IIS7 with multiple web sites - Windows Auth only working on localhost

I set up multiple web sites on my new Vista pc and so far, windows authentication only seems to be working with web apps on the localhost web site.

My PC network adapter has one static ip address, which connects to the domain, and multiple non-routable ip addresses on the same adapter for use with the web sites (i.e. 192.168.0.20). localhost binds to "unassigned" ip addresses, while the rest of my ip addresses bind to the 192.168.0.x series. These have all been added to the Hosts file too, so my Hosts file looks something like this (names changed to protect the innocent):

    127.0.0.1 localhost
    192.168.0.10 ecommerce
    192.168.0.11 intranet
    192.168.0.12 internet
    192.168.0.13 webservicehost

I created a simple asp.net app called Test in localhost. In IIS I enabled Impersonation and Windows Authentication. The default.aspx page does a simple response.write of WindowsIdentity.GetCurrent.Name (if you test this the page needs a using System.Security.Principal for this to work). If I run this it properly displays my domain id (domain\username).

I copied this web app to another one of the web sites under IIS7, one that uses one of the non-routable ip addresses, and set the same settings in IIS console. Now when I run the app I receive a windows login dialog and no matter what I enter for a login it just prompts me again until it fails and I receive a 401.1.

Now someone is bound to say this setup with the adapter using one static ip and the multiple non-routable ip addresses should not work.....but this whole setup works great on my win2003 server pc, which is what I am trying to migrate from. In fact the only reason my "old" workstation OS is win2003 is for being able to run multiple web sites...and I just want to get the same thing working under Vista/IIS7.

Brad

Interesting followup to this: In IE7 on Vista I disabled "Enable Integrated Windows Authentication" and now Windows Authentication against all the web sites works. Yes, you read correctly...by disabling windows authentication in IE....the windows authentication from IE to the web sites now works. Definitely did not have to do this in IE7 on my win2003 pc.

Hi Brad,
Your findings indicate the problem isn't on the IIS server itself. Disabling the 'enable integrated windows authentication' option in IE doesn't mean integrated auth is turned off. The difference here is IE will use the Kerberos protocol to perform integrated auth with IIS with the option turned on and use the NTLM protocol when the option is off. Please refer to:

Internet Explorer does not support Kerberos authentication with proxy servers
http://support.microsoft.com/kb/321728/

Therefore the symptom indicates somehow Kerberos doesn't work when you connect to the web sites from the problematic Vista client. You may use webfetch to trace the raw data of the http request/response to turn up more details.

HOW TO: Use Wfetch.exe to Troubleshoot HTTP Connections
http://support.microsoft.com/default.aspx?scid=kb;en-us;284285

To use, please input:

    Host: (Your servername)
    Port: (Your web site's TCP Port)
    Path: (The relative path of a sample page, e.g. /index.htm)
    Auth: (Select Kerberos and input domain, username and password)

Press Go! to issue an http request to the server and check what response is returned.

I look forward to your result. Have a good day.

Sincerely,
WenJun Zhang
Microsoft Online Community Support

==================================================
Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues where an initial response from the community or a Microsoft Support Engineer within 1 business day is acceptable. Please note that each follow up response may take approximately 2 business days as the support professional working with you may need further investigation to reach the most efficient resolution. The offering is not appropriate for situations that require urgent, real-time or phone-based interactions or complex project analysis and dump analysis issues. Issues of this nature are best handled working with a dedicated Microsoft Support Engineer by contacting Microsoft Customer Support Services (CSS) at: http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Thank you for the information. I confirmed that indeed NTLM works but
Kerberos is not working. Keeping in mind that the web sites are all on the same Vista client that is running the IE7 browser (the Vista client is running IIS7 with multiple web sites). Here is the result of a trace using Kerberos:

    started....
    WWWConnect::Connect("inside","80")\n
    IP = "192.168.0.21:80"\n
    source port: 49946\r\n
    ISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE set\n
    0x80090303 (The specified target is unknown or unreachable): Unable to InitializeSecurityContext
    WWWConnect::Close("inside","80")\n
    closed source port: 49946\r\n
    finished.

I ran

    cscript adsutil.vbs get w3svc/root/NTAuthenticationProviders

and confirmed that Negotiate,NTLM were enabled. I then ran

    cscript adsutil.vbs set w3svc/root/NTAuthenticationProviders "NTLM"

to force NTLM only. I changed IE back to use integrated authentication. And IE authentication works correctly. I ran

    cscript adsutil.vbs set w3svc/root/NTAuthenticationProviders "Negotiate,NTLM"

....and confirmed again that IE authentication does not work unless I turn off integrated authentication.

So this seems to indicate Kerberos is not working on Vista (between IIS and IE both on the same Vista client) when using the non-routable ip addresses. Any thoughts as to why?

Brad

Hi Brad,
The error 0x80090303 for Kerberos authentication generally indicates a missing SPN for the network resource. You should use SetSPN to manually set SPNs for those web sites to test. The format is:

    Setspn -A HTTP/<your web site's FQDN> <server netbiosname>

You can refer to the following article for the details.

326985 How to troubleshoot Kerberos-related issues in IIS
http://support.microsoft.com/default.aspx?scid=kb;EN-US;326985

Please update here if the info helps resolve the issue. Thanks.

Sincerely,
WenJun Zhang
Microsoft Online Community Support
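
The SPN check suggested in the last reply, as an added example that is not part of the original thread: it queries Active Directory for HTTP/<host> on each site name and reports whether the SPN is missing, present once, or registered on more than one account (duplicates also break Kerberos, so the example goes slightly beyond the reply). The host list is taken from the posted Hosts file and the WFetch trace; the target account and the use of the computer account are assumptions.

```powershell
# Added example, not code from the thread. Host names come from the posted
# Hosts file and the WFetch trace; $Account is an assumption (see below).
param(
    [string[]]$SiteHosts = @('ecommerce', 'intranet', 'internet', 'webservicehost', 'inside'),
    # Assumption: the sites' application pools run under a built-in identity,
    # so the SPNs belong on this machine's computer account.
    [string]$Account = $env:COMPUTERNAME
)

function Get-HttpSpnOwner {
    param([Parameter(Mandatory = $true)][string]$HostName)

    # Only plain host names are allowed into the LDAP filter, so characters
    # with a meaning in filter syntax ( * ( ) \ ) can never reach the query.
    if ($HostName -notmatch '^[A-Za-z0-9.-]+$') {
        throw "Refusing to query for unexpected host name '$HostName'"
    }

    # Search the current domain for every account that holds HTTP/<host>.
    $searcher = [adsisearcher]"(servicePrincipalName=HTTP/$HostName)"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $results = $searcher.FindAll()
    try {
        # Property names in a search result are exposed in lower case.
        @($results | ForEach-Object { [string]$_.Properties['distinguishedname'][0] })
    }
    finally {
        $results.Dispose()
    }
}

foreach ($siteHost in $SiteHosts) {
    $owners = @(Get-HttpSpnOwner -HostName $siteHost)
    switch ($owners.Count) {
        0       { "MISSING   HTTP/$siteHost  (to register: setspn -A HTTP/$siteHost $Account)" }
        1       { "OK        HTTP/$siteHost  held by $($owners[0])" }
        default { "DUPLICATE HTTP/$siteHost  held by $($owners -join ' | ')" }
    }
}
```

The script only reads the directory; the setspn -A line is printed for review and is not executed. It has to run on a domain-joined machine under a domain account.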