Subject: integrated authentication

"Frédéric de Thysebaert" <f***@redcross-fr.be> (news:OcgmL0vfGHA.1520@TK2MSFTNGP03.phx.gbl) wrote:

Hi,

I have an intranet ASP application running on IIS6, with data on a SQL Server running on another computer (the two servers are member servers of our Active Directory domain). Access to the data is based on the user account that connects to the IIS application.
The application is running on port 80 with a host header of app.mydomain.com (other applications are running on port 80 without a host header).
The application runs in an application pool with a domain account from Active Directory.
With basic authentication, the user can launch the application and has access to the data. (I use impersonate = true in the web.config file.)
I am now trying to activate integrated authentication, but nothing is working: I always get a popup asking for user and password, and the same user account can't access the application.
Following the documentation, I set an SPN for the identity running the application pool with the setspn tool, using the syntax:

    setspn -A HTTP/app.mydomain.com mydomain\myuserapp

I set NTAuthenticationProviders to "Negociate,NTLM" on the right virtual directory using the adsutil.vbs script.
I restarted the IIS server (iisreset).

Using the Authentication & Diagnostics tool from Microsoft on the web server and verifying Kerberos security, I just see "Service principal name (SPN) for user mydomain\myuserapp' not found in Active Directory", but with ADSI Edit I can see an SPN set on the same account. It's the only trace I have to debug my authentication problem.

Do you have some ideas?

"Robert Ginsburg" <robert.ginsb***@ver3.com> (news:eNRxU2yfGHA.4***@TK2MSFTNGP02.phx.gbl) wrote:

Have you configured the server as trusted for Kerberos delegation?

"Frédéric de Thysebaert" <f***@redcross-fr.be> (news:uarDPFzfGHA.1456@TK2MSFTNGP04.phx.gbl) wrote:

Yes, I think that's right for me.
To do this I have checked the delegation check box on the General tab of the computer object in AD. Is that right?
Thanks

"Robert Ginsburg" <robert.ginsb***@ver3.com> (news:OpwFGgzfGHA.2***@TK2MSFTNGP04.phx.gbl) wrote:

Yes, that's all, so if you have done that and SQL auth is still not working, try the recommendations from this KB article: http://support.microsoft.com/?id=319723

"Frédéric de Thysebaert" <f***@redcross-fr.be> wrote, in reply to news:OpwFGgzfGHA.2***@TK2MSFTNGP04.phx.gbl:

Hi

I have tried all this, but I think that it is the IIS authentication which is not functional. When the client connects to http://app.mydomain.com I get a popup asking for user and password. With only "basic authentication", the user can connect with the "mydomain\user" syntax; with only "integrated" authentication, I also get the same popup, but the same user with the same login syntax cannot connect. I think my first problem is IIS delegation of authentication... How to track this?
IIS runs on one server and SQL on another; these two servers are members of the domain, and both have "trust the computer for delegation" checked. The service account for the IIS application pool and the service account for the SQL service each have an SPN associated with them and also have "account is trusted for delegation" checked.
Thanks

Ken wrote, in reply to news:uarDPFzfGHA.1456@TK2MSFTNGP04.phx.gbl:

Hi,

a) In Internet Explorer, you will need to add app.mydomain.com to Internet Explorer's Local Intranet security zone. IE will not attempt Kerberos authentication to websites in the Internet security zone.
b) You will also need to ensure that all web applications underneath app.mydomain.com are run in web app pools with the Domain\MyUserApp user context.
c) You will also need to check that the user accounts (for the users who are authenticating) in question are not marked as "sensitive and non-delegatable" in Active Directory.

Cheers
Ken
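An added check script for the two things this thread keeps circling around: the "SPN not found" result from the original post (which account actually holds HTTP/app.mydomain.com, and whether more than one does) and the delegation flags from Ken's point (c). It is not code from any of the posters. It assumes the names used in the thread (HTTP/app.mydomain.com, myuserapp), a placeholder end user jdoe, and the metabase path IIS://localhost/W3SVC/1/Root for the application's site; adjust all of these. It relies only on System.DirectoryServices (shipped with .NET) and the IIS ADSI provider, so it runs on the web server itself.

```powershell
# Added diagnostic script for the checks discussed in this thread; not code
# from the thread's authors. Values marked "assumption" are placeholders.
param(
    [string]$Spn            = 'HTTP/app.mydomain.com',        # SPN from the thread
    [string]$ServiceAccount = 'myuserapp',                    # app pool identity from the thread
    [string]$TestUser       = 'jdoe',                         # assumption: an end user whose logon fails
    [string]$MetabasePath   = 'IIS://localhost/W3SVC/1/Root'  # assumption: site id 1; use the app's vdir
)

# Documented userAccountControl bits.
$TRUSTED_FOR_DELEGATION = 0x80000    # "Trust this user/computer for delegation"
$NOT_DELEGATED          = 0x100000   # "Account is sensitive and cannot be delegated"

function Find-AdObjects([string]$LdapFilter) {
    # System.DirectoryServices needs no RSAT module; it binds to the default domain.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = $LdapFilter
    [void]$searcher.PropertiesToLoad.AddRange(
        @('sAMAccountName', 'servicePrincipalName', 'userAccountControl', 'distinguishedName'))
    return $searcher.FindAll()
}

function Get-Uac($Result) { [int]$Result.Properties['useraccountcontrol'][0] }

# 1. Who holds the SPN? Exactly one account must. Zero matches the
#    "SPN not found" message from the thread. Two or more (for example the
#    HTTP SPN also sitting on the web server's computer account) means the
#    KDC encrypts the service ticket with one account's key, the IIS worker
#    process may be unable to decrypt it, and the browser falls back to a
#    password prompt, which is the symptom described above.
$holders = Find-AdObjects "(servicePrincipalName=$Spn)"
Write-Host "Accounts holding ${Spn}: $($holders.Count)"
foreach ($h in $holders) { Write-Host "  $($h.Properties['distinguishedname'][0])" }
if ($holders.Count -ne 1) {
    Write-Warning "The SPN must be registered on exactly one account: the app pool identity."
}

# 2. The app pool account itself: its SPN list and its delegation bits.
$svc = Find-AdObjects "(&(objectCategory=person)(sAMAccountName=$ServiceAccount))"
foreach ($s in $svc) {
    $uac = Get-Uac $s
    Write-Host "Service account $($s.Properties['distinguishedname'][0])"
    Write-Host "  SPNs: $($s.Properties['serviceprincipalname'] -join ', ')"
    Write-Host "  Trusted for delegation: $(($uac -band $TRUSTED_FOR_DELEGATION) -ne 0)"
    if (($uac -band $NOT_DELEGATED) -ne 0) {
        Write-Warning "  Service account is marked 'sensitive and cannot be delegated'."
    }
}

# 3. Ken's point (c): the end user must not be marked 'sensitive and cannot
#    be delegated', or IIS cannot forward that user's identity to SQL Server.
$users = Find-AdObjects "(&(objectCategory=person)(sAMAccountName=$TestUser))"
foreach ($u in $users) {
    $flag = ((Get-Uac $u) -band $NOT_DELEGATED) -ne 0
    Write-Host "User ${TestUser}: sensitive/cannot be delegated = $flag"
}

# 4. The metabase property the thread sets with adsutil.vbs. IIS 6 only
#    offers Kerberos when the 'Negotiate' token is present and spelled exactly so.
try {
    $node = [ADSI]$MetabasePath
    $providers = $node.Get('NTAuthenticationProviders')
    Write-Host "NTAuthenticationProviders at ${MetabasePath}: '$providers'"
    if ($providers -ne 'Negotiate,NTLM') {
        Write-Warning "Expected 'Negotiate,NTLM' (exact spelling)."
    }
} catch {
    Write-Warning "NTAuthenticationProviders is not set at $MetabasePath (inherited or absent): $($_.Exception.Message)"
}
```

Run it on the web server as a domain user with read access to Active Directory; the metabase step needs the IIS 6 ADSI provider, which is present on IIS 6 and available on later versions through the IIS 6 Management Compatibility feature. A single holder for the SPN, a service account with the delegation bit set and the "sensitive" bit clear, and a user without the "sensitive" bit are the preconditions for the Negotiate path to succeed at all; the Internet Explorer zone check from Ken's point (a) is a client-side setting and has to be verified on the workstation, not on the server.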