|
|
You're in the
iis security
group:Windows Authentication problem with IIS6 (Win2k3)
iis security:
this under older versions of IIS, but I can't seem to get it to work right in IIS6. We have a Windows 2003 Domain (pure 2K3). I want to use Windows Authentication for our Intranet applications that we write using ASP.NET. I believe the problem to be something related to the Kerberos technology, but I don't know enough about it to resolve my issue. Basically, when I enable Integrated Windows Authentication as the Authentication method for my application, users (who are logged on locally to the same network as the web server) are prompted for a login and password. After entering the username and password and clicking OK, the login dialog reappears, asking for the info again (even though it's still filled in). Clicking OK again and the same thing happens. The third time you click OK, you get the following error: - HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration. Internet Information Services (IIS) Checking the Event log, under the Security category, multiple entries of the following exists: Error Event ID: 529 - Failure Audit Logon Failure: Reason: Unknown user name or bad password User Name: Domain: Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: - Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 172.16.87.77 Source Port: 0 First off - why is the browser prompting for a login name and password in the first place? Shouldn't integrated windows authentication use their Windows credentials? Oh yeah - I have checked - their browsers DO have the Enable Integrated Windows Authentication setting checked in their browser (which is IE6) advanced settings. Secondly, I know I am not typing a bad username or password - it's the same one I use to log on to Windows in the first place. At first I thought the account was locked out, but that wasn't it. After spending several hours trying to find some help on the web and in the MS knowledgebase, I came across a couple of articles (mostly relating to Windows 2000) that talked about Kerberos and Delegation. One article talked about ensuring the computer can be trusted for delegation - so, in Active Directory, I changed the Computer Account for the Web server (on the Delegation tab) from "Do not trust this computer delegation" to "Trust this computer for delegation to any server (Kerberos only)". There is a third option, "Trust this computer for delegation to specified services only" where it then offers to Use Kerberos only or Any authentication protocol and you can define services for the account. Would that option make a difference? What services do I add underneath? I also tried another article suggestion, which was to modify the IIS MetaBase using the adsutil.vbs script to set the "Negotiate,NTLM" parameter. At first, neither option was set. Then I set both (Negotiate and NTLM). No change. Then tried just NTLM - still no luck. The same article discussed using the SetSPN resource kit tool to add the HTTP protocol, which I also did, and then I added HOST, but alas, neither setting helped. For some reason, I just can't seem to get Integrated Windows Authetication to work on this web server (Windows 2003 Web Edition). Basically, I am looking for a checklist of things I can check and doublecheck to see if there is a configuration setting that I am missing to get this to work. If I can provide any more information that I haven't included, please ask...
Jeff - Thank you SOOOOO much - your suggestion to check out the IIS
Operations Guide (which I didn't even know existed) led me to the page titled "Force NTLM Authentication". It showed how to open the IIS MetaBase.xml file in notepad and locate the NTAuthenticationProviders property. Once I found it, this is what it was set to: NTAuthenticationProviders=""Negotiate, NTLM"" * Note the double quotes on either end. The page talked about deleting Negotiate part, but I found that my error was actually caused by the double quotation marks - evidently left there by the adsutil.vbs script I had run previously. It "inserted" a quoted string inside the existing quotes - which caused IIS all sorts of grief. I removed the extra quotes, setting it to NTAuthenticationProviders="Negotiate, NTLM". Presto - it worked instantly. For good measure, I also tried NTAuthenticationProviders="NTLM". That also worked great. The only difference being that the dual provider caused the IE login dialog to appear, regardless of the IE setting regarding Enabling Integrated Windows Authentication. I have a hunch that may be related to that fact that my IIS Application Pool runs as a domain user and not as a local machine account, but I'll investigate further later. There was obviously a bit of luck involved in finding this error - I hope this post helps the next person to encounter this issue and saves them the frustrated I've gone through the past 24 hours. Still - I can't complain too much - I still prefer a tightly locked-down system that you have to open as opposed to previous IIS incarnations that are causing all kinds of security grievances. I sleep better at night knowing that if it took me this long to get something working, with full Administrator rights, documentation and access, script-kiddies have got their work cut out for them. :) - Dave [quoted text, click to view] "Jeff Cochran" <jeff.nospam@zina.com> wrote in message news:40ef76a7.1070541647@msnews.microsoft.com... > On Wed, 7 Jul 2004 12:31:50 -0600, "Dave Slinn" <dslinn@accesscomm.ca> > wrote: > > [ Answered inline ] > > >I have been wrestling with IIS6 security settings - I used to be able to do > >this under older versions of IIS, but I can't seem to get it to work right > >in IIS6. > > > >We have a Windows 2003 Domain (pure 2K3). I want to use Windows > >Authentication for our Intranet applications that we write using ASP.NET. > > > >I believe the problem to be something related to the Kerberos technology, > >but I don't know enough about it to resolve my issue. Basically, when I > >enable Integrated Windows Authentication as the Authentication method for my > >application, users (who are logged on locally to the same network as the web > >server) are prompted for a login and password. After entering the username > >and password and clicking OK, the login dialog reappears, asking for the > >info again (even though it's still filled in). Clicking OK again and the > >same thing happens. The third time you click OK, you get the following > >error: > > > > - HTTP Error 401.2 - Unauthorized: Access is denied due to server > >configuration. Internet Information Services (IIS) > > > >Checking the Event log, under the Security category, multiple entries of the > >following exists: > > > >Error Event ID: 529 - Failure Audit > > Logon Failure: > > Reason: Unknown user name or bad password > > User Name: > > Domain: > > Logon Type: 3 > > Logon Process: Kerberos > > Authentication Package: Kerberos > > Workstation Name: - > > Caller User Name: - > > Caller Domain: - > > Caller Logon ID: - > > Caller Process ID: - > > Transited Services: - > > Source Network Address: 172.16.87.77 > > Source Port: 0 > > > > > >First off - why is the browser prompting for a login name and password in > >the first place? Shouldn't integrated windows authentication use their > >Windows credentials? Oh yeah - I have checked - their browsers DO have the > >Enable Integrated Windows Authentication setting checked in their browser > >(which is IE6) advanced settings. > > But that doesn't mean IE will pass credentials. If IE suspects the > site is not in an intranet or trusted zone, it doesn't pass > credentials. Add your domain to the intranet security zone in IE. > > >Secondly, I know I am not typing a bad username or password - it's the same > >one I use to log on to Windows in the first place. At first I thought the > >account was locked out, but that wasn't it. > > Is the web server in the domain? I'm assuming it's a domain account > you use. > > >After spending several hours trying to find some help on the web and in the > >MS knowledgebase, I came across a couple of articles (mostly relating to > >Windows 2000) that talked about Kerberos and Delegation. > > > >One article talked about ensuring the computer can be trusted for > >delegation - so, in Active Directory, I changed the Computer Account for the > >Web server (on the Delegation tab) from "Do not trust this computer > >delegation" to "Trust this computer for delegation to any server (Kerberos > >only)". There is a third option, "Trust this computer for delegation to > >specified services only" where it then offers to Use Kerberos only or Any > >authentication protocol and you can define services for the account. Would > >that option make a difference? What services do I add underneath? > > > >I also tried another article suggestion, which was to modify the IIS > >MetaBase using the adsutil.vbs script to set the "Negotiate,NTLM" parameter. > >At first, neither option was set. Then I set both (Negotiate and NTLM). No > >change. Then tried just NTLM - still no luck. > > > >The same article discussed using the SetSPN resource kit tool to add the > >HTTP protocol, which I also did, and then I added HOST, but alas, neither > >setting helped. > > > >For some reason, I just can't seem to get Integrated Windows Authetication > >to work on this web server (Windows 2003 Web Edition). > > > >Basically, I am looking for a checklist of things I can check and > >doublecheck to see if there is a configuration setting that I am missing to > >get this to work. > > Have you looked at: > > http://www.iisfaq.com/Default.aspx?tabid=2531 > http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/sec_auth_aboutauth.mspx > > Jeff
On Wed, 7 Jul 2004 12:31:50 -0600, "Dave Slinn" <dslinn@accesscomm.ca>
[quoted text, click to view] wrote: [ Answered inline ] [quoted text, click to view] >I have been wrestling with IIS6 security settings - I used to be able to do >this under older versions of IIS, but I can't seem to get it to work right >in IIS6. > >We have a Windows 2003 Domain (pure 2K3). I want to use Windows >Authentication for our Intranet applications that we write using ASP.NET. > >I believe the problem to be something related to the Kerberos technology, >but I don't know enough about it to resolve my issue. Basically, when I >enable Integrated Windows Authentication as the Authentication method for my >application, users (who are logged on locally to the same network as the web >server) are prompted for a login and password. After entering the username >and password and clicking OK, the login dialog reappears, asking for the >info again (even though it's still filled in). Clicking OK again and the >same thing happens. The third time you click OK, you get the following >error: > > - HTTP Error 401.2 - Unauthorized: Access is denied due to server >configuration. Internet Information Services (IIS) > >Checking the Event log, under the Security category, multiple entries of the >following exists: > >Error Event ID: 529 - Failure Audit > Logon Failure: > Reason: Unknown user name or bad password > User Name: > Domain: > Logon Type: 3 > Logon Process: Kerberos > Authentication Package: Kerberos > Workstation Name: - > Caller User Name: - > Caller Domain: - > Caller Logon ID: - > Caller Process ID: - > Transited Services: - > Source Network Address: 172.16.87.77 > Source Port: 0 > > >First off - why is the browser prompting for a login name and password in >the first place? Shouldn't integrated windows authentication use their >Windows credentials? Oh yeah - I have checked - their browsers DO have the >Enable Integrated Windows Authentication setting checked in their browser >(which is IE6) advanced settings. But that doesn't mean IE will pass credentials. If IE suspects the site is not in an intranet or trusted zone, it doesn't pass credentials. Add your domain to the intranet security zone in IE. [quoted text, click to view] >Secondly, I know I am not typing a bad username or password - it's the same >one I use to log on to Windows in the first place. At first I thought the >account was locked out, but that wasn't it. Is the web server in the domain? I'm assuming it's a domain account you use. [quoted text, click to view] >After spending several hours trying to find some help on the web and in the >MS knowledgebase, I came across a couple of articles (mostly relating to >Windows 2000) that talked about Kerberos and Delegation. > >One article talked about ensuring the computer can be trusted for >delegation - so, in Active Directory, I changed the Computer Account for the >Web server (on the Delegation tab) from "Do not trust this computer >delegation" to "Trust this computer for delegation to any server (Kerberos >only)". There is a third option, "Trust this computer for delegation to >specified services only" where it then offers to Use Kerberos only or Any >authentication protocol and you can define services for the account. Would >that option make a difference? What services do I add underneath? > >I also tried another article suggestion, which was to modify the IIS >MetaBase using the adsutil.vbs script to set the "Negotiate,NTLM" parameter. >At first, neither option was set. Then I set both (Negotiate and NTLM). No >change. Then tried just NTLM - still no luck. > >The same article discussed using the SetSPN resource kit tool to add the >HTTP protocol, which I also did, and then I added HOST, but alas, neither >setting helped. > >For some reason, I just can't seem to get Integrated Windows Authetication >to work on this web server (Windows 2003 Web Edition). > >Basically, I am looking for a checklist of things I can check and >doublecheck to see if there is a configuration setting that I am missing to >get this to work. Have you looked at: http://www.iisfaq.com/Default.aspx?tabid=2531 http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/sec_auth_aboutauth.mspx
This is FAQ and is actually mentioned in documentation in the same section
that talks about how to configure Application Pool Identity. http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/ca_cfgwrkridentity.asp It happens in the following circumstance: 1. Application Pool Identity is Custom 2. Authentication Protocol is Integrated 3. Server is in a domain This, together with the default value of NtAuthenticationProviders of Negotiate,NTLM , causes the 401.1 to be returned. The fix, of course, is to either set NtAuthenticationProviders to be NTLM (to not trigger Kerberos), or use setspn to set a service name under the Custom AppPool Identity. Many people have asked this exact question, but really, there is not a lot that we can do other than give you documentation that should be read before using Custom App Pool Identity. I've also heard of many people getting tricked by the extra ""s being added to the property value when using ADSUTIL.VBS -- I've personally never had problems setting that property with or without ""s. -- //David IIS This posting is provided "AS IS" with no warranties, and confers no rights. // [quoted text, click to view] "David Slinn" <dslinn@accesscomm.ca> wrote in message Jeff - Thank you SOOOOO much - your suggestion to check out the IISnews:%23MarTFKZEHA.996@TK2MSFTNGP12.phx.gbl... Operations Guide (which I didn't even know existed) led me to the page titled "Force NTLM Authentication". It showed how to open the IIS MetaBase.xml file in notepad and locate the NTAuthenticationProviders property. Once I found it, this is what it was set to: NTAuthenticationProviders=""Negotiate, NTLM"" * Note the double quotes on either end. The page talked about deleting Negotiate part, but I found that my error was actually caused by the double quotation marks - evidently left there by the adsutil.vbs script I had run previously. It "inserted" a quoted string inside the existing quotes - which caused IIS all sorts of grief. I removed the extra quotes, setting it to NTAuthenticationProviders="Negotiate, NTLM". Presto - it worked instantly. For good measure, I also tried NTAuthenticationProviders="NTLM". That also worked great. The only difference being that the dual provider caused the IE login dialog to appear, regardless of the IE setting regarding Enabling Integrated Windows Authentication. I have a hunch that may be related to that fact that my IIS Application Pool runs as a domain user and not as a local machine account, but I'll investigate further later. There was obviously a bit of luck involved in finding this error - I hope this post helps the next person to encounter this issue and saves them the frustrated I've gone through the past 24 hours. Still - I can't complain too much - I still prefer a tightly locked-down system that you have to open as opposed to previous IIS incarnations that are causing all kinds of security grievances. I sleep better at night knowing that if it took me this long to get something working, with full Administrator rights, documentation and access, script-kiddies have got their work cut out for them. :) - Dave [quoted text, click to view] "Jeff Cochran" <jeff.nospam@zina.com> wrote in message
news:40ef76a7.1070541647@msnews.microsoft.com... > On Wed, 7 Jul 2004 12:31:50 -0600, "Dave Slinn" <dslinn@accesscomm.ca> > wrote: > > [ Answered inline ] > > >I have been wrestling with IIS6 security settings - I used to be able to do > >this under older versions of IIS, but I can't seem to get it to work right > >in IIS6. > > > >We have a Windows 2003 Domain (pure 2K3). I want to use Windows > >Authentication for our Intranet applications that we write using ASP.NET. > > > >I believe the problem to be something related to the Kerberos technology, > >but I don't know enough about it to resolve my issue. Basically, when I > >enable Integrated Windows Authentication as the Authentication method for my > >application, users (who are logged on locally to the same network as the web > >server) are prompted for a login and password. After entering the username > >and password and clicking OK, the login dialog reappears, asking for the > >info again (even though it's still filled in). Clicking OK again and the > >same thing happens. The third time you click OK, you get the following > >error: > > > > - HTTP Error 401.2 - Unauthorized: Access is denied due to server > >configuration. Internet Information Services (IIS) > > > >Checking the Event log, under the Security category, multiple entries of the > >following exists: > > > >Error Event ID: 529 - Failure Audit > > Logon Failure: > > Reason: Unknown user name or bad password > > User Name: > > Domain: > > Logon Type: 3 > > Logon Process: Kerberos > > Authentication Package: Kerberos > > Workstation Name: - > > Caller User Name: - > > Caller Domain: - > > Caller Logon ID: - > > Caller Process ID: - > > Transited Services: - > > Source Network Address: 172.16.87.77 > > Source Port: 0 > > > > > >First off - why is the browser prompting for a login name and password in > >the first place? Shouldn't integrated windows authentication use their > >Windows credentials? Oh yeah - I have checked - their browsers DO have the > >Enable Integrated Windows Authentication setting checked in their browser > >(which is IE6) advanced settings. > > But that doesn't mean IE will pass credentials. If IE suspects the > site is not in an intranet or trusted zone, it doesn't pass > credentials. Add your domain to the intranet security zone in IE. > > >Secondly, I know I am not typing a bad username or password - it's the same > >one I use to log on to Windows in the first place. At first I thought the > >account was locked out, but that wasn't it. > > Is the web server in the domain? I'm assuming it's a domain account > you use. > > >After spending several hours trying to find some help on the web and in the > >MS knowledgebase, I came across a couple of articles (mostly relating to > >Windows 2000) that talked about Kerberos and Delegation. > > > >One article talked about ensuring the computer can be trusted for > >delegation - so, in Active Directory, I changed the Computer Account for the > >Web server (on the Delegation tab) from "Do not trust this computer > >delegation" to "Trust this computer for delegation to any server (Kerberos > >only)". There is a third option, "Trust this computer for delegation to > >specified services only" where it then offers to Use Kerberos only or Any > >authentication protocol and you can define services for the account. Would > >that option make a difference? What services do I add underneath? > > > >I also tried another article suggestion, which was to modify the IIS
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |