When you are using the latest version of Windows 7 or Windows Server 2008 R2 based systems, not everything happens in the right way. There are many features in this version of Windows that create problems for the users. One feature that is available in systems based on Windows 7 or Windows Server 2008 R2 is Extended Protection for Integrated Authentication that further supports Channel Binding Token. However, due to the availability of support for Channel Binding Token, non-windows NTLM or Kerberos-based servers cannot authenticate the system. If your system is facing this problem then here you can find useful information to deal away with this problem.

Various errors due to Extended Protection for Integrated Authentication

As mentioned above, the system is not able to get authentication from non-windows based Kerberos Servers. In addition to this, the system fails to get NTML authentication from proxy servers and non-windows NTLM servers. It is true that a user may come across these different problems but the root cause for all of them is same. If you want to get rid of all these problems, there is a way for it as well. However, before discussing the solution to the problem you should know why this problem occurs. In such technical problems, it is important to know the reason behind them. This is because if you know the cause of the problem can easily find a way to solution from it.

Root cause of the problem

In systems based on Windows 7 or Windows Server 2008 R2, a feature is present known as Extended Protection for Integrated Authentication that further increases the security in the system. This feature authenticates incoming network connections very strictly by using Integrated Windows Authentication or IWA. In systems where the feature is available is set to ON by default and thus you will experience problems like non-authentication by non-windows NTML or Kerberos-based servers.

It has been seen that in such systems whenever an attempt is made by client to establish a connection with server, the request sent for authentication bounds to Service Principal Name. In addition, these systems disable the option of LMv2 and authentication problems become more prominent.

How to solve the issue

If you want to deal away with this problem then there are two different ways. One way is to check for vendors that are compatible with these versions of servers. For instance, if you are experiencing a problem as the non-windows NTLM server or proxy server requires LMv2 you should look out for vendors who offer the option of LMv2.

One other way by which you can get rid of this problem is by making few changes to the registry of the system. However, this can cause serious damage to your system if done incorrectly. If you wish to adopt this method then handle it carefully.

Summary: if you are using Windows 7 or Windows Server 2008 R2 on your systems then problems like non-authentication of Kerberos-based servers may take place. Two different ways are used to solve this problem and the choice of the method depends entirely on the user.