
ASP.NET, IIS 6 Integrated Win Authentication, Domain usage

Author
4 May 2005 12:20 PM
Ethem Azun
Hi,

First of all, I must say that I'm a developer and I have only general
operational knowledge about IIS 6.0.

We have two test web servers; one of them is in domain, and the other is not.
(Both Win 2003, no service packs, we are still examining sp side-effects).

We are trying to install an ASP.NET 1.1 app to both servers. The application
was previously running on Win2000 and Win XP Pro with IIS 5.1 without
problems. The application uses integrated windows authentication with trusted
subdomains (mirror accounts) to connect to a SQL Server running on a Win2k
machine. This machine is also in the same domain but the account used for
mirroring is not a domain account.

On both servers in IIS 6, we created a new Application Pool for our
application and assigned the mirror account as the identity to run the pool.
The account is also added to the IIS_WPG group on the web servers.

When we connect and run the application residing in the server that is not
in the domain, everything works fine. (In this case, we connect to the
application with local user accounts defined on that server.)

If we run it from the server that is in the domain using our domain user
accounts, we continuously get an authentication popup window. I used the
AuthDiag tool and saw an error message saying that the SPN for the mirror
account does not exist in the Active Directory. But I think this is very
normal since the mirror account is not a domain account.

Here comes the first question;

If the web server is in the domain, do I need a domain account to use as the
mirror account? Is it not possible with mirrored local accounts?

I went further and had my admin create a new domain account to use in
mirroring. We've also seen that the same problem occurs with the domain
account but we've found a solution with the SETSPN.exe tool. We've run the
following:

setspn -A HTTP/myserver mydomain\mydomainaccount
setspn -A HTTP/myserver.qualifiedname.com mydomain\mydomainaccount

Then, the popup went away. At least for a while :) In a specific part of the
application, I'm seeing the popup once again! This time I see an error
telling me that the WebUIValidation.js script could not be found. I took a
look at the permissions and see that IIS_WPG has read & execute on it. I even
gave everyone the access to read & execute, but the problem still remains.

I hope I could explain the problem. I will be very glad if anyone can help,
and appreciate any questions.

Thanks,

Ethem

Author
6 May 2005 7:18 AM
David Wang [Msft]
FAQ.

The IIS6 documentation that shows you how to use "Configurable Worker
Process Identity" and add to IIS_WPG actually explicitly calls out this
scenario and how to correctly configure things. Just read the documentation.
I would give you the URL, but it is currently broken on microsoft.com and I
haven't found the new link.

In the local server case, Integrated Windows authentication uses NTLM and
things work as you describe. In the domain case, Integrated Windows
authentication uses Kerberos by default and you need to do the setspn steps
(all documented).

You basically either:
1. Configure Kerberos correctly to get rid of the popups
2. Configure IIS to use NTLM in a domain (less secure)


Windows Server 2000 did not see this because it didn't give you the
configurability to hang yourself:
1. IIS ran as LocalSystem (no need to setspn)
2. ASP.Net controlled the process identity of the managed code

Windows Server 2003 is different because:
1. IIS runs as the configured process identity (if not
LocalSystem/NetworkService, need to setspn)
2. ASP.Net does not control the process identity

Re: Question 1
> If the web server is in the domain, do I need a domain account to
> use as the mirror account? Is it not possible with mirrored local
> accounts?
Not an IIS issue. You are talking about Kerberos, Active Directory, and
machine accounts, none of which have anything to do with IIS. :-)


Re: Question 2
> Then, the popup went away. At least for a while :) In a specific
> part of the application, I'm seeing the popup once again! This
> time I see an error telling me that the WebUIValidation.js script
> could not be found.

This is clearly not the same popup as Question 1. Lack of permissions results
in access denied failures (like the password popups), not "[resource] could
not be found".

Troubleshooting servers starts from log files (since security practices state
that error messages to the user should not be descriptive since that leaks
security information). By default, the .js extension should be downloadable, so
you want to find the request for the WebUIValidation.js script in the log
file and report the log line here.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
Author
9 May 2005 7:41 AM
Ethem Azun
Hi David,

Thanks for the insight.

I've checked the logs (below). To my understanding the request to
"/aspnet_client/system_web/1_1_4322/WebUIValidation.js" fails all the time.
To that directory, Everyone has read access, and the IIS_WPG group (which my
process user is a member of) has additionally Read&Execute and List Folders
rights. Do you see any problems?

Thanks,

Ethem


2005-05-09 07:21:09 172.16.101.98 GET /Kern.Mailfactory/Processes/SystemAdministration/UserManagement/UserWorkerPopUpPage.aspx Mode=Edit&User_Id=777 443 - 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 2 2148074254
2005-05-09 07:21:09 172.16.101.98 GET /Kern.Mailfactory/Processes/SystemAdministration/UserManagement/UserWorkerPopUpPage.aspx Mode=Edit&User_Id=777 443 KERNCH01\AzunEthe 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 200 0 0
2005-05-09 07:21:09 172.16.101.98 GET /Kern.Mailfactory/LookAndFeel/StyleSheets/default.css - 443 - 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 2 2148074254
2005-05-09 07:21:09 172.16.101.98 GET /Kern.Mailfactory/LookAndFeel/StyleSheets/default.css - 443 KERNCH01\AzunEthe 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 200 0 0
2005-05-09 07:21:09 172.16.101.98 GET /Kern.Mailfactory/LookAndFeel/3rdParty/Infragistics/scripts/ig_shared.js - 443 - 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 2 2148074254
2005-05-09 07:21:09 172.16.101.98 GET /Kern.Mailfactory/LookAndFeel/3rdParty/Infragistics/scripts/ig_shared.js - 443 KERNCH01\AzunEthe 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 200 0 0
2005-05-09 07:21:09 172.16.101.98 GET /aspnet_client/system_web/1_1_4322/WebUIValidation.js - 443 - 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 2 2148074254
2005-05-09 07:21:09 172.16.101.98 GET /aspnet_client/system_web/1_1_4322/WebUIValidation.js - 443 - 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 1 0
2005-05-09 07:21:09 172.16.101.98 GET /aspnet_client/system_web/1_1_4322/WebUIValidation.js - 443 - 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 1 0
2005-05-09 07:21:17 172.16.101.98 GET /Kern.Mailfactory/LookAndFeel/3rdParty/Infragistics/scripts/ig_WebGrid_dom.js - 443 - 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 2 2148074254
2005-05-09 07:21:17 172.16.101.98 GET /Kern.Mailfactory/LookAndFeel/3rdParty/Infragistics/scripts/ig_WebGrid_dom.js - 443 KERNCH01\AzunEthe 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 200 0 995
2005-05-09 07:21:17 172.16.101.98 GET /Kern.Mailfactory/LookAndFeel/3rdParty/Infragistics/scripts/ig_WebGrid_kb.js - 443 - 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 2 2148074254
2005-05-09 07:21:17 172.16.101.98 GET /Kern.Mailfactory/LookAndFeel/3rdParty/Infragistics/scripts/ig_WebGrid_kb.js - 443 KERNCH01\AzunEthe 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 200 0 0
2005-05-09 07:21:17 172.16.101.98 GET /Kern.Mailfactory/LookAndFeel/3rdParty/Infragistics/scripts/ig_WebGrid.js - 443 - 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 2 2148074254
2005-05-09 07:21:17 172.16.101.98 GET /Kern.Mailfactory/LookAndFeel/3rdParty/Infragistics/scripts/ig_WebGrid.js - 443 KERNCH01\AzunEthe 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 200 0 995
2005-05-09 07:21:17 172.16.101.98 GET /Kern.Mailfactory/LookAndFeel/3rdParty/Infragistics/scripts/ig_WebGrid_ie6.js - 443 - 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 2 2148074254
2005-05-09 07:21:17 172.16.101.98 GET /Kern.Mailfactory/LookAndFeel/3rdParty/Infragistics/scripts/ig_WebGrid_ie6.js - 443 KERNCH01\AzunEthe 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 200 0 0
2005-05-09 07:21:17 172.16.101.98 GET /Kern.Mailfactory/LookAndFeel/3rdParty/Infragistics/scripts/ig_WebGrid_srt.js - 443 - 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 2 2148074254
2005-05-09 07:21:17 172.16.101.98 GET /Kern.Mailfactory/LookAndFeel/3rdParty/Infragistics/scripts/ig_WebGrid_srt.js - 443 KERNCH01\AzunEthe 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 200 0 0
2005-05-09 07:21:17 172.16.101.98 GET /Kern.Mailfactory/LookAndFeel/3rdParty/Infragistics/scripts/ig_WebGrid_ie.js - 443 - 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 2 2148074254
2005-05-09 07:21:17 172.16.101.98 GET /Kern.Mailfactory/LookAndFeel/3rdParty/Infragistics/scripts/ig_WebGrid_ie.js - 443 KERNCH01\AzunEthe 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 200 0 0
2005-05-09 07:21:17 172.16.101.98 GET /Kern.Mailfactory/LookAndFeel/3rdParty/Infragistics/scripts/ig_webtoolbar2_2.js - 443 - 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 2 2148074254
2005-05-09 07:21:17 172.16.101.98 GET /Kern.Mailfactory/LookAndFeel/3rdParty/Infragistics/scripts/ig_webtoolbar2_2.js - 443 KERNCH01\AzunEthe 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 200 0 0
2005-05-09 07:21:17 172.16.101.98 GET /Kern.Mailfactory/LookAndFeel/Images/ContentImages/ActionButtons/save.gif - 443 - 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 2 2148074254
2005-05-09 07:21:17 172.16.101.98 GET /Kern.Mailfactory/LookAndFeel/Images/ContentImages/ActionButtons/delete.gif - 443 - 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 2 2148074254
2005-05-09 07:21:17 172.16.101.98 GET /Kern.Mailfactory/LookAndFeel/Images/ContentImages/ActionButtons/delete.gif - 443 KERNCH01\AzunEthe 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 200 0 0
2005-05-09 07:21:17 172.16.101.98 GET /Kern.Mailfactory/LookAndFeel/Images/ContentImages/ActionButtons/save.gif - 443 KERNCH01\AzunEthe 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 200 0 0
2005-05-09 07:21:18 172.16.101.98 GET /Kern.Mailfactory/LookAndFeel/3rdParty/Infragistics/images/ig_tblBlank.gif - 443 - 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 2 2148074254
2005-05-09 07:21:18 172.16.101.98 GET /Kern.Mailfactory/LookAndFeel/3rdParty/Infragistics/images/ig_tblBlank.gif - 443 KERNCH01\AzunEthe 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 200 0 0
2005-05-09 07:21:18 172.16.101.98 GET /Kern.Mailfactory/LookAndFeel/Images/ContentImages/ActionButtons/cancel.gif - 443 - 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 2 2148074254
2005-05-09 07:21:18 172.16.101.98 GET /Kern.Mailfactory/LookAndFeel/Images/ContentImages/ActionButtons/cancel.gif - 443 KERNCH01\AzunEthe 172.16.96.215 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 200 0 0


Author
9 May 2005 8:59 AM
Ethem Azun
Ok, got it. It was because Anonymous access was missing on the aspnet_client
directory.

I assume this should not pose any security threat.(?)

Thanks,

Ethem
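
The log reading that resolved this thread, as an added example (not code from any poster): the script below groups IIS W3C log records by URL and reports the URLs that were challenged with 401 but never served. The field order is assumed from the 13 columns in the log posted above, the sample records are constructed (documentation IP addresses and a made-up EXAMPLE\user1 account), and one sample record is line-wrapped on purpose, the way a newsreader wraps pasted logs.

```python
import re

# Assumed field order: the 13 columns visible in the log posted in this thread
# (no "#Fields:" header was posted, so this mapping is an assumption).
FIELDS = ("date", "time", "s_ip", "method", "uri_stem", "uri_query", "s_port",
          "username", "c_ip", "user_agent", "status", "substatus", "win32_status")

# A record starts with "YYYY-MM-DD HH:MM:SS "; anything else is a wrapped tail.
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s")

# Constructed sample modelled on the thread's log; the third record is wrapped.
SAMPLE_LOG = r"""
2005-05-09 07:21:09 192.0.2.10 GET /app/Page.aspx Mode=Edit 443 - 192.0.2.50 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 2148074254
2005-05-09 07:21:09 192.0.2.10 GET /app/Page.aspx Mode=Edit 443 EXAMPLE\user1 192.0.2.50 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2005-05-09 07:21:09 192.0.2.10 GET
/app/styles/default.css - 443 - 192.0.2.50
Mozilla/4.0+(compatible;+MSIE+6.0) 401 2
2148074254
2005-05-09 07:21:09 192.0.2.10 GET /app/styles/default.css - 443 EXAMPLE\user1 192.0.2.50 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2005-05-09 07:21:09 192.0.2.10 GET /aspnet_client/system_web/1_1_4322/WebUIValidation.js - 443 - 192.0.2.50 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 2148074254
2005-05-09 07:21:09 192.0.2.10 GET /aspnet_client/system_web/1_1_4322/WebUIValidation.js - 443 - 192.0.2.50 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 0
2005-05-09 07:21:09 192.0.2.10 GET /aspnet_client/system_web/1_1_4322/WebUIValidation.js - 443 - 192.0.2.50 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 0
"""


def rejoin_wrapped(text):
    """Rebuild one-record-per-line from a log that was wrapped at whitespace."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and W3C directives
            continue
        if RECORD_START.match(line):
            if current is not None:
                records.append(current)
            current = line
        elif current is not None:              # continuation of the previous record
            current += " " + line
    if current is not None:
        records.append(current)
    return records


def parse_record(record):
    """Split one record into named fields; return None if it does not fit."""
    parts = record.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["status"] = int(rec["status"])
        rec["substatus"] = int(rec["substatus"])
    except ValueError:
        return None
    return rec


def stuck_on_401(log_text):
    """Map each URL that got 401s and no successful response to its 401.x sequence.

    A single 401.2 with no user name followed by a 200 under a user name is the
    normal challenge/response of Integrated Windows authentication when
    anonymous access is off. A URL that only ever shows 401 (for example 401.2
    and then repeated 401.1, "logon failed") is the one producing the popup.
    """
    outcomes = {}
    for record in rejoin_wrapped(log_text):
        rec = parse_record(record)
        if rec is None:
            continue
        seen = outcomes.setdefault(rec["uri_stem"], {"denied": [], "served": False})
        if rec["status"] == 401:
            seen["denied"].append("401.%d" % rec["substatus"])
        elif rec["status"] < 400:
            seen["served"] = True
    return {uri: v["denied"] for uri, v in outcomes.items()
            if v["denied"] and not v["served"]}


if __name__ == "__main__":
    for uri, codes in stuck_on_401(SAMPLE_LOG).items():
        print(uri, "->", " ".join(codes))
```

On a busy server, grouping by client address as well as URL keeps one client's failures from being masked by another client's success.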

