Network/Web Site Authentication


Network/Web Site Authentication benb
7/25/2006 2:31:52 PM
iis security:
Hi,

I've got a WSUS server, which has been working fine for nearly a year. For
some reason, in the past month or 2, when I try to manage the WSUS service
from the web console, using the server name (https://wsuserver/WSUSadmin) I
get an authentication error. The authentication box pops up, asking for
username & password, however no matter what credentials I enter, (mine,
domain admin, enterprise admin) it pops up 3 times, fails, and then I get
the WSUS message:

Access denied
Network policy settings prevent you from accessing this Windows Server
Update Services server.
If you believe you have received this message in error, please check with
your system administrator.

However, if I connect using the server's IP address, NOT hostname,
(https://192.168.0.10/WSUSadmin) it works perfectly. I'm fairly sure it's not
an IIS setting, as I've setup a test server with WSUS installed, that works
with hostname, and exported the web site to an XML file, then imported it
into the live WSUS server. Also the live & test servers are both in the same
OU, with the same group policy applied, so all the security settings
*should* be the same.

What security setting would cause authentication to a hostname to fail, but
to an IP address to work?

Cheers

Ben

Re: Network/Web Site Authentication Greg Lindsay [MSFT]
7/25/2006 5:40:52 PM
Hi Ben,

I believe this article discusses your issue and the workaround:
http://support.microsoft.com/default.aspx?scid=kb;en-us;896861

Please let me know if this does not help.

--
Greg Lindsay [MSFT]
greg.lindsay@microsoft.com

Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.


Re: Network/Web Site Authentication benb
7/27/2006 1:22:06 PM
Hi Greg,

Thanks for the reply. Tried both workarounds described on that page, and
rebooted the server last night, but it didn't fix the issue, the logon still
fails when you try and open a page via hostname, but works with IP address!
I don't think I mentioned our setup, we have 2 servers, first is Win2003
SP1, running as a DC, DHCP, DNS, and the other, is our web/app server,
Win2003 SP1, member server. This runs the WSUS web site, and also VMWare,
which is what I setup as a test WSUS server and got working.

Many thanks

Ben



Re: Network/Web Site Authentication wjzhang NO[at]SPAM online.microsoft.com (
7/28/2006 12:00:00 AM
Hi Ben,

First please check if you ping the wsuserver, the IP address 192.168.0.10
is properly returned. Otherwise this is most likely a routing error.

If the servername/IP resolution appears to be fine, would you please export
IIS configuration and send it to me to have a check?

To dump your metabase configuration, please install IIS6 resource kit tools
and use the Metabase Explorer utility. Export the data under LM root node
into an mbk file.

Internet Information Services (IIS) 6.0 Resource Kit Tools
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=56fc92ee-a71a-4c73-b628-ade629c89499

You can send the file to me at: wjzhang@online.microsoft.com (please remove
online.)

Best Regards,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Re: Network/Web Site Authentication Greg Lindsay [MSFT]
7/28/2006 1:18:51 PM
Hi Ben,

I got your email and have responded to you. I still think this is an IIS
issue, and at this point it would be best to examine security logs to track
down what is causing the issue.

--
Greg Lindsay [MSFT]
greg.lindsay@microsoft.com



Re: Network/Web Site Authentication benb
7/31/2006 10:37:32 AM
Hi Greg,

I got your email, thanks.
This is a copy of the security event log entry that appears after you try to
logon via hostname. Five of these appear after you try to enter the username
& password with 2 retries via IE.

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 31/07/2006
Time: 10:33:54
User: NT AUTHORITY\SYSTEM
Computer: WSUSERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.0.50
Source Port: 1766



Re: Network/Web Site Authentication benb
7/31/2006 11:25:39 AM
Hi WenJun,

Thanks for the reply, I downloaded and ran the IIS res kit, very useful
tool, didn't realise it existed! I have exported the config and metabase and
emailed it to you. Hopefully you should have it by now.

Kind regards

Ben


Re: Network/Web Site Authentication wjzhang NO[at]SPAM online.microsoft.com (
8/1/2006 10:48:54 AM
Hi Ben,

I haven't received mail from you. Could you please double-check the address?

My email is: wjzhang@online.microsoft.com (please remove online.)

Thanks & Have a nice day!

Best Regards,

WenJun Zhang

Microsoft Online Community Support

Re: Network/Web Site Authentication benb
8/2/2006 12:00:00 AM
Hi WenJun,

I definitely sent it to the address below (removing online.) on the 31st
July. Have re-sent this morning, it's from my hotmail account,
bjblackmore@NOSPAM.hotmail.com (remove NOSPAM.)
Is it possible that it was blocked because of encrypted content? When I
exported the metabase I encrypted it with a password, seeing as it was being
transmitted over email!

Ben



Re: Network/Web Site Authentication wjzhang NO[at]SPAM online.microsoft.com (
8/2/2006 1:51:04 PM
Hi Ben,

I've replied to your email. Thanks.

Best Regards,

WenJun Zhang

Microsoft Online Community Support

Re: Network/Web Site Authentication benb
8/3/2006 2:03:37 PM
Hi WenJun,

I got your email, many thanks. I made some changes to the web sites, deleted
the 2 test sites, but still get the same problem.
Have replied to your email, and attached the 2 new config files.

Best regards

Ben



Re: Network/Web Site Authentication wjzhang NO[at]SPAM online.microsoft.com (
8/4/2006 10:39:48 AM
Hi,

Let's use webfetch to trace the raw data of http request/response and
determine if the problem is actually on server-side.

HOW TO: Use Wfetch.exe to Troubleshoot HTTP Connections
http://support.microsoft.com/default.aspx?scid=kb;en-us;284285

To use, please input:

Host: (Your servername)

Path: (The relative path of your page. e.g: /WSUSAdmin/)

Auth: (Select NTLM and specify your domain\username credential)

Press Go! to issue a http request to the server and check what response is
returned. I think the trace should show us the details. Please paste
the whole log data here.

I'll wait for your update. Thanks.

Best Regards,

WenJun Zhang

Microsoft Online Community Support

Re: Network/Web Site Authentication benb
8/4/2006 2:55:05 PM
WenJun,

Here are the TRACE details, below are the details for a GET (wasn't sure if
it mattered which I used)

started....
WWWConnect::Connect("appserver","80")\n
IP = "192.168.254.5:80"\n
source port: 2582\r\n
SEC_I_CONTINUE_NEEDED - InitializeSecurityContext\n
REQUEST: **************\n
TRACE /WSUSadmin HTTP/1.1\r\n
Host: appserver\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: NTLM
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==\r\n
\r\n
RESPONSE: **************\n
HTTP/1.1 401 Unauthorized\r\n
Content-Length: 1037\r\n
Content-Type: text/html\r\n
Server: Microsoft-IIS/6.0\r\n
WWW-Authenticate: NTLM
TlRMTVNTUAACAAAAFAAUADgAAAAVgoniWve8zs/3BIYAAAAAAAAAAKYApgBMAAAABQLODgAAAA9BAEwAUABIAEEAQwBPAFUAUgBUAAIAFABBAEwAUABIAEEAQwBPAFUA
UgBUAAEAEgBBAFAAUABTAEUAUgBWAEUAUgAEABwAYQBsAHAAaABhAGMAbwB1AHIAdAAuAGMAbwBtAAMAMABhAHAAcABzAGUAcgB2AGUAcgAuAGEAbABwAGgAYQBjAG8AdQByAHQALgBjAG8AbQAFABw
AYQBsAHAAaABhAGMAbwB1AHIAdAAuAGMAbwBtAAAAAAA=\r\n
X-Powered-By: ASP.NET\r\n
Date: Fri, 04 Aug 2006 13:43:12 GMT\r\n
\r\n
SEC_E_OK - InitializeSecurityContext\n
\r\n
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >\r\n
<html>\r\n
\t<head>\r\n
\t\t<title>Access denied</title>\r\n
\t\t<style type="text/css">\r\n
\r\n
body {\r\n
\tcolor: black;\r\n
\tbackground-color: #F5F5F5;\r\n
\toverflow: auto;\r\n
\tmargin: 0px;\r\n
\tfont-family: Tahoma;\r\n
\tfont-size: 66.6%;\r\n
}\r\n
\r\n
body div.CurrentNavigation {\r\n
\theight: 28px;\r\n
\tline-height: 28px;\r\n
\tcolor: white;\r\n
\tbackground-color: #666F74;\r\n
\tpadding: 0px 10px 0px 10px;\r\n
\tfont-weight: bold;\r\n
}\r\n
\r\n
body div.Content {\r\n
\tpadding: 16px;\r\n
}\r\n
\r\n
body div.Content div.Title {\r\n
\tfont-size: 225%;\r\n
\tfont-family: Franklin Gothic Medium;\r\n
\tmargin-bottom: 5px;\r\n
}\r\n
\r\n
\t\t</style>\r\n
\t</head>\r\n
\t<body>\r\n
\t\t<div class="CurrentNavigation">Windows Server Update Services
error</div>\r\n
\t\t<div class="Content">\r\n
\t\t\t<div class="Title">Access denied</div>\r\n
\t\t\tNetwork policy settings prevent you from accessing this Windows Server
Update Services server.<br /><br />\r\n
\t\t\tIf you believe you have received this message in error, please check
with your system administrator.<br /><br />\r\n
\t\t</div>\r\n
\t</body>\r\n
</html>\r\n
REQUEST: **************\n
TRACE /WSUSadmin HTTP/1.1\r\n
Host: appserver\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAIgAAADWANYAoAAAABQAFABIAAAAGgAaAFwAAAASABIAdgAAABAAEAB2AQAAFYKI4gUCzg4AAAAPYQBsAHAAaABhAGMAbwB1AHIAdABiAGUAbgA
uAGIAbABhAGMAawBtAG8AcgBlAEEAUABQAFMARQBSAFYARQBSACc1L9G7vFsyNLyHVWi19z6hJXbSSx8QmwvQZMChosgEB3py/S6dosoBAQAAAAAAAP4x+u3Lt8YBoSV20ksfEJsAAAAAAgAUAEEATA
BQAEgAQQBDAE8AVQBSAFQAAQASAEEAUABQAFMARQBSAFYARQBSAAQAHABhAGwAcABoAGEAYwBvAHUAcgB0AC4AYwBvAG0AAwAwAGEAcABwAHMAZQByAHYAZQByAC4AYQBsAHAAaABhAGMAbwB1AHIAd
AAuAGMAbwBtAAUAHABhAGwAcABoAGEAYwBvAHUAcgB0AC4AYwBvAG0AAAAAAAAAAACubInVbwVD4N4uUEqZITud\r\n
\r\n
RESPONSE: **************\n
HTTP/1.1 302 Found\r\n
Date: Fri, 04 Aug 2006 13:43:12 GMT\r\n
Server: Microsoft-IIS/6.0\r\n
X-Powered-By: ASP.NET\r\n
X-AspNet-Version: 1.1.4322\r\n
Location: /WSUSAdmin/Errors/Error.aspx\r\n
Cache-Control: private\r\n
Content-Type: text/html; charset=utf-8\r\n
Content-Length: 2645\r\n
\r\n
<!doctype html public "-//w3c//dtd html 4.0 transitional//en" >\n
<html>\n
<head>\n
<title>Windows Server Update Services error</title>\n
<link rel="stylesheet" type="text/css"
href="/WsusAdmin/Common/Common.css">\n
<script language="JScript" type="text/javascript"
src="/WsusAdmin/Common/Common.js"></script>\n
<script language="JScript" type="text/javascript">\n
function InitializeErrorPage()\n
{\n
try\n
{\n
if(!TopFrame.SiteProperlyInitialized) // If site wasn't properly
initialized (got to site without going to home page first), go to home
page\n
{\n
TopFrame.Banner.TabHome.click();\n
}\n
}catch(e){}\n
}\n
</script>\n
<script language="JScript" type="text/javascript">\n
function ShowErrorDetails()\n
{\n
Details.parentElement.style.height = "100%";\n
Details.previousSibling.style.display = "block";\n
DetailsButton.disabled = true;\n
ResizeDialog();\n
}\n
</script>\n
</head>\n
<body onload="Initialize();InitializeErrorPage();CloseWaitDialog();"
class="Content">\n
<table cellspacing="0" style="width: 100%;height: 100%;"
class="UserFontSize">\n
<tr>\n
<td style="vertical-align: top;">\n
<div class="Introduction">Windows Server Update Services
encountered an error. </div>\n
<div id="Summary" class="Content" style="padding-bottom:
11px;">Thread was being aborted.</div>\n
<button id="DetailsButton" onclick="ShowErrorDetails();"
style="margin-left: 9px;">Show Details</button><br /><br />\n
</td>\n
</tr>\n
<tr>\n
<td class="ErrorDetails">\n
<div class="SectionHeader">Details</div>\n
<textarea id="Details" contenteditable="false"
wrap="off">System.Threading.ThreadAbortException: Thread was being
aborted.\r\n
at System.Threading.Thread.AbortInternal()\r\n
at System.Threading.Thread.Abort(Object stateInfo)\r\n
at System.Web.HttpResponse.End()\r\n
at System.Web.HttpResponse.Redirect(String url, Boolean endResponse)\r\n
at System.Web.HttpResponse.Redirect(String url)\r\n
at Administration.Errors.ErrorRedirect.Page_Load(Object sender, EventArgs
e)\n
\n
at System.Threading.Thread.AbortInternal()\r\n
at System.Threading.Thread.Abort(Object stateInfo)\r\n
at System.Web.HttpResponse.End()\r\n
at System.Web.HttpResponse.Redirect(String url, Boolean endResponse)\r\n
at System.Web.HttpResponse.Redirect(String url)\r\n
at Administration.Errors.ErrorRedirect.Page_Load(Object sender, EventArgs
e)</textarea>\n
</td>\n
</tr>\n
</table>\n
</body>\n
</html>
finished.

=============
GET
=============

started....
Reusing existing connection (source port 2584)\n
SEC_I_CONTINUE_NEEDED - InitializeSecurityContext\n
REQUEST: **************\n
GET /WSUSadmin HTTP/1.1\r\n
Host: appserver\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: NTLM
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==\r\n
\r\n
RESPONSE: **************\n
HTTP/1.1 401 Unauthorized\r\n
Content-Length: 1037\r\n
Content-Type: text/html\r\n
Server: Microsoft-IIS/6.0\r\n
WWW-Authenticate: NTLM
TlRMTVNTUAACAAAAFAAUADgAAAAVgoni/bUU5xXahGAAAAAAAAAAAKYApgBMAAAABQLODgAAAA9BAEwAUABIAEEAQwBPAFUAUgBUAAIAFABBAEwAUABIAEEAQwBPAFUA
Re: Network/Web Site Authentication wjzhang NO[at]SPAM online.microsoft.com (
8/7/2006 9:28:45 AM
Hi Ben,

I saw NTLM works according to the trace. At least, the authentication is
passed between IIS and the client. Now it looks like this is probably a
Kerberos auth related issue.

Please go to the problematic client, open its IE Internet
Options->Advanced, make sure the 'Enable Integrated Windows Authentication'
option isn't selected. In this case, IE will use NTLM to perform Integrated
auth with IIS instead of Kerberos protocol. See if this will let the SUS
site work from now.

If it works, this means Kerberos authentication fails in your domain. You
have to ping our Windows AD group to help on Kerberos side troubleshooting.
Do you have a proper Kerberos Domain Controller(KDC) set in the domain?

Thanks.

Best Regards,

WenJun Zhang

Microsoft Online Community Support
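
Added example, not part of the original thread or written by any of its participants: a Python sketch that reads the Authorization / WWW-Authenticate tokens in an HTTP header trace like the one posted above, reports whether each token is NTLM (and which handshake message) or a SPNEGO/Kerberos token, and says whether the server accepted the client's final token. The Type 2, Type 3 and Kerberos tokens, the names EXAMPLE, alice and PC01, and both sample traces are constructed for the demo; only the Type 1 token is taken from the thread.

```python
import base64
import re
import struct

SIG = b"NTLMSSP\x00"
NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
UNICODE = 0x1  # NTLMSSP_NEGOTIATE_UNICODE flag
HEADER = re.compile(r"^(Authorization|WWW-Authenticate):\s*(?:NTLM|Negotiate)\s+(\S+)", re.I)
STATUS = re.compile(r"^HTTP/1\.[01] (\d{3})")

def _text(raw, field_off, flags):
    length, _maxlen, offset = struct.unpack_from("<HHI", raw, field_off)  # NTLM field descriptor
    codec = "utf-16-le" if flags & UNICODE else "cp437"
    return raw[offset:offset + length].decode(codec, "replace")

def describe_token(b64):
    """Report which protocol a base64 HTTP auth token actually carries."""
    raw = base64.b64decode(b64)
    if raw[:1] == b"\x60":  # GSS-API/SPNEGO wrapper: Kerberos unless it wraps NTLMSSP
        return {"scheme": "SPNEGO/NTLM" if SIG in raw else "SPNEGO/Kerberos"}
    if not raw.startswith(SIG) or len(raw) < 12:
        return {"scheme": "unknown"}
    mtype = struct.unpack_from("<I", raw, 8)[0]
    info = {"scheme": "NTLM", "message": NAMES.get(mtype, str(mtype))}
    if mtype == 3 and len(raw) >= 64:  # layout that carries the flags at offset 60
        flags = struct.unpack_from("<I", raw, 60)[0]
        for name, off in (("domain", 28), ("user", 36), ("workstation", 44)):
            info[name] = _text(raw, off, flags)
    return info

def walk_trace(text):
    """Return (steps, verdict) for the auth exchange in an HTTP header trace."""
    steps, awaiting, verdict = [], False, "incomplete"
    for line in (l.strip() for l in text.splitlines()):
        status, header = STATUS.match(line), HEADER.match(line)
        if status:
            steps.append("HTTP " + status.group(1))
            if awaiting:  # first response after the client's final token
                verdict = "rejected" if status.group(1) == "401" else "accepted"
                awaiting = False
        elif header:
            info = describe_token(header.group(2))
            steps.append((info["scheme"] + " " + info.get("message", "")).strip())
            if header.group(1).lower() == "authorization":
                awaiting = (info.get("message") == "AUTHENTICATE"
                            or info["scheme"] == "SPNEGO/Kerberos")
    return steps, verdict

# Constructed sample input below: no real credentials, challenges or tickets.
def _b64(raw):
    return base64.b64encode(raw).decode()
def _fld(n, off):
    return struct.pack("<HHI", n, n, off)
_d, _u, _w = (s.encode("utf-16-le") for s in ("EXAMPLE", "alice", "PC01"))
TYPE1 = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw=="  # Type 1 from the thread
TYPE2 = _b64(SIG + struct.pack("<I", 2) + bytes(20))
TYPE3 = _b64(SIG + struct.pack("<I", 3) + _fld(0, 64) * 2 + _fld(14, 64) + _fld(10, 78)
             + _fld(8, 88) + _fld(0, 96) + struct.pack("<I", UNICODE) + _d + _u + _w)
KRB = _b64(b"\x60\x82\x01\x00" + bytes(16))  # placeholder GSS-API header, not a ticket
NTLM_TRACE = "\n".join(["GET /WSUSadmin HTTP/1.1", "Authorization: NTLM " + TYPE1,
                        "HTTP/1.1 401 Unauthorized", "WWW-Authenticate: NTLM " + TYPE2,
                        "GET /WSUSadmin HTTP/1.1", "Authorization: NTLM " + TYPE3,
                        "HTTP/1.1 302 Found"])
KRB_TRACE = "\n".join(["GET /WSUSadmin HTTP/1.1", "Authorization: Negotiate " + KRB,
                       "HTTP/1.1 401 Unauthorized"])
```

WFetch output as pasted in the thread wraps each token onto the line after its header and appends literal \r\n markers, so rejoin those lines and strip the markers before passing the text to walk_trace.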



Re: Network/Web Site Authentication benb
8/8/2006 12:00:00 AM
Hi WenJun,

That fixed the problem, after turning off the 'Enable Integrated Windows
Authentication' option in IE the WSUS site works.

We are running 2 Windows 2003 domain controllers, so Kerberos should work, I
don't think we've had any other problems flagged, there don't seem to be any
Kerberos related events in any of the event logs.

How do I troubleshoot Kerberos related issues in IIS 6? I've read
support.microsoft.com/kb/326985 but that's for troubleshooting IIS 4 & 5.
Will the same principles work?

I will post a topic to the Windows AD group, but I'm not too sure what to
ask, as I have no error codes or messages to go on.

Many thanks

Ben



Re: Network/Web Site Authentication wjzhang NO[at]SPAM online.microsoft.com (
8/9/2006 12:28:57 PM
Hi Ben,

You can launch WebFetch again and set the auth type to Kerberos to
reproduce an authentication error. Then open event viewer security log on
the server. Generally you should see logon failure events in it with
detailed logon parameters and error code.

You can then post the error events to our Windows AD group for assistance.
Thanks.

Best Regards,

WenJun Zhang

Microsoft Online Community Support

