Kerberos timeout with IIS6, ASP.Net and SQLServer

I've been struggling with a problem for the last two months that is almost driving me nuts...

We have a traditional ASP.Net 1.1 web site accessing a SQL2000 database using delegation and a trusted connection. I have seen many posts regarding this setup, and we had quite some trouble getting it all working ourselves. Users could finally access the web server and pull data from the database, fully authenticated through Kerberos and Integrated Windows Authentication.

The problem is:
- After a user has been inactive for anything from a few minutes to half an hour, the connection with the database is broken and it responds with the well-known "login failed for user (null)" error.

Some more facts:
- The connection with the web server works fine, and as long as the exception is trapped in the code, all pages are displayed (as intended when a db connection is unavailable, that is)
- I got a feeling that the Kerberos ticket is expiring and the web server doesn't bother asking the client for a new one.
- We do have trust for delegation set up in the AD for the web server to access any resource
- We do have a HTTP/fqdm SPN set up in AD

Questions:
- Any suggestions as to what this might be caused by?
- Would we need a SPN for the DB server too? (This is just accessed through the netbios name)
- Do you know of any Kerberos-related settings that would make the initial authentication work, but connections fail at a later point?

One more thing... The very same problem was posted unanswered here in several newsgroups about a year ago:
http://groups.google.com/group/microsoft.public.adsi.general/browse_thread/thread/d53ecbeaa94af2d3/133e72c9029b8b32?lnk=st&q=kerberos+timeout+iis6&rnum=4#133e72c9029b8b32

This posting describes a bit more what has been tried and not. I have done very much the same approach, with no more luck than that guy.

(I have not found any other postings that I can tell are describing the same problem as mine)

Any help on this matter is most appreciated.

Regards,
Roar Fredriksen
Systems Engineer
Omega Project Solutions Inc

Hi,
Can you enable Kerberos audit logging on the IIS box, and post the relevant events that are being logged when the problems start occurring?

http://support.microsoft.com/?id=262177

Cheers
Ken

<roarf***@gmail.com> wrote in message news:1147898055.853976.36330@j73g2000cwa.googlegroups.com...
> I've been struggling with a problem for the last two months that is
> almost driving me nuts...
>
> We have a traditional ASP.Net 1.1 web site accessing a SQL2000 database
> using delegation and a trusted connection. I have seen many posts
> regarding this setup, and we had quite some trouble getting it all
> working ourselves. Users could finally access the web server and pull data
> from the database, fully authenticated through Kerberos and Integrated
> Windows Authentication.
>
> The problem is:
> - After a user has been inactive for anything from a few minutes to
> half an hour, the connection with the database is broken and it
> responds with the well-known "login failed for user (null)" error.
>
> Some more facts:
> - The connection with the web server works fine, and as long as the
> exception is trapped in the code, all pages are displayed (as intended
> when a db connection is unavailable, that is)
> - I got a feeling that the Kerberos ticket is expiring and the web
> server doesn't bother asking the client for a new one.
> - We do have trust for delegation set up in the AD for the web server
> to access any resource
> - We do have a HTTP/fqdm SPN set up in AD
>
> Questions:
> - Any suggestions as to what this might be caused by?
> - Would we need a SPN for the DB server too? (This is just accessed
> through the netbios name)
> - Do you know of any Kerberos-related settings that would make the
> initial authentication work, but connections fail at a later point?
>
> One more thing... The very same problem was posted unanswered here in
> several newsgroups about a year ago:
> http://groups.google.com/group/microsoft.public.adsi.general/browse_thread/thread/d53ecbeaa94af2d3/133e72c9029b8b32?lnk=st&q=kerberos+timeout+iis6&rnum=4#133e72c9029b8b32
>
> This posting describes a bit more what has been tried and not. I have
> done very much the same approach, with no more luck than that guy.
>
> (I have not found any other postings that I can tell are describing the
> same problem as mine)
>
> Any help on this matter is most appreciated.
>
> Regards,
> Roar Fredriksen
> Systems Engineer
> Omega Project Solutions Inc

Thanks for your reply Ken!
Unfortunately, we are developing in a shared environment without direct access to the web server. I will check with the Administrator if we can have this done on this server.

Should this log Kerberos events for communication with the SQL Server, the client's browser or both?

This will log Kerberos events on the IIS server (i.e. logon failed, ticket corrupt/altered etc). You will probably want to enable this on the SQL Server as well, just in case the problem is at the SQL Server box rather than at the IIS box.

Cheers
Ken

"Roar" <roarf***@gmail.com> wrote in message news:1147965165.263988.246430@y43g2000cwc.googlegroups.com...
> Thanks for your reply Ken!
>
> Unfortunately, we are developing in a shared environment without direct
> access to the web server. I will check with the Administrator if we can
> have this done on this server.
>
> Should this log Kerberos events for communication with the SQL Server,
> the client's browser or both?
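
The logging step suggested in the replies above, as an added example that is not part of the original thread: it sets the LogLevel registry value described in the linked KB article 262177, waits while the idle-then-fail sequence is reproduced, then lists the Kerberos events written to the System log and switches logging off again. The function names are hypothetical; the event provider name and the assumption that the setting takes effect without a restart apply to current Windows versions and should be checked on older servers.

```powershell
# Added example (not from the thread). Run elevated on each server being
# diagnosed: the IIS box and, as suggested above, the SQL Server box.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Set-KerberosLogging {
    # Hypothetical helper: turns Kerberos event logging on or off (KB 262177).
    param([bool]$Enabled)
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    if ($Enabled) {
        # LogLevel = 1 (REG_DWORD) enables Kerberos event logging.
        New-ItemProperty -Path $key -Name LogLevel -PropertyType DWord `
            -Value 1 -Force | Out-Null
    } else {
        # Remove the value afterwards so the System log is not flooded.
        Remove-ItemProperty -Path $key -Name LogLevel -ErrorAction SilentlyContinue
    }
}

function Get-KerberosEvents {
    # Hypothetical helper: Kerberos events logged since $Since, oldest first.
    param([datetime]$Since)
    $filter = @{
        LogName      = 'System'
        # Assumption: provider name as used on current Windows versions.
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
        StartTime    = $Since
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Set-KerberosLogging -Enabled $true
$start = Get-Date
try {
    # Assumption: the setting takes effect without a restart.
    Read-Host 'Logging on. Reproduce the idle-then-fail sequence, then press Enter'
    $events = @(Get-KerberosEvents -Since $start)
    if ($events.Count -eq 0) {
        Write-Output 'No Kerberos events on this machine; check the other server.'
    } else {
        $events | Format-List
    }
} finally {
    Set-KerberosLogging -Enabled $false
}
```

Comparing the timestamps of the listed events with the time of the "login failed for user (null)" error shows which box, if either, logged a Kerberos failure at that moment.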