if it would shed any light on the problem, as per http://support.microsoft.com/default.aspx/kb/884931

I compared the data that was sent by Internet Explorer in this log to the TCP data that I can see in Wireshark and it looks like there is missing data.

I don't know what else to look at. Any help would be appreciated.

Dwayne.
February 8th, 2010 8:14pm

This topic is archived. No further replies will be accepted.
