IIS6 NT Authentication fails

I just rebuilt my win2k3 pc and in rebuilding my web sites I can't get nt authentication to work for any web app on any web site: all worked correctly before the rebuild. Here are some of the details of how my pc is set up and the problem:

- My pc is win2k3 sp1
- I am an administrator on my pc
- I have multiple web sites on my pc (only used for local development)
- Each site has a unique ip address (host headers are not used).
- Each site ip address and name are listed in my "host" file.
- I have set certain web apps to require nt auth: in iis anonymous is unchecked and the group "authenticated users" has permissions to the folder for each web app which requires nt auth.
- When I attempt to access the web app using a named url (i.e. http://myweb/myapp) I get an nt login dialog window and no matter what I enter I am just locked into that dialog window (it is not accepting my login). If I close the dialog I get a 401.1 error. I have security auditing on and I get an event 537 with the following information (I substituted "my..." below for privacy i.e. domain: mydomain):

  Event Type: Failure Audit
  Event Source: Security
  Event Category: Logon/Logoff
  Event ID: 537
  Date: 7/14/2005
  Time: 4:47:32 PM
  User: NT AUTHORITY\SYSTEM
  Computer: mywid
  Description: Logon Failure:
  Reason: An error occurred during logon
  User Name: myuser
  Domain: mydomain
  Logon Type: 3
  Logon Process: Ðù¢
  Authentication Package: NTLM
  Workstation Name: mywid
  Status code: 0xC000006D
  Substatus code: 0x0
  Caller User Name: -
  Caller Domain: -
  Caller Logon ID: -
  Caller Process ID: -
  Transited Services: -
  Source Network Address: 192.168.0.11
  Source Port: 1259

  IIS Log shows this:

  #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
  2005-07-15 00:16:09 192.168.0.11 GET /Default.aspx - 80 - 192.168.0.11 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 302 0 0
  2005-07-15 00:16:09 192.168.0.11 GET /portal/NTSecurity/NTLogon.aspx /Default.aspx 80 - 192.168.0.11 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254
  2005-07-15 00:16:09 192.168.0.11 GET /portal/NTSecurity/NTLogon.aspx /Default.aspx 80 - 192.168.0.11 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 401 1 0
  2005-07-15 00:16:09 192.168.0.11 GET /portal/NTSecurity/NTLogon.aspx /Default.aspx 80 - 192.168.0.11 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 401 1 2148074252

- If I access the site using the ip address http://192.168.0.11/myapp I get the nt login dialog but it will accept what I enter and I can get to the application (note...in testing, my application is just a simple html page).
- This is not unique to a specific web app or web site on my pc. I have the same problem for all apps/sites which require nt auth (the apps which do not require nt auth have no problem).
- Prior to my machine rebuild this all worked correctly and I did not get a login dialog....it just accepted my domain credentials.
- I am not using FP extensions.
- All of the web sites folders are under c:\inetpub i.e. c:\inetpub\site1, c:\inetpub\site2.....
- Since this is after a pc rebuild, my web site folders were saved to another location prior to rebuild and I copied them back afterwards. I relinked each site to iis by using iis console, adding each site and specifying the folder and ip address for each site (I have checked that the ip address in iis matches the one in my host file).
- Again note, I am an administrator on this pc and I am the one attempting to access the apps/sites.

With all this info can anyone tell me why nt auth for iis might not work????

Thanks
Brad

Hi Brad,
Currently I have two suggestions on the troubleshooting for you:

1. Since the IP url could logon successfully, I think the DNS configuration of the site url may cause the failure of NTLM authentication. We could use the WFetch from IIS resource kit to capture the http trace. Please capture two traces by using IP logon and DNS url logon.

IIS resource kit
http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&DisplayLang=en

2. One authentication and Access Control Diagnostics tool is released by Microsoft this year. We could monitor the authentication process to analyze the failure. At the home page of this Diagnostics tool, please choose the option "Monitor URL Failures" from the list box "Tasks". Then specify one site URL then, select "continue?". Then click the button "Start Diagnostics". Diagnostics tool will record the authentication; after the monitoring, the button "Analyze Results" may provide more information.

AuthDiag
http://www.microsoft.com/downloads/details.aspx?FamilyId=E90FE777-4A21-4066-BD22-B931F7572E9A&displaylang=en

Look forward to your troubleshooting result! It is my pleasure to be of any assistance.

Best Regards,
Wei-Dong XU
Microsoft Product Support Services
This posting is provided "AS IS" with no warranties, and confers no rights.

This sounds like a variation of:
http://support.microsoft.com/?id=896861

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

Workaround #1 in that kb article (896861) resolved the problem. Thank you
very much! I had been able to enable NTLM security using the workaround in http://support.microsoft.com/?id=871179, but I could not get kerberos to work (http://support.microsoft.com/?id=215383). I removed the NTAuthenticationProviders metabase entry created by these workarounds (by default no NTAuthenticationProviders entry existed) and applied the workaround per the kb article you provided (896861) and security is working now.

Thanks again.
Brad
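
The IIS log excerpt from the question, read mechanically (an added example, not part of any post in the thread): the script parses W3C extended log lines by their #Fields header and reports 401.1 responses where c-ip equals s-ip, the pattern the question's log shows when a site is browsed by name on the server itself. The function names, the shortened user agent and the final sample row are assumptions made for the example.

```python
# Added example, not from the thread: flag 401.1 responses to requests that
# come from the server's own address in an IIS W3C extended log.

# SSPI HRESULTs that IIS records (in decimal) in sc-win32-status.
SSPI_STATUS = {0x8009030C: "SEC_E_LOGON_DENIED", 0x8009030E: "SEC_E_NO_CREDENTIALS"}

# Constructed sample shaped like the excerpt in the question; the user agent is
# shortened and the last row (a different client, 192.168.0.50) is invented.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-07-15 00:16:09 192.168.0.11 GET /Default.aspx - 80 - 192.168.0.11 Mozilla/4.0+(compatible;+MSIE+6.0) 302 0 0
2005-07-15 00:16:09 192.168.0.11 GET /portal/NTSecurity/NTLogon.aspx /Default.aspx 80 - 192.168.0.11 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 2148074254
2005-07-15 00:16:09 192.168.0.11 GET /portal/NTSecurity/NTLogon.aspx /Default.aspx 80 - 192.168.0.11 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 0
2005-07-15 00:16:09 192.168.0.11 GET /portal/NTSecurity/NTLogon.aspx /Default.aspx 80 - 192.168.0.11 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 2148074252
2005-07-15 00:17:02 192.168.0.11 GET /portal/NTSecurity/NTLogon.aspx - 80 - 192.168.0.50 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 2148074252
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif fields and not line.startswith("#") and len(line.split()) == len(fields):
            yield dict(zip(fields, line.split()))


def describe_win32(code):
    """Name a known SSPI status, otherwise show the value as 32-bit hex."""
    code = int(code)
    return SSPI_STATUS.get(code, "0x%08X" % code)


def local_logon_failures(text):
    """Return (uri, status) for each 401.1 whose client IP is the server IP."""
    hits = []
    for row in parse_w3c(text):
        if ((row["sc-status"], row["sc-substatus"]) == ("401", "1")
                and row["c-ip"] == row["s-ip"]):
            hits.append((row["cs-uri-stem"], describe_win32(row["sc-win32-status"])))
    return hits


if __name__ == "__main__":
    for uri, status in local_logon_failures(SAMPLE_LOG):
        print(uri, status)
```
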