I set up multiple web sites on my new Vista pc and so far, windows
authentication only seems to be working with web apps on the localhost web
site.

My PC network adapter one static ip address, which connects to the domain,
and multiple non-routable ip addresses on the same adapter for use with the
web sites (i.e. 192.168.0.20). localhost binds to "unassigned" ip
addresses, while the rest of my ip addresses bind to the 192.168.0.x series.
These have all been added to the Hosts file too, so my Hosts file looks
something like this (names changed to protect the innocent):
127.0.0.1 localhost
192.168.0.10 ecommerce
192.168.0.11 intranet
192.168.0.12 internet
192.168.0.13 webservicehost

I created a simple asp.net app called Test in localhost. In IIS I enabled
Impersonation and Windows Authentication. The default.aspx page does a
simple response.write of WindowsIndentity.GetCurrent.Name (if you test this
the page needs a using System.Security.Principal for this to work). If I
run this it properly displays my domain id (domain\username).

I copied this web app to another one of the web sites under IIS7, one that
uses one of the non-routable ip addresses and set the same settings in IIS
console. Now when I run the app I receive a windows login dialog and no
mater what I enter for a login it just prompts me again until it fails and I
receive a 401.1.

Now someone is bound to say this setup with the adapter using one static ip
and the multiple non-routable ip address should not work.....but this whole
setup works great on my win2003 server pc, which is what I am trying to
migrate from. In fact the only reason my "old" workstation OS is win2003 is
for being able to run multiple web sites...and I just want to get the same
thing working under Vista/IIS7


Brad

Interesting followup to this: In IE7 on Vista I disabled "Enable
Integrated Windows Authentication" and now Windows Authenticaiton against
all the web sites works. Yes, you read correctly...by disabling windows
authentication in IE....the windows authenticaiton from IE to the web sites
now works. Definitely did not have to do this in IE7 on my win2003 pc.

[quoted text, click to view]
I set up multiple web sites on my new Vista pc and so far, windows
authentication only seems to be working with web apps on the localhost web
site.

My PC network adapter one static ip address, which connects to the domain,
and multiple non-routable ip addresses on the same adapter for use with the
web sites (i.e. 192.168.0.20). localhost binds to "unassigned" ip
addresses, while the rest of my ip addresses bind to the 192.168.0.x series.
These have all been added to the Hosts file too, so my Hosts file looks
something like this (names changed to protect the innocent):
127.0.0.1 localhost
192.168.0.10 ecommerce
192.168.0.11 intranet
192.168.0.12 internet
192.168.0.13 webservicehost

I created a simple asp.net app called Test in localhost. In IIS I enabled
Impersonation and Windows Authentication. The default.aspx page does a
simple response.write of WindowsIndentity.GetCurrent.Name (if you test this
the page needs a using System.Security.Principal for this to work). If I
run this it properly displays my domain id (domain\username).

I copied this web app to another one of the web sites under IIS7, one that
uses one of the non-routable ip addresses and set the same settings in IIS
console. Now when I run the app I receive a windows login dialog and no
mater what I enter for a login it just prompts me again until it fails and I
receive a 401.1.

Now someone is bound to say this setup with the adapter using one static ip
and the multiple non-routable ip address should not work.....but this whole
setup works great on my win2003 server pc, which is what I am trying to
migrate from. In fact the only reason my "old" workstation OS is win2003 is
for being able to run multiple web sites...and I just want to get the same
thing working under Vista/IIS7


Brad

Hi Brad,

The findings of you indicates the problem isn't on the IIS server itself.
When disabling 'enable integrated windows authentication' option in IE, it
doesn't mean integrated auth is turned off. The difference here is IE will
use Kerberos protocol to perform integarted auth with IIS with the option
turned on and use NTLM protocol when the option is off. Please refer to:

Internet Explorer does not support Kerberos authentication with proxy
servers
http://support.microsoft.com/kb/321728/

Therefore the symptom indicates somehow Kerberos doesn't work when you
connect to the web sites from the problematic Vista client.

You may use webfetch to trace the rawdata of http request/response to turn
up more details.

HOW TO: Use Wfetch.exe to Troubleshoot HTTP Connections
http://support.microsoft.com/default.aspx?scid=kb;en-us;284285

To use, please input:

Host: (Your servername)
Port: (Your web site's TCP Port)
Path: (The relative path of a sample page. e.g: /index.htm)
Auth: (Select Kerberos and input domain, username and password)

Press Go! to issue a http request to the server and check what response is
returned.

I look forward to your result.

Have a good day.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Thank you for the information. I confirmed that indeed NTLM works but
Kerberos is not working. Keeping in mind that the web sites are all on
same the Vista client that is running the IE7 browser (the Vista client is
running IIS7 with multiple web sites). Here is the result of a trace using
Kerberos
started....
WWWConnect::Connect("inside","80")\n
IP = "192.168.0.21:80"\n
source port: 49946\r\n
ISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE set\n
0x80090303 (The specified target is unknown or unreachable):
Unable to InitializeSecurityContext
WWWConnect::Close("inside","80")\n
closed source port: 49946\r\n
finished.

I ran cscript adsutil.vbs get w3svc/root/NTAuthenticationProviders and
confirmed that Negotiate,NTLM were enabled
I then ran cscript adsutil.vbs set w3svc/root/NTAuthenticationProviders
"NTLM" to force NTLM only. I changed IE back use integrated authentication.
And IE authentication works correctly. I ran cscript adsutil.vbs set
w3svc/root/NTAuthenticationProviders "Negotiate,NTLM"....and confirmed again
that IE authnetication does not work unless I turn off integrated
authentication.

So this seems to indicate Kerberos is not working on Vista (between IIS and
IE both on the same Vista client) when using the non-routable ip addresses.
Any thoughts as to why?

Brad


[quoted text, click to view]
Hi Brad,

The findings of you indicates the problem isn't on the IIS server itself.
When disabling 'enable integrated windows authentication' option in IE, it
doesn't mean integrated auth is turned off. The difference here is IE will
use Kerberos protocol to perform integarted auth with IIS with the option
turned on and use NTLM protocol when the option is off. Please refer to:

Internet Explorer does not support Kerberos authentication with proxy
servers
http://support.microsoft.com/kb/321728/

Therefore the symptom indicates somehow Kerberos doesn't work when you
connect to the web sites from the problematic Vista client.

You may use webfetch to trace the rawdata of http request/response to turn
up more details.

HOW TO: Use Wfetch.exe to Troubleshoot HTTP Connections
http://support.microsoft.com/default.aspx?scid=kb;en-us;284285

To use, please input:

Host: (Your servername)
Port: (Your web site's TCP Port)
Path: (The relative path of a sample page. e.g: /index.htm)
Auth: (Select Kerberos and input domain, username and password)

Press Go! to issue a http request to the server and check what response is
returned.

I look forward to your result.

Have a good day.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Hi Brad,

The error 0x80090303 for Kerberos authentication generally indicates
missing SPN for the network resource. You should use SetSPN to manually set
SPNs for those web sites to test. The format is:

Setspn -A HTTP/<your web site's FQDN> <server netbiosname>

You can refer to the following article for the details.

326985 How to troubleshoot Kerberos-related issues in IIS
http://support.microsoft.com/default.aspx?scid=kb;EN-US;326985

Please update here if the info helps resolve the issue. Thanks.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.