Service principal name (SPN) / Active Directory Problem

I'm having problems getting a web application working -- it's throwing a 403 error.

I ran AuthDiag to determine what was wrong, and it's giving me the message:

Service principal name (SPN) for user 'DOMAIN\MACHINE_asp' not found in Active Directory

Is there something I can run (preferably from the command line) to add this MACHINE_asp user into Active Directory?

--
Thanks.


You should not add SPNs unless there is a need to do so.

Firstly, what are the relevant log file entries for the requests in question (assuming IIS 6.0)?

Secondly, after you disable "Show Friendly HTTP Errors" in IE, and reload the page, what is the full error message you see on the screen? 403 errors can occur for lots of reasons - we need to find out which one is the real underlying cause.

Basically an SPN (Service Principal Name) allows Kerberos Authentication to work - it allows Active Directory to create service tickets for particular services, and allows the remote service to decrypt the ticket. However, adding additional SPNs can also break Kerberos AuthN, because Active Directory does not know who the end user account is. So, don't add any unless necessary.

Cheers
Ken

"RCarbol" <rcarbol@nospam.nospam> wrote in message news:74CC07B1-C59B-4299-956A-70C6A494E2FE@microsoft.com...


"Ken Schaefer" wrote:
> Firstly, what are the relevant log file entries for the requests in question
> (assuming IIS 6.0)?

2006-05-16 15:33:57 142.15.29.115 GET /VssAdmin - 80 - 142.15.48.132 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 2 2148074254
2006-05-16 15:33:57 142.15.29.115 GET /VssAdmin - 80 - 142.15.48.132 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 1 0
2006-05-16 15:33:57 142.15.29.115 GET /VssAdmin - 80 - 142.15.48.132 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 1 0
2006-05-16 15:34:06 142.15.29.115 GET /VssAdmin - 80 - 142.15.48.132 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 1 0
2006-05-16 15:34:06 142.15.29.115 GET /VssAdmin - 80 - 142.15.48.132 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 1 0

> Secondly, after you disable "Show Friendly HTTP Errors" in IE, and reload
> the page, what is the full error message you see on the screen? 403 errors
> can occur for lots of reasons - we need to find out which one is the real
> underlying cause.

Sorry, misreported the error earlier -- it's actually a 401.1 error.

This is an intranet site, as you may have gathered.

Thanks again.


Hi,

OK, since we have 401 not 403 errors, we need to follow different troubleshooting steps. Can you look in the Windows Security Event Log on the server, and locate the relevant logon failure events? We need to see what authentication package (NTLM or Kerberos) is being used. The relevant event should also have some information on why the logon is failing. Can you find the relevant event, and paste it here please? Depending on which AuthN package is being used, we need to troubleshoot that.

Cheers
Ken

"RCarbol" <rcarbol@nospam.nospam> wrote in message news:9D5FB9E7-B7AF-433A-B9C3-9C209C5715AA@microsoft.com...


"Ken Schaefer" wrote:
> Can you look in the Windows Security Event Log on the server, and locate the
> relevant logon failure events. We need to see what authentication package
> (NTLM or Kerberos) is being used. The relevant event should also have some
> information on why the logon is failing.

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 2006/05/17
Time: 2:59:34 PM
User: NT AUTHORITY\SYSTEM
Computer: WEBTEST3
Description:
Logon Failure:
  Reason: Unknown user name or bad password
  User Name:
  Domain:
  Logon Type: 3
  Logon Process: Kerberos
  Authentication Package: Kerberos
  Workstation Name: -
  Caller User Name: -
  Caller Domain: -
  Caller Logon ID: -
  Caller Process ID: -
  Transited Services: -
  Source Network Address: 142.15.48.132
  Source Port: 1348

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

--RC


Hi,

403 is not an authentication error. We should gather IIS log files to determine the exact 403 error code (with subcode). This will help you address the actual problem. Below are all 403.x codes we defined in IIS:

403 - Forbidden. IIS defines a number of different 403 errors that indicate a more specific cause of the error:

403.1 - Execute access forbidden.
403.2 - Read access forbidden.
403.3 - Write access forbidden.
403.4 - SSL required.
403.5 - SSL 128 required.
403.6 - IP address rejected.
403.7 - Client certificate required.
403.8 - Site access denied.
403.9 - Too many users.
403.10 - Invalid configuration.
403.11 - Password change.
403.12 - Mapper denied access.
403.13 - Client certificate revoked.
403.14 - Directory listing denied.
403.15 - Client Access Licenses exceeded.
403.16 - Client certificate is untrusted or invalid.
403.17 - Client certificate has expired or is not yet valid.
403.18 - Cannot execute requested URL in the current application pool. This error code is specific to IIS 6.0.
403.19 - Cannot execute CGIs for the client in this application pool. This error code is specific to IIS 6.0.
403.20 - Passport logon failed. This error code is specific to IIS 6.0.

Please collect the recent log files in the \System32\LogFiles\W3SVC[n]\ directory (n here is the Site ID, which can be viewed in the right panel by clicking the Web Sites folder in IIS) and paste the records with 403 errors here.

Thanks.

Best regards,
WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no rights.


Hi,

OK, so we are using Kerberos here. Can you tell me the following details of your configuration?

a) The URL that is being used to access the web page - are you using http://servername or http://servername.domain.com? Or are you using some kind of DNS alias?

b) The website's web application pool: what user context is it being run under? Is it Network Service? Or a custom user context?

The answers to the two questions above will tell us what SPNs need to be registered (if any) and under what user/computer accounts.

c) Lastly, can you enable Kerberos logging on the IIS box, and post the relevant event log entries? Thanks
http://support.microsoft.com/?id=262177

Cheers
Ken

"RCarbol" <rcarbol@nospam.nospam> wrote in message news:7202FB21-19BF-4DDB-92D5-42861C458E0B@microsoft.com...


I'm still working at this -- I'll let you know the results as soon as I can.


Ken Schaefer wrote:
> a) The URL that is being used to access the web page - are you using
> http://servername or http://servername.domain.com? Or are you using some
> kind of DNS alias?

We're using http://servername within an intranet. Does it make a difference?

> b) The website's web application pool: what user context is it being run
> under? Is it Network Service? Or a custom user context?

I think it must be some custom user; the Identity is set to an account of the form [domain]\webtest3_asp

> c) Lastly, can you enable Kerberos logging on the IIS box, and post the
> relevant event log entries? Thanks
> http://support.microsoft.com/?id=262177

Done. Two events reported when I tried to hit the website:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 2006/05/30
Time: 10:22:43 AM
User: NT AUTHORITY\SYSTEM
Computer: WEBTEST3
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Logon account: [domain]/[my account]
  Source Workstation: VE657818
  Error Code: 0xC0000064

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 2006/05/30
Time: 10:22:43 AM
User: NT AUTHORITY\SYSTEM
Computer: WEBTEST3
Description:
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: [domain]/[my account]
  Domain:
  Logon Type: 3
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Workstation Name: VE657818
  Caller User Name: -
  Caller Domain: -
  Caller Logon ID: -
  Caller Process ID: -
  Transited Services: -
  Source Network Address: 142.15.48.132
  Source Port: 2384

Thanks,
Roger


Hi,

Thanks for the information. At the very least: you will need to register SPNs for HTTP/servername and HTTP/servername.domain.com under the Domain\WebTest3_asp account. Alternatively you can register the HOST/servername and HOST/servername.domain.com SPNs.

You can use the SetSPN tool from the Windows Resource Kit to do this:
http://support.microsoft.com/kb/892777

Or you can use ADSIEdit.msc (this is a GUI tool, if you prefer to be able to see the current SPNs, and just copy the relevant information across):
http://technet2.microsoft.com/WindowsServer/en/Library/ebca3324-5427-471a-bc19-9aa1decd3d401033.mspx?mfr=true

Note: All web applications residing at the location http://servername must be running in one (or more) app pools that have the same identity (WebTest3_asp). You can't have apps running in app pools with different identities (e.g. http://servername/app1 -> WebTest3_asp, and http://servername/webapp2 running in an app pool under Network Service).

The two events that you see are logon/logoff failure auditing events. You should have got more events related to Kerberos issues (did you restart the box after setting the reg key?)

Cheers
Ken

<rcar***@home.com> wrote in message news:1149006824.105733.277650@38g2000cwa.googlegroups.com...
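As an added check (not part of the thread or any poster's own tooling), the PowerShell below audits the SPN state Ken describes: for each HTTP SPN the site needs, it reports whether the app-pool account holds it, whether nobody holds it, or whether more than one account holds it (the duplicate case that breaks Kerberos). It only reads Active Directory; the server name webtest3, the FQDN webtest3.domain.com and the account webtest3_asp are assumed placeholders to adjust.

```powershell
# Added audit example; assumed placeholders, change to match your site and app pool.
$Server       = 'webtest3'              # short name used in http://servername
$Fqdn         = 'webtest3.domain.com'   # FQDN form, if users also browse that way
$PoolIdentity = 'webtest3_asp'          # sAMAccountName of the app-pool identity

$expectedSpns = @("HTTP/$Server", "HTTP/$Fqdn")

function Get-SpnHolders([string]$spn) {
    # DirectorySearcher against the current domain. servicePrincipalName is an
    # indexed attribute, so an equality filter on it is cheap.
    $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
    $searcher.PropertiesToLoad.Add('sAMAccountName') | Out-Null
    $searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] }
}

foreach ($spn in $expectedSpns) {
    $holders = @(Get-SpnHolders $spn)
    switch ($holders.Count) {
        0 {
            # Nobody holds it: the KDC cannot issue a ticket for this name.
            Write-Output "MISSING    $spn -> setspn -A $spn DOMAIN\$PoolIdentity"
        }
        1 {
            if ($holders[0] -ieq $PoolIdentity) {
                Write-Output "OK         $spn is on $($holders[0])"
            } else {
                # Registered, but on an account the app pool does not run as.
                Write-Output "WRONG ACCT $spn is on $($holders[0]); pool runs as $PoolIdentity"
            }
        }
        default {
            # Same SPN on several accounts: Kerberos AuthN fails for all of them.
            Write-Output "DUPLICATE  $spn on: $($holders -join ', ')"
        }
    }
}

# What the app-pool account currently has registered (same view as setspn -L).
$acct = ([adsisearcher]"(sAMAccountName=$PoolIdentity)").FindOne()
if ($acct) { $acct.Properties['serviceprincipalname'] }
else       { Write-Output "Account $PoolIdentity not found in this domain" }
```

Run it from a domain-joined machine as a user who can read AD; the setspn command it prints is the fix, but only apply it once the MISSING case is confirmed and no DUPLICATE is reported.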