Kerberos and ASP NET application


Kerberos and ASP NET application dragonsjmd@gmail.com
4/15/2008 4:36:34 AM
Hi All,

First-time poster to this group, and this is my first experience
looking into the intricacies of Kerberos.

Anyway, I've developed a vanilla ASP.NET application. It has a web
tier which connects to a web service which talks with the SQL Server -
a very standard set-up. I have set the web application to use
integrated authentication and hence Kerberos, as retrieving the
information requires two hops.

I have set up IIS and the web.config files as recommended by Microsoft
(and confirmed across the web). I have set the service principals and
set the delegations correctly. And I was very pleased with myself
when the application worked as expected from my machine. I was also
very happy when it worked from my boss's machine. I wasn't so happy
when it didn't work from my customer's machine (all on the same
network).

That's when my adventure in Kerberos, and pain, began. In a nutshell,
some machines authenticate using Kerberos, while others default to
NTLM and the SQL Server won't (rightly) let them in (the error message
is: Login failed for user '(null)'. Reason: Not associated with a
trusted SQL Server connection.). We even had the great test case of a
user with two similarly configured machines being able to connect
successfully with one but not the other!! Sigh.

As further background:

- client is IE7 on Win XP SP2, with "Enable Integrated Windows Authentication" selected;
- web server is on a virtual server running Windows 2003;
- app server is also on this server (for now);
- SQL Server is SQL 2000 on a Win 2003 box.

Now I've tried everything I can glean from the web to see what the
differences between the two machines are - and I have come up with
nothing. ZIP. Everything seems to be in order, but obviously
something isn't!! I have run some limited packet sniffing, but that
isn't really my forte - using Netmon, I could see that there was a
Kerberos error (the error code was 0x3e - KDC_ERR_CLIENT_NOT_TRUSTED,
but that didn't really give me much to go on). I have compared
workstations and accounts in Active Directory, with no success. I
have compared IE7 properties - nothing.

Has anyone ever had this sort of problem before - i.e. Kerberos seems to
work for some workstations but not others? Or can anyone suggest some
diagnostics or something that I can run that might lead me down the
right track?

I'm nearing breaking point on this one - am even taking the day off
tomorrow to go fishing to see if something comes up ;-)

Cheers and grateful for ANY help or advice.

Re: Kerberos and ASP NET application Ken Schaefer
4/17/2008 7:18:17 PM
Are all the machines in the same domain?

Cheers
Ken


Re: Kerberos and ASP NET application dragonsjmd@gmail.com
4/20/2008 5:17:17 PM
Thanks for the response Ken. Yes they are all on the same domain.

Further investigative work last week revealed something which may be
important: basically, Kerberos operates as expected from one specific
make of machines on our network - other machines, with a different
build, fail.

I have my suspicions that it might be a difference between these two
builds that is causing the problem. Is there any way to analyse this
- for example, comparing the local security policies of the two
different builds, or any other LOCAL settings that might be
applicable? Can local settings cause this problem and if so, what
would be the best places to check? I've been on a few wild goose
chases with this issue already and am looking forward to resolving it!

Cheers

Re: Kerberos and ASP NET application DaveMo
4/21/2008 5:53:04 AM

James,

Are the users of these machines using smart cards to log on? I suspect
not, but CLIENT_NOT_TRUSTED is the typical error code for an untrusted CA
when using PKINIT.

It sounds like the KDC doesn't like these machines that are giving you
problems, but a couple more data points wouldn't hurt.

- If you look in the event logs and find the logon events, what
  package is referenced?
- Install the Windows Resource Kit on one of the problem machines and
  try running klist or kerbtray. Are there any Kerb tickets?
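
The two checks DaveMo suggests, plus an SPN check, as an added diagnostic
script. This is not code from the thread; it is a modern PowerShell
version for a Vista/2008-or-later box (the XP/2003 machines in the thread
log logons as events 528/540 and need the Resource Kit klist, so the event
ID and tool location differ). The web server name `webhost.corp.example`
and the app pool identity `CORP\svcWeb` are placeholders. Run it elevated
on the IIS server to see whether browser logons arrive as Kerberos or
NTLM, and on a failing client to see whether it ever obtained an HTTP/
service ticket; "Login failed for user '(null)'" at SQL Server is what
IIS produces when it only got an NTLM logon and so has nothing it can
delegate on the second hop.

```powershell
# Added example (not from the thread). Assumptions: the web tier's SPN is
# HTTP/<WebHost> and IIS runs under <AppPoolAccount>; both are placeholders.
param(
    [string]$WebHost        = 'webhost.corp.example',   # assumption: IIS host name
    [string]$AppPoolAccount = 'CORP\svcWeb',            # assumption: app pool identity
    [int]$Hours             = 2                         # how far back to look in the Security log
)

# 1. Which authentication package did recent logons use?
#    Event 4624 (Vista/2008+) carries AuthenticationPackageName = 'Kerberos' or 'NTLM'.
#    On the IIS server, LogonType 3 entries are the browser logons; NTLM here means
#    the second hop to SQL Server cannot work, whatever the delegation settings say.
$since = (Get-Date).AddHours(-$Hours)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = $d.LogonType
            AuthPackage = $d.AuthenticationPackageName
            Workstation = $d.WorkstationName
            Source      = $d.IpAddress
        }
    } |
    Where-Object { $_.LogonType -in '2', '3', '10' } |
    Sort-Object Time |
    Format-Table -AutoSize

# 2. Does this client actually hold a Kerberos service ticket for the web server?
#    klist with no arguments lists the cached tickets for the current logon session.
#    Only a krbtgt ticket and no HTTP/<WebHost> ticket means IE either never asked the
#    KDC for one (fell straight to NTLM) or the KDC refused the request.
$tickets = klist
$tickets | Select-String -Pattern 'Server:'
if (-not ($tickets | Select-String -Pattern "HTTP/$WebHost" -Quiet)) {
    Write-Warning "No HTTP/$WebHost ticket cached: IE negotiated NTLM or the TGS request failed."
}

# 3. Is the SPN registered exactly once, and on the account IIS runs as?
#    A missing SPN, or the same SPN on two accounts, makes clients fall back to NTLM.
setspn -L $AppPoolAccount     # SPNs registered on the app pool identity
setspn -X                      # duplicate SPNs in the forest (2008+ setspn)
```

To reproduce the failure on a client, run `klist purge`, hit the site in
IE, then run the script again: a healthy client shows a fresh
`HTTP/webhost.corp.example` ticket and a Kerberos logon on the server; a
failing one shows no HTTP/ ticket and an NTLM logon. Capturing the
exchange while doing that also pins the KRB-ERROR to the specific TGS
request, which is more useful than a bare 0x3e from a long trace.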

Re: Kerberos and ASP NET application VC
6/19/2008 5:51:01 AM
I had this problem and after a lot of support call time with Microsoft I had
to implement two fixes on every affected machine:

http://support.microsoft.com/kb/911149
http://support.microsoft.com/kb/939850

Hope this helps.
