Re: Access denied ( From one site to another, that is in another server)
From: Bassel Tabbara [MSFT] (basselt@online.microsoft.com)
Date: 01/21/03
- Next message: Mike Moore [Microsoft]: "Re: .NET PetShop doesn't seem to start under .NET Server RC2"
- Previous message: Gabriela De Feo: "Re: Access denied ( From one site to another, that is in another server)"
- In reply to: Gabriela De Feo: "Re: Access denied ( From one site to another, that is in another server)"
- Next in thread: Gabriela De Feo: "Re: Access denied ( From one site to another, that is in another server)"
- Reply: Gabriela De Feo: "Re: Access denied ( From one site to another, that is in another server)"
- Reply: Gabriela GD: "Re: Access denied ( From one site to another, that is in another server)"
From: basselt@online.microsoft.com (Bassel Tabbara [MSFT]) Date: Tue, 21 Jan 2003 20:22:41 GMT
Steps to configure an ASP.NET / IIS delegation scenario:
- check the "Enable Integrated Windows Authentication (requires restart)"
  option in the Tools - Internet Options - Advanced tab.
  This setting enables Internet Explorer to respond to a negotiate challenge
  and perform Kerberos authentication. If not running on Windows 2000 or
  higher, Internet Explorer does not respond to a negotiate challenge and
  defaults to NTLM (or Windows NT Challenge/Response) authentication even if
  the "Enable Integrated Windows Authentication (requires restart)" check box
  is selected, because this feature requires Windows 2000 or higher.
  NOTE: Administrators can enable Integrated Windows Authentication by setting
  the EnableNegotiate DWORD value to 1 in the following registry key:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  There are some issues where Kerberos may fail on the Internet Explorer
  client. See the following articles in the Microsoft Knowledge Base:
  - 321728: Internet Explorer Does Not Support Kerberos Authentication
  - 325608: PRB: Authentication Delegation Through Kerberos Does Not Work
  - 280830: Kerberos Authentication May Not Work If User Is in Many Groups
  - 264921: INFO: How IIS Authenticates Browser Clients
2. Web Server (IIS 5.0 or higher):
a. ASP.NET Application - Windows Authentication and Impersonation:
- configured for Windows Authentication
  - IIS Management Console
    - turn off Anonymous access, Basic and Digest authentication for the
      application
      To configure a web application for Windows authentication, open the
      Internet Information Services tool, expand the Default Web Sites node,
      right-click your web application, go to Properties, choose Directory
      Security, click the Edit button for "Anonymous access and authentication
      control" and turn off Anonymous access, Basic and Digest authentication
      for the application.
      NOTE: Internet Explorer will always pick the first authentication scheme
      if given the option of choosing from multiple authentication schemes.
      For example, if Anonymous authentication is enabled and listed before
      Windows Authentication, Internet Explorer will try to authenticate
      anonymously. If this fails it picks the next authentication method and
      tries to authenticate with Windows authentication.
  - web.config file
    - <allow users="*" /> and <deny users="?" /> in the <configuration> section
    - <authentication mode="Windows" /> in the <system.web> section
- configured for Impersonation
  - <identity impersonate="true" /> in the web.config file
  - 306158: INFO: Implementing Impersonation in an ASP.NET
    http://support.microsoft.com/?id=306158
  - 317012: INFO: Process and Request Identity in
    http://support.microsoft.com/?id=317012
  - 315736: HOW TO: Secure an ASP.NET Application by Using
    http://support.microsoft.com/?id=315736
b. Active Directory - Delegation:
Delegation has to be enabled on all machines participating in Kerberos
delegation; it can be configured in the Active Directory tools.
- Active Directory Users and Computers tool
  - machine is "trusted for delegation"
    To configure a computer as trusted for delegation, open the Active
    Directory Computers tool, expand the Domain Name node, expand the
    Computers node, right-click the computer you want to configure, choose
    Properties from the context menu and check the "Computer is Trusted for
    Delegation" option.
- Active Directory Users and Groups tool
  - delegating account is "trusted for delegation"
    By default, the Aspnet_wp.exe process runs under a computer account named
    ASPNET. To verify that the application account can act as a delegate,
    open the Active Directory Users And Groups tool, right-click the User
    object in question, choose Properties from the context menu, click the
    Account tab, scroll down until you see "Account Is Trusted for Delegation"
    in the Account Options box. Make sure the option is checked.
    NOTE: You do not need to perform this step if the service is running as
    LocalSystem because this account automatically supports the trusted for
    delegation capability. Running ASP.NET as LocalSystem (userName="SYSTEM"
    in the <processModel> section in the machine.config file) is by default
    "trusted for delegation".
  - accounts to be delegated (domain users) are not marked as "sensitive and
    cannot be delegated"
    To verify the user's account can be delegated, open the Active Directory
    Users and Groups tool, right-click the User object in question, choose
    Properties from the context menu, click the Account tab, scroll down until
    you see "Account Is Sensitive And Cannot Be Delegated" in the Account
    Options box. Make sure the option is not checked.
    See the following article in the Microsoft Knowledge Base:
    325894: HOW TO: Set Computer/User Accounts to Be
    http://support.microsoft.com/?id=325894
Thanks,
Bassel Tabbara
Microsoft, ASP.NET
This posting is provided "AS IS", with no warranties, and confers no rights.
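As an added example (not part of Bassel's post or of any Microsoft article), the three Active Directory prerequisites above expressed as a read-only check against the userAccountControl attribute, which is the attribute the "Trusted for delegation" and "Account is sensitive and cannot be delegated" check boxes set. VB.NET is used to match the code in the thread; DelegationAudit, GetUac and Check are hypothetical names, and the code assumes System.DirectoryServices, .NET 2.0 or later and a domain-joined host.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices

' Added example, not from the thread: read-only audit of the three AD settings.
Public Class DelegationAudit

    ' userAccountControl bits behind the two check boxes named in the thread.
    Private Const TRUSTED_FOR_DELEGATION As Integer = &H80000  ' "Trusted for delegation"
    Private Const NOT_DELEGATED As Integer = &H100000         ' "Account is sensitive and cannot be delegated"

    ' Escapes the characters that are special in an LDAP filter (RFC 4515),
    ' so an account name taken from input cannot change the query.
    Private Shared Function EscapeFilter(ByVal value As String) As String
        Return value.Replace("\", "\5c").Replace("*", "\2a").Replace("(", "\28").Replace(")", "\29")
    End Function

    ' Reads userAccountControl for a user or computer by sAMAccountName.
    ' Computer accounts carry a trailing "$" (for example "WEBSRV01$"); a local
    ' account such as the default ASPNET has no directory object and is not found.
    Public Shared Function GetUac(ByVal samAccountName As String) As Integer
        Dim searcher As New DirectorySearcher()   ' search root defaults to the current domain
        searcher.Filter = "(sAMAccountName=" & EscapeFilter(samAccountName) & ")"
        searcher.PropertiesToLoad.Add("userAccountControl")
        Dim result As SearchResult = searcher.FindOne()
        If result Is Nothing Then
            Throw New ArgumentException("No domain account named " & samAccountName)
        End If
        Return CInt(result.Properties("userAccountControl")(0))
    End Function

    ' Returns an empty list when all three prerequisites hold, otherwise one
    ' line per step from the thread that still has to be done.
    Public Shared Function Check(ByVal webServerComputer As String, _
                                 ByVal processAccount As String, _
                                 ByVal browserUser As String) As List(Of String)
        Dim problems As New List(Of String)
        If (GetUac(webServerComputer) And TRUSTED_FOR_DELEGATION) = 0 Then
            problems.Add(webServerComputer & ": computer is not 'Trusted for delegation'")
        End If
        ' userName="SYSTEM" in <processModel> uses the computer account, covered above.
        If processAccount <> "SYSTEM" AndAlso (GetUac(processAccount) And TRUSTED_FOR_DELEGATION) = 0 Then
            problems.Add(processAccount & ": process account is not 'Trusted for delegation'")
        End If
        If (GetUac(browserUser) And NOT_DELEGATED) <> 0 Then
            problems.Add(browserUser & ": user is marked 'Account is sensitive and cannot be delegated'")
        End If
        Return problems
    End Function

End Class
```

Call Check("WEBSRV01$", "SYSTEM", "gaby") with your own account names; an empty result means the directory side of the checklist is done and any remaining 401 has to be looked for on the client (Kerberos vs. NTLM) or in web.config.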
--------------------
| From: "Gabriela De Feo" <gdefeo@rmya.com.ar>
| References: <OmlZ7lWwCHA.1624@TK2MSFTNGP11> <Ld$1RkXwCHA.2600@cpmsftngxa06>
| Subject: Re: Access denied ( From one site to another, that is in another server)
| Date: Tue, 21 Jan 2003 16:22:25 -0300
| Lines: 329
| MIME-Version: 1.0
| Content-Type: multipart/alternative;
| boundary="----=_NextPart_000_005E_01C2C169.4904BF90"
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2600.0000
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
| Message-ID: <eJq4PJYwCHA.2680@TK2MSFTNGP09>
| Newsgroups: microsoft.public.dotnet.framework.aspnet.security
| NNTP-Posting-Host: 200.80.152.106
| Path: cpmsftngxa06!TK2MSFTNGP08!TK2MSFTNGP09
| Xref: cpmsftngxa06 microsoft.public.dotnet.framework.aspnet.security:3716
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
|
| Hello Bassel, first of all I want to tell you thank you very much for responding to me so soon.
| The URL of the first article that you sent me is wrong. I couldn't access it.
| I will tell you more about the context of my problem so that you can help me more.
| My web application needs to authenticate every user, therefore I'm using Integrated Windows Authentication.
| The machine.config has
| <processModel enable="true" timeout="Infinite" idleTimeout="Infinite"
|   shutdownTimeout="0:00:05" requestLimit="Infinite" requestQueueLimit="5000"
|   restartQueueLimit="10" memoryLimit="60" webGarden="false"
|   cpuMask="0xffffffff" userName="SYSTEM" password="AutoGenerate"
|   logLevel="Errors" clientConnectedCheck="0:00:05"
|   comAuthenticationLevel="Connect" comImpersonationLevel="Impersonate"
|   responseRestartDeadlockInterval="00:09:00"
|   responseDeadlockInterval="00:03:00" maxWorkerThreads="25"
|   maxIoThreads="25"/>
| The web.config has
| <authentication mode="Windows" />
| <authorization>
|   <allow users="*" />
|   <deny users="?"/>
| </authorization>
| <identity impersonate="true"/>
| I am trying to access the Project Server site, which is in another server and has Integrated Windows Authentication. This site has to return an XML.
| As you tell me I need to delegate security, but I don't know how.
| If you can help me to do it I will appreciate it.
| Gaby
| "Bassel Tabbara [MSFT]" <basselt@online.microsoft.com> wrote in message news:Ld$1RkXwCHA.2600@cpmsftngxa06...
| > Hello Gabriela,
| > You are running into a delegation issue here. Delegation is the next step
| > up from impersonation. Rather than just being able to access local
| > resources on behalf of the client, delegation supports the accessing of
| > remote resources on behalf of the client. When you are trying to access
| > from one server to get to another server, the account credentials must be
| > passed along so you can access the document on the second server.
| >
| > When users browse to an ASP.NET Web site, they request that some code run
| > on the server. All processes run within the security context of a specific
| > account. By default, the ASP.NET engine runs under the aspnet account. This
| > account has access to the IIS server computer but is not allowed to access
| > shared folders on other computers. Therefore, you must configure the IIS
| > computer so that it uses an account other than the aspnet account.
| >
| > After IIS is set to run under another account, you must give that account
| > permission to all of the files and folders that are needed to use the
| > remote Access database.
| >
| > The following article describes thoroughly the steps needed to allow you to
| > access the remote resource.
| > 810572 HOW TO: Setup an IIS / ASP.NET Delegation Scenario
| > http://support.microsoft.com/?id=810572
| >
| > 306158 INFO: Implementing Impersonation in an ASP.NET Application
| > http://support.microsoft.com/?id=306158
| > The section entitled "Impersonate the Authenticating User in Code" might
| > be beneficial to you.
| >
| > Thanks,
| > Bassel Tabbara
| > Microsoft, ASP.NET
| >
| > This posting is provided "AS IS", with no warranties, and confers no rights.
| >
| > --------------------
| > | From: "Gabriela De Feo" <gdefeo@rmya.com.ar>
| > | Subject: Access denied ( From one site to another, that is in another server)
| > | Date: Tue, 21 Jan 2003 13:24:40 -0300
| > | Lines: 72
| > | MIME-Version: 1.0
| > | Content-Type: multipart/alternative;
| > | boundary="----=_NextPart_000_002C_01C2C150.7458DB40"
| > | X-Priority: 3
| > | X-MSMail-Priority: Normal
| > | X-Newsreader: Microsoft Outlook Express 6.00.2600.0000
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
| > | Message-ID: <OmlZ7lWwCHA.1624@TK2MSFTNGP11>
| > | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
| > | NNTP-Posting-Host: 200.80.152.106
| > | Path: cpmsftngxa06!TK2MSFTNGP08!TK2MSFTNGP11
| > | Xref: cpmsftngxa06 microsoft.public.dotnet.framework.aspnet.security:3707
| > | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
| > |
| > | Both web sites have Integrated Windows Authentication.
| > | If I try to connect from my site to another that is in another server I get "Access denied".
| > | If the second site is in the same server, I can connect correctly.
| > | Note: The second site is not in a Dotnet Framework
| > | The code is as follows:
| > | Dim sURL As String = "http://srv01/projectserver/LgnIntAu.asp"
| > | Dim oXMLDocument As XmlDocument
| > | oXMLDocument = New XmlDocument()
| > | oXMLDocument.Load(sURL)
| > | Please Help me !!!!!
| > | Thanks
| > |
| >
|
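Gabriela's three lines reworked as an added example (not code from the thread or from a Microsoft article): XmlDocument.Load(url) by itself sends no credentials, so even a correctly delegated web server asks srv01 anonymously and gets the 401 that shows up as "Access denied". Giving the resolver DefaultCredentials makes the request go out under the impersonated browser user, which is what the delegation settings in Bassel's post then let srv01 accept. RemoteXmlLoader, LoadAsCaller and LoadProjectServerLogin are hypothetical names; the URL is the one from the original post.

```vbnet
Imports System
Imports System.Net
Imports System.Security.Principal
Imports System.Xml

' Added example, not from the thread: fetch the remote XML as the browser user.
Public Class RemoteXmlLoader

    ' Loads the document behind an Integrated-Windows-Authentication URL on
    ' behalf of the impersonated caller. Raises WebException (401) when the
    ' remote site rejects the forwarded identity, e.g. because the delegation
    ' steps on the web server, process account or user are not in place, or
    ' because the client fell back to NTLM, which cannot be delegated.
    Public Shared Function LoadAsCaller(ByVal url As String) As XmlDocument
        ' With <identity impersonate="true" /> the request thread runs under the
        ' authenticated browser user; refuse to continue if it does not.
        Dim caller As WindowsIdentity = WindowsIdentity.GetCurrent()
        If caller Is Nothing OrElse caller.IsAnonymous Then
            Throw New InvalidOperationException( _
                "Not impersonating an authenticated Windows user; check " & _
                "<authentication mode=""Windows"" />, <deny users=""?"" /> and " & _
                "<identity impersonate=""true"" /> in web.config.")
        End If

        ' XmlDocument.Load(url) alone uses an XmlUrlResolver with no credentials,
        ' so the HTTP request to srv01 is anonymous and a site with Anonymous
        ' access turned off answers 401. DefaultCredentials sends the thread's
        ' (impersonated) identity instead.
        Dim resolver As New XmlUrlResolver()
        resolver.Credentials = CredentialCache.DefaultCredentials

        Dim doc As New XmlDocument()
        doc.XmlResolver = resolver
        Try
            doc.Load(url)
        Catch ex As WebException
            ' Record which principal the second hop was attempted as; that is
            ' the first thing to compare with the security event log on srv01.
            Throw New WebException( _
                "GET " & url & " as '" & caller.Name & "' failed: " & ex.Message, ex)
        End Try
        Return doc
    End Function

    ' Usage with the URL from the original post.
    Public Shared Function LoadProjectServerLogin() As XmlDocument
        Return LoadAsCaller("http://srv01/projectserver/LgnIntAu.asp")
    End Function

End Class
```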