Daniel Doubrovkine bio photo

Daniel Doubrovkine

aka dB., @awscloud, former CTO @artsy, +@vestris, NYC

Email Twitter LinkedIn Github Strava
Creative Commons License


I’ve often faced puzzling integrated authentication failures on Windows with WAFFLE. The usual suspects are the logon attempt failed errors. Most of the time I’d try to run the server as a different user (localsystem, a domain user, etc.) and hope for the best. Things get quickly complicated with domain trusts, user accounts enabled for delegation, machine accounts enabled for delegation, plus the fact that the Negotiate protocol selects Kerberos vs. NTLM based on a clever client-server exchange amongst the three inseparable friends – the client, the server and one of the domain controllers distributed across five continents. The amount of possible combinations usually makes me sleepy and I realize that I easily give up.

Fortunately this is open-source software and where I fail others can pickup the ball. A thread had a Negotiate problem that smelled pretty bad, so I basically told @dorlov that he’s on his own and “good luck with that”. Russians don’t seem to give up, so he solved his problem and assembled a few nice links that will help you troubleshoot issues with Kerberos and NTLM.

Troubleshooting Kerberos

Troubleshooting NTLM

Useful KBs