Re: IIS7 - # of universal group memberships breaks kerberos authentication

...bloat. No matter what protocol you are using, or what layer in the OSI stack, there are going to be limits on what can be transferred in a frame/packet/header/whatever. Hundreds of groups are going to cause an issue eventually somewhere in the stack, unfortunately.

Cheers
Ken

"McDavid" <McDa***@discussions.microsoft.com> wrote in message news:3A7309C6-9788-4B85-B56F-7AC49FA9DFAB@microsoft.com...

> Windows 2008 Server x64
> ASP .NET 2.0
>
> Application pool is running under a domain account with appropriate HTTP SPNs registered. Kernel-mode Windows authentication enabled.
>
> Web site works just fine using kerberos authentication (so I know I have all of my IE 7 settings configured correctly). I have tested up to 396 domain-local group memberships. However, when I add my test account to too many universal groups from our child domain, passthrough authentication will fail. I can add a few universal groups (so I know it isn't the trust relationship), but there is some combination of domain-local and universal group memberships that causes the failure.
>
> I have checked the token size using tokensz and am nowhere near the maximum (all of our servers/clients are set to use the maximum kerberos token size). Win2k8 so kerberos is using TCP (rather than UDP... although I tested UDP as well and ran into the ticket-size maximum). Kerberos logging is enabled and doesn't report anything unusual. Kerbtray reports a kerberos ticket for the appropriate SPN. Wfetch using kerberos logs everything the same with or without the Universal group memberships. ASP tracing shows that the page renders. However, the page is supposed to redirect to another page (which it does if I remove the Universal group memberships) and continue. With the Universal group memberships, it just stops after rendering the initial page.
>
> Active Directory group dumps do not show any significant extraneous group memberships (SID history, etc...) to indicate exceeding the maximum number of group memberships allowed for kerberos.
>
> The symptom is this. IE 7 accesses the root URL (which redirects to the application pool's URL) just fine with kerberos authentication. Once redirected to the application pool's URL, IE 7 switches from detecting the page as being in the Intranet zone to being in the Internet zone and reports an HTTP 400 Bad Request error. It does not do this if I remove the extraneous Universal group memberships (so I know my IE 7 client is configured correctly).
>
> I don't know what the magic number of Universal groups is that results in kerberos failing. I just know that I can have some combination of domain-local and universal groups. But, when I add too many universal groups (something like 57), it starts to fail. For example, 292 domain-local groups + 49 universal groups = success. But, 156 domain-local + 57 universal groups = failure.
>
> For those familiar with it, the website being hosted is Citrix Web Interface 5.1.1 and IE 7 is failing on the /Citrix/XenApp/auth/login.aspx page (which should redirect to \Citrix\XenApp\auth\integrated.aspx... and does if I remove enough of the Universal group memberships).
>
> Any/All help is appreciated. Thanks in advance.
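The thread turns on two separate limits that are easy to conflate: the client-side MaxTokenSize that the Kerberos ticket must fit in, and the web server's per-header limit that the same ticket must fit in again after it is base64-encoded into the `Authorization: Negotiate` header. The following is an added example, not code from either poster; it applies Microsoft's published rule-of-thumb estimate (TokenSize = 1200 + 40d + 8s) to the group counts quoted in the thread and then sizes the resulting header line. The two limit constants and the assumption that the child-domain universal groups count as "foreign" are assumptions to adjust for your own environment.

```python
"""Sizing a Kerberos token and the HTTP header that carries it.

Added example; not code from the thread above. It separates the two limits
Ken's reply alludes to: the client-side MaxTokenSize, which the ticket must
fit in, and the web server's per-header limit, which the same ticket must
fit in again after base64 encoding into "Authorization: Negotiate ...".
The group-count estimate is Microsoft's published rule of thumb
TokenSize = 1200 + 40*d + 8*s. The two limit values are assumptions to
replace with the settings in your own environment.
"""
import base64
import math

TOKEN_BASE_BYTES = 1200       # fixed overhead assumed by the rule of thumb
BYTES_PER_D_GROUP = 40        # domain-local, foreign-universal, SID-history entries
BYTES_PER_S_GROUP = 8         # global groups and same-domain universal groups
MAX_TOKEN_SIZE = 12000        # assumed client MaxTokenSize, in bytes
MAX_HEADER_BYTES = 16384      # assumed per-header limit on the web server
HEADER_PREFIX = "Authorization: Negotiate "


def estimate_token_size(domain_local, foreign_universal, global_groups=0,
                        own_universal=0, sid_history=0):
    """Rule-of-thumb token size in bytes from group membership counts."""
    d = domain_local + foreign_universal + sid_history
    s = global_groups + own_universal
    return TOKEN_BASE_BYTES + BYTES_PER_D_GROUP * d + BYTES_PER_S_GROUP * s


def negotiate_header_bytes(token_bytes):
    """Length of the header line once the token is base64-encoded."""
    return len(HEADER_PREFIX) + 4 * math.ceil(token_bytes / 3)


def constructed_header(token_bytes):
    """Constructed sample header: a zero-filled blob of the given raw size."""
    return HEADER_PREFIX + base64.b64encode(bytes(token_bytes)).decode("ascii")


def token_bytes_from_header(header_line):
    """Recover the raw token size from a captured Authorization header."""
    blob = header_line[len(HEADER_PREFIX):].strip()
    padding = len(blob) - len(blob.rstrip("="))
    return len(blob) * 3 // 4 - padding


def check(domain_local, foreign_universal, **group_counts):
    """Compare the estimate against both limits; a False flag is the suspect."""
    token = estimate_token_size(domain_local, foreign_universal, **group_counts)
    header = negotiate_header_bytes(token)
    return {
        "token_bytes": token,
        "header_bytes": header,
        "token_ok": token <= MAX_TOKEN_SIZE,
        "header_ok": header <= MAX_HEADER_BYTES,
    }


if __name__ == "__main__":
    # The two configurations quoted in the thread (the universal groups came
    # from a child domain, so they are counted as foreign-universal here).
    for label, dl, univ in (("success", 292, 49), ("failure", 156, 57)):
        print(label, check(dl, univ))
```

Run on the thread's own figures, the estimate comes out larger for the working configuration (292 + 49 groups) than for the failing one (156 + 57), which matches the poster's report that tokensz showed plenty of headroom. The rule of thumb is therefore not what explains this failure; the number to measure is the real `Authorization` header as captured by a tool such as Wfetch, which `token_bytes_from_header` converts back to raw ticket bytes for comparison against the server-side header limit rather than MaxTokenSize.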