IIS security:
I'm seeing a problem in trying to get a web application to authenticate
cleanly, and I'm not getting a lot of targeted errors that provide sufficient info
to troubleshoot effectively, so here I am.
Environment:
all affected systems are in a single domain run by a Win 2k3R2 server,
relatively up-to-date.
The DC is also the Kerberos server, and we have 2 other machines in this
setup.
The first is a webserver and the second is a custom application server.
Planned usage runs something like this:
From a client system you open the browser and go to the Virtual Directory
(VDir) set up on the webserver. The homepage of our client machines (hosted
by a different server) authenticates folks fine via Integrated Windows
Authentication at this time, and as such generally no login prompts should
pop up when going to the problem webserver. This should authenticate through
via Kerberos to the app server and then give the user the option to display
data via the webpage, tailored based on the Windows ID.
So, instead of seeing that, what I've got is the following:
1. User opens web browser, goes to homepage and everything works fine.
2. User tries to go to the VDir hosted by the problem webserver and gets a
separate window prompting for logon. After typing in id and password
correctly three times, the webpage comes up with "Access is Denied" and
nothing else.
So, in reviewing this, I've found out a few things.
- First, the Virtual Directory appears to be properly configured. No
anonymous access, set up for Integrated Windows Authentication.
- The WebApp Pool is set to a Domain ID that in the security event logs
appears to properly authenticate using the Negotiate Package.
- The Domain Controller verifies that the ID of the user trying to get in
successfully authenticates as far as it's concerned, via the Security event
log on the domain controller.
- The Application server shows no failed authentication on its end, but the
problem Webserver does:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.0.2.136
Source Port: 4558
Note: IIRC the port does change from time to time, which suggests that DCOM
might be involved? (based on DCOM's habit of changing ports, I'm assuming)
The error here shows in the problem web server's event log roughly 7 times
each attempt.
From all I can tell it looks like the data isn't making it back from the DC
to the webserver.
There is one other potential complication in that the two systems are hosted
by a Cisco switch that offers VLAN capability. As a result, both are on
separate VLANs, but I can verify they can ping each other, etc.
At this time I've forced Kerberos to use TCP instead of UDP authentication
and set the token size to 65535, both to no effect. One thing that is
curious is that if the AppPool is set to use NetworkService instead of the
domain ID it at least loads the login page, which is a step further but not
what the user wants, as we lose fine auditing of data access on the app.
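The pattern described in this post (Kerberos logon failures on the web server while the DC reports success, and the site loading once the app pool is switched to NetworkService) is consistent with a Service Principal Name problem: NetworkService authenticates as the computer account, whose HOST/ SPNs already cover HTTP, whereas a domain account used as the app pool identity only gets Kerberos tickets for the site if HTTP/<hostname> SPNs are explicitly registered on it, and registered on exactly one account. The following PowerShell script is an added diagnostic example, not code from the original post; it queries Active Directory through [adsisearcher] for the SPNs the site needs and reports whether they are missing or duplicated. The account name and host names are placeholders that you would replace with the real app pool identity and the names clients use in the URL.

```powershell
# Added example (not from the original post): check that the HTTP SPNs an IIS
# site needs are registered on the application pool's domain account, and that
# no other account holds the same SPN (duplicates also break Kerberos).
# All three parameter defaults are placeholders, not values from the post.
param(
    [string]$AppPoolAccount = 'svc_webapp',                # placeholder: app pool domain ID
    [string]$WebServerHost  = 'webserver01',               # placeholder: short name in the URL
    [string]$WebServerFqdn  = 'webserver01.corp.example'   # placeholder: DNS name in the URL
)

# Clients build the SPN from the host name they typed, so both forms are needed.
$requiredSpns = @("HTTP/$WebServerHost", "HTTP/$WebServerFqdn")

function Get-AccountSpns {
    param([string]$SamAccountName)
    # [adsisearcher] does an LDAP search against the current domain; it needs no
    # extra modules, so it works from any domain-joined machine.
    $searcher = [adsisearcher]"(sAMAccountName=$SamAccountName)"
    $searcher.PropertiesToLoad.Add('servicePrincipalName') | Out-Null
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "Account '$SamAccountName' not found in the domain." }
    return @($result.Properties['serviceprincipalname'])
}

function Find-SpnOwners {
    param([string]$Spn)
    # Every object (user or computer) that holds this SPN. More than one owner
    # means the KDC cannot pick a key, and tickets for the site fail to decrypt.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $searcher.PropertiesToLoad.Add('sAMAccountName') | Out-Null
    return @($searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })
}

$registered = Get-AccountSpns -SamAccountName $AppPoolAccount

foreach ($spn in $requiredSpns) {
    $owners = Find-SpnOwners -Spn $spn
    if ($registered -contains $spn) {
        if ($owners.Count -gt 1) {
            Write-Warning "$spn is on $AppPoolAccount but also on: $($owners -join ', ') (duplicate SPN)"
        } else {
            Write-Host "OK: $spn is registered on $AppPoolAccount only"
        }
    } elseif ($owners.Count -gt 0) {
        # The SPN exists, but on the wrong principal: tickets are encrypted with
        # that principal's key, which the app pool account cannot decrypt.
        Write-Warning "$spn is missing from $AppPoolAccount; currently held by: $($owners -join ', ')"
    } else {
        Write-Warning "$spn is not registered anywhere; register it with: setspn -A $spn $AppPoolAccount"
    }
}
```

Run it as a domain user from any domain-joined machine; reading servicePrincipalName requires no special rights, while adding an SPN with setspn needs permission to write the target account. A missing SPN produces exactly the silent fallback seen here: the browser cannot get a Kerberos ticket for the site, falls back to prompting for credentials, and IIS records the Kerberos logon failure with an empty user name because the ticket never validated.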