Re: Access denied ( From one site to another, that is in another server)
From: Gabriela De Feo (gdefeo@rmya.com.ar)
Date: 01/21/03
- Next message: Gabriela GD: "Re: Access denied ( From one site to another, that is in another server)"
- Previous message: Mike Moore [Microsoft]: "Re: .NET PetShop doesn't seem to start under .NET Server RC2"
- In reply to: Bassel Tabbara [MSFT]: "Re: Access denied ( From one site to another, that is in another server)"
- Next in thread: Bassel Tabbara [MSFT]: "Re: Access denied ( From one site to another, that is in another server)"
- Reply: Bassel Tabbara [MSFT]: "Re: Access denied ( From one site to another, that is in another server)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Gabriela De Feo" <gdefeo@rmya.com.ar> Date: Tue, 21 Jan 2003 18:26:49 -0300
If instead of configuring the ASP.NET application for Windows Authentication, I
configure it for Basic Authentication, can I avoid using Kerberos and use
something simpler?
The scenario would look like this:
Site .Net (Basic Authentication) ------> Site asp (Windows Authentication)
"Bassel Tabbara [MSFT]" <basselt@online.microsoft.com> wrote in message
news:YI8cZrYwCHA.1128@cpmsftngxa08...
> Steps to configure an ASP.NET / IIS delegation scenario:
>
> - check the "Enable Integrated Windows Authentication (requires restart)"
> option in the Tools - Internet Options - Advanced Tab
>
> This setting enables Internet Explorer to respond to a negotiate challenge
> and perform Kerberos authentication. If not running on Windows 2000
> or higher, Internet Explorer does not respond to a negotiate challenge and
> defaults to NTLM (or Windows NT Challenge/Response) authentication even if
> the Enable Integrated Windows Authentication (requires restart) check box is
> selected, because this feature requires Windows 2000 or higher.
>
> NOTE: Administrators can enable Integrated Windows Authentication by
> setting the EnableNegotiate DWORD value to 1 in the following registry key:
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
> There are some issues where Kerberos may fail on the Internet Explorer
> client. See the following articles in the Microsoft Knowledge Base:
>
> - 321728: Internet Explorer Does Not Support Kerberos Authentication
> - 325608: PRB: Authentication Delegation Through Kerberos Does Not Work
> - 280830: Kerberos Authentication May Not Work If User Is in Many Groups
> - 264921: INFO: How IIS Authenticates Browser Clients
>
> 2. Web Server (IIS 5.0 or higher):
>
> a. ASP.NET Application - Windows Authentication and
> Impersonation:
>
> - configured for Windows Authentication
>
> -IIS Management Console
>
> -turn off Anonymous access, Basic and Digest authentication for the
> application
>
> To configure a web application for Windows authentication, open the Internet
> Information Services tool, expand the Default Web Sites node, right-click
> your web application, go to Properties, choose Directory Security, click the
> Edit button for Anonymous access and authentication control and turn off
> Anonymous access, Basic and Digest authentication for the application.
>
> NOTE: Internet Explorer will always pick the first authentication scheme if
> given the option of choosing from multiple authentication schemes. For
> example, if Anonymous authentication is enabled and listed before Windows
> Authentication, Internet Explorer will try to authenticate anonymously. If
> this fails it picks the next authentication method and tries to
> authenticate with Windows authentication.
>
> - web.config file
>
> -<allow users="*" /> and
> <deny users="?" /> in the <configuration> section
> - <authentication mode="Windows" /> in the <system.web> section
>
> - configured for Impersonation
>
> - <identity impersonate="true" /> in the web.config file
>
> -306158: INFO: Implementing Impersonation in an ASP.NET
> http://support.microsoft.com/?id=306158
> -317012: INFO: Process and Request Identity in
> http://support.microsoft.com/?id=317012
> -315736: HOW TO: Secure an ASP.NET Application by Using
> http://support.microsoft.com/?id=315736
>
> b. Active Directory - Delegation:
>
> Delegation has to be enabled on all machines participating in Kerberos
> delegation; it can be configured in the Active Directory tools.
>
> - Active Directory Users and Computers tool
>
> - machine is "trusted for delegation"
>
> To configure a computer as trusted for delegation, open the Active
> Directory Computers tool, expand the Domain Name node, expand the Computers
> node, right-click the computer you want to configure, choose Properties
> from the context menu and check the Computer is Trusted for Delegation option.
>
> - Active Directory Users and Groups tool
>
> - delegating account is "trusted for delegation"
>
> By default, the Aspnet_wp.exe process runs under a computer account named
> ASPNET. To verify that the application account can act as a delegate, open
> the Active Directory Users And Groups tool, right-click the User object in
> question, choose Properties from the context menu, click the account menu,
> scroll down until you see Account Is Trusted for Delegation in the Account
> Options box. Make sure the option is checked.
>
> NOTE: You do not need to perform this step if the service is running as
> LocalSystem because this account automatically supports the trusted for
> delegation capability. Running ASP.NET as LocalSystem (userName = "SYSTEM"
> in the <processModel> section in the machine.config file) is by default
> "trusted for delegation".
>
> - accounts to be delegated (domain users) are not marked as "sensitive and
> cannot be delegated"
>
> To verify the user's account can be delegated, open the Active Directory
> Users and Groups tool, right-click the User object in question, choose
> Properties from the context menu, click the Account tab, scroll down until
> you see Account Is Sensitive And Cannot Be Delegated in the Account Options
> box. Make sure the option is not checked.
>
> See the following article in the Microsoft Knowledgebase:
>
> 325894: HOW TO: Set Computer/User Accounts to Be
> http://support.microsoft.com/?id=325894
>
> Thanks,
> Bassel Tabbara
> Microsoft, ASP.NET
>
> This posting is provided "AS IS", with no warranties, and confers no rights.
>
> --------------------
> | From: "Gabriela De Feo" <gdefeo@rmya.com.ar>
> | References: <OmlZ7lWwCHA.1624@TK2MSFTNGP11> <Ld$1RkXwCHA.2600@cpmsftngxa06>
> | Subject: Re: Access denied ( From one site to another, that is in another server)
> | Date: Tue, 21 Jan 2003 16:22:25 -0300
> | Message-ID: <eJq4PJYwCHA.2680@TK2MSFTNGP09>
> | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> |
> | Hello Bassel, first of all I want to tell you thank you very much for
> | responding to me so soon.
> | The URL of the first article that you sent me is wrong. I couldn't access it.
> | I will tell you more about the context of my problem so that you can help
> | me more.
> | My web application needs to authenticate every user, therefore I'm using
> | Integrated Windows Authentication.
> | The machine.config has
> | <processModel enable="true" timeout="Infinite" idleTimeout="Infinite"
> shutdownTimeout="0:00:05" requestLimit="Infinite" requestQueueLimit="5000"
> restartQueueLimit="10" memoryLimit="60" webGarden="false"
> cpuMask="0xffffffff" userName="SYSTEM" password="AutoGenerate"
> logLevel="Errors" clientConnectedCheck="0:00:05"
> comAuthenticationLevel="Connect" comImpersonationLevel="Impersonate"
> responseRestartDeadlockInterval="00:09:00"
> responseDeadlockInterval="00:03:00" maxWorkerThreads="25"
> maxIoThreads="25"/>
> | The web.config has
> | <authentication mode="Windows" />
> | <authorization>
> | <allow users="*" />
> | <deny users="?"/>
> | </authorization>
> | <identity impersonate="true"/>
> | I am trying to access the Project Server site, which is in another server
> | and has Integrated Windows Authentication. This site has to return an XML.
> | As you tell me, I need to delegate security, but I don't know how.
> | If you can help me to do it I will appreciate it.
> | Gaby
> | "Bassel Tabbara [MSFT]" <basselt@online.microsoft.com> wrote in message
> news:Ld$1RkXwCHA.2600@cpmsftngxa06...
> | > Hello Gabriela,
> | > You are running into a delegation issue here. Delegation is the next step
> | > up from impersonation. Rather than just being able to access local
> | > resources on behalf of the client, delegation supports the accessing of
> | > remote resources on behalf of the client. When you are trying to access
> | > from one server to get to another server, the account credentials must be
> | > passed along so you can access the document on the second server.
> | >
> | > When users browse to an ASP.NET Web site, they request that some code run
> | > on the server. All processes run within the security context of a specific
> | > account. By default, the ASP.NET engine runs under the aspnet account. This
> | > account has access to the IIS server computer but is not allowed to access
> | > shared folders on other computers. Therefore, you must configure the IIS
> | > computer so that it uses an account other than the aspnet account.
> | >
> | > After IIS is set to run under another account, you must give that account
> | > permission to all of the files and folders that are needed to use the
> | > remote Access database.
> | >
> | > The following article describes thoroughly the steps needed to allow you to
> | > access the remote resource.
> | > 810572 HOW TO: Setup an IIS / ASP.NET Delegation Scenario
> | > http://support.microsoft.com/?id=810572
> | >
> | > 306158 INFO: Implementing Impersonation in an ASP.NET Application
> | > http://support.microsoft.com/?id=306158
> | > The section entitled "Impersonate the Authenticating User in Code" might
> | > be beneficial to you.
> | >
> | >
> | > Thanks,
> | > Bassel Tabbara
> | > Microsoft, ASP.NET
> | >
> | > This posting is provided "AS IS", with no warranties, and confers no rights.
> | >
> | >
> | > --------------------
> | > | From: "Gabriela De Feo" <gdefeo@rmya.com.ar>
> | > | Subject: Access denied ( From one site to another, that is in another server)
> | > | Date: Tue, 21 Jan 2003 13:24:40 -0300
> | > | Message-ID: <OmlZ7lWwCHA.1624@TK2MSFTNGP11>
> | > | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> | > |
> | > | Both web sites have Integrated Windows Authentication.
> | > | If I try to connect from my site to another that is in another server I
> | > | get "Access denied".
> | > | If the second site is in the same server, I can connect correctly.
> | > | Note: The second site is not in a Dotnet Framework
> | > | The code is as follows:
> | > | Dim sURL As String = "http://srv01/projectserver/LgnIntAu.asp"
> | > | Dim oXMLDocument As New XmlDocument()
> | > | oXMLDocument.Load(sURL)
> | > | Please Help me !!!!!
> | > | Thanks
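As an added example (my code, not from any post in this thread), here are the two ways of attaching credentials to the XmlDocument.Load call shown in the first post: forwarding the impersonated caller, which is what the quoted delegation checklist makes possible across servers, and using a fixed service account over Basic authentication, the alternative asked about at the top of this message. The class and method names are hypothetical; XmlUrlResolver, CredentialCache and NetworkCredential are the standard .NET Framework types.

```vbnet
' Added example: attaching credentials to the XmlDocument.Load call from the
' first post. Class and method names are made up for this illustration.
Imports System
Imports System.Net
Imports System.Xml

Public Class ProjectServerClient

    ' Option A: forward the impersonated browser user. With
    ' <identity impersonate="true" />, DefaultCredentials is that user's token,
    ' and the request to the second server only succeeds if the Kerberos
    ' delegation steps quoted in the thread are in place (client negotiates
    ' Kerberos, the ASP.NET host account is trusted for delegation, the user
    ' is not marked "sensitive and cannot be delegated"). Without them the
    ' second hop has no credentials to present and the remote site returns 401.
    Public Shared Function LoadAsCaller(ByVal url As String) As XmlDocument
        Dim resolver As New XmlUrlResolver()
        resolver.Credentials = CredentialCache.DefaultCredentials
        Dim doc As New XmlDocument()
        doc.XmlResolver = resolver
        doc.Load(url)
        Return doc
    End Function

    ' Option B: a fixed service account over Basic authentication, which is
    ' what the question at the top of the page asks about. No delegation is
    ' needed, but the remote site then sees the service account rather than
    ' the end user, so any per-user authorization has to happen on this side,
    ' and Basic transmits the password base64-encoded, so only allow https.
    Public Shared Function LoadAsServiceAccount(ByVal url As String, _
            ByVal user As String, ByVal password As String, _
            ByVal domain As String) As XmlDocument
        If Not url.ToLower().StartsWith("https://") Then
            Throw New ArgumentException("Basic credentials require an https URL", "url")
        End If
        ' Scope the credential to this one URI and scheme so the resolver never
        ' offers it to another host or under another authentication scheme.
        Dim cache As New CredentialCache()
        cache.Add(New Uri(url), "Basic", New NetworkCredential(user, password, domain))
        Dim resolver As New XmlUrlResolver()
        resolver.Credentials = cache
        Dim doc As New XmlDocument()
        doc.XmlResolver = resolver
        doc.Load(url)
        Return doc
    End Function

End Class
```

Option A keeps the end user's identity visible to Project Server, so its own Windows authorization still applies; option B moves that responsibility to the calling site.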