Kerberos from XP to IIS hosting ASP.NET 2.0 Web Service help

"Brian Cobb" <BrianC***@discussions.microsoft.com> wrote in message news:A4CBB565-5A23-4868-B185-C98690DC42A8@microsoft.com:

I am trying to get Basic Kerberos Auth to work.

The client, middle-tier, and back-end servers are all in the same Windows 2000 functional level domain. All 3 are trusted for delegation. The account used for testing has domain admin privileges on the domain, and admin privileges on all 3 boxes. The account is also marked as being trusted for delegation.

The client is an XP machine.

The middle-tier is Win2003SE running IIS6 and MDAC2.7. The website is named irr.uams.edu which differs from the computer name, OAC3. These SPNs are registered on the server:

HOST/irr.uams.edu
HTTP/OAC3.vcaa.ad.uams.edu
HTTP/OAC3
HTTP/irr.uams.edu
SMTPSVC/OAC3.vcaa.ad.uams.edu
SMTPSVC/OAC3
HOST/OAC3
HOST/OAC3.vcaa.ad.uams.edu

The folder hosting the web service is only accessible via Integrated Auth and anonymous access is disabled. IIS is running under the SYSTEM account. The local security policy allows SYSTEM to Act as part of the operating system and to impersonate a client after authentication.

I have tested connecting with an ASP.NET 2.0 console application and IE6 from the client machine.

When I code the console app to use Negotiate authentication, I fail to connect to the SQL server with the message "Login failed for user NT AUTHORITY/Anonymous". In addition the files captured by Network Monitor have these entries generated by the exchange between client and IIS box:

Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET

When I code the console app to use Kerberos I always get a 401 unauthorized error and the same headers. I have also tried using IE6 (Integrated Authentication turned on, irr.uams.edu in the local intranet zone, etc.) with the same results.

Servers are all within 5 minutes of each other and DC. Net engineering tells me that Kerberos is not blocked. Any ideas on what else I should check appreciated.

Thanks.

"Ken Schaefer" wrote:

Some things that weren't mentioned in your post:

a) What user account is the web application pool running under? If it is running under a custom account, you need to register an SPN under that account, not the computer account in AD.

b) What SPNs do you have registered for the *SQL Server*? What user account is SQL Server running under? What port?

c) Looking in the IIS server's security event log, have you verified that the actual logon is using Kerberos? Or is it using NTLM?

Cheers
Ken

--
IIS Blog: http://www.adOpenStatic.com/cs/blogs/ken

"Brian Cobb" <BrianC***@discussions.microsoft.com> wrote in message news:0DD74468-AEE5-4E9F-81A2-AEC269B2B064@microsoft.com:

Thank you for your response.
The application pool is running under the local system account.

The SQL SPNs are:

MSSQLSvc/OAC2:1433
MSSQLSvc/OAC2.vcaa.ad.uams.edu:1433
MSOLAPSvc/OAC2
MSOLAPSvc/OAC2.vcaa.ad.uams.edu
SMTPSVC/OAC2
SMTPSVC/OAC2.vcaa.ad.uams.edu
HOST/OAC2
HOST/OAC2.vcaa.ad.uams.edu

The SQL service is NOT running under local system. Instead it is using a local account. I don't think this is a problem, though (yet). I also neglected to mention in my first mail that the web app attempts to open a connection on the SQL server. It is at that point I see the "Login failed for user NT AUTHORITY/Anonymous" message. Maybe I'm misinterpreting what's happening, but it seems that I am authenticating to the webservice as an Anonymous user. And an anonymous user can't open a db connection because he has no db rights. Should I replace my local account on the SQL box with a domain account?

I'm not sure which account you mean in item c. If you mean the user login, it can authenticate only using NTLM. Trying to authenticate via Kerberos makes the 401 error happen.

"Ken Schaefer" wrote:

Hi,
a) If your MS SQL Server is running under a custom /local/ account, then I'm not sure how Kerberos authentication is supposed to work. The IIS server needs to get a Kerberos ticket for the remote service (namely SQL Server). The ticket needs to be encrypted with a password that the remote SQL Server can decrypt. If SQL Server is running under a domain account, then the SPN can be registered under the domain account. If the SQL Server is running under LocalSystem, then the SPN can be registered under the computer account in AD. If you are running SQL Server in a workgroup, or under a local account, I don't think Kerberos is going to work.

b) No, you are not authenticating to IIS as anonymous. What is happening is that you are authenticating using whatever credentials you have supplied. However the next hop (from IIS to SQL Server) is anonymous. This is because IIS is not able to get an appropriate Kerberos ticket to connect to the remote server as your user account (remember, IIS doesn't have your username/password, so it can't just connect as you).

c) If the authentication from XP -> IIS is NTLM, then Kerberos is not going to work from IIS -> SQL Server. NTLM is not delegatable (i.e. an authentication by NTLM cannot then be delegated another hop to a remote service). You need to authenticate using Kerberos between XP and IIS. Get it working using a web browser first, then let's worry about how to get your application working.

Cheers
Ken

--
IIS Blog: http://www.adOpenStatic.com/cs/blogs/ken

"Brian Cobb" wrote:

Thanks for your response.
It is an issue with the SQL server running under a local account. Changing to a domain account trusted for delegation and configuring SPNs for SQL under the account allowed the console app to work.
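Ken's checks (a) and (c) can be scripted as a triage pass over the two hops. The following is an added Python example, not code from the thread or from Ken or Brian: it parses Security event log text in the layout of the Windows Server 2003 event 540 "Successful Network Logon" message (the sample events, user and workstation are constructed) and flags NTLM network logons, which cannot be delegated onward, then checks whether the back-end SPN can be bound to a principal that can decrypt a service ticket. Only the SPN MSSQLSvc/OAC2.vcaa.ad.uams.edu:1433 and the account kinds come from the thread; the function names are mine.

```python
import re
# Constructed sample in the layout of Windows Server 2003 event 540
# ("Successful Network Logon") as shown in Event Viewer; not from the thread.
SAMPLE_EVENTS = """\
Successful Network Logon:
    User Name: bcobb
    Domain: VCAA
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: XPCLIENT

Successful Network Logon:
    User Name: bcobb
    Domain: VCAA
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name:
"""
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$")

def parse_events(text):
    """One dict of 'Field: value' pairs per blank-line-separated event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m and m.group(1).strip() != "Successful Network Logon":
                fields[m.group(1).strip()] = m.group(2).strip()
        if fields:
            events.append(fields)
    return events

def non_delegable_logons(events):
    """Network logons (type 3) that arrived via NTLM: IIS holds no Kerberos
    ticket for these callers, so its own hop to SQL Server goes out anonymous."""
    return [e for e in events
            if e.get("Logon Type") == "3"
            and e.get("Authentication Package", "").upper() == "NTLM"]

def spn_binding_check(account_kind, spns, required_spn):
    """Can the back-end SPN be tied to a principal able to decrypt a service ticket?
    account_kind: 'LocalSystem' (SPN on the computer account), 'domain' (SPN on the
    service account) or 'local' (machine-local user, the thread's original SQL setup)."""
    holder = {"LocalSystem": "the computer account",
              "domain": "the service's domain account"}
    if account_kind not in holder:
        return False, f"service runs as {account_kind!r}: no AD principal can hold its SPN"
    if required_spn not in spns:
        return False, f"{required_spn} is not registered on {holder[account_kind]}"
    return True, f"{required_spn} is registered on {holder[account_kind]}"

def diagnose(event_text, account_kind, spns, required_spn):
    """Both checks as a list of findings; an empty list means both hops look right."""
    findings = []
    for e in non_delegable_logons(parse_events(event_text)):
        findings.append(f"NTLM logon for {e.get('Domain')}\\{e.get('User Name')} from "
                        f"{e.get('Workstation Name') or '?'}: cannot be delegated")
    ok, reason = spn_binding_check(account_kind, spns, required_spn)
    if not ok:
        findings.append("back-end SPN: " + reason)
    return findings
```

Run against an export of the web server's Security log and the output of `setspn -L` for the SQL service account, the findings list reproduces Ken's two reasons for the anonymous second hop.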