Re: Access denied ( From one site to another, that is in another server)

From: Gabriela De Feo (gdefeo@rmya.com.ar)
Date: 01/22/03


From: "Gabriela De Feo" <gdefeo@rmya.com.ar>
Date: Wed, 22 Jan 2003 15:27:10 -0300


Bassel,
I am sorry that I have to bother you again, but I always get "Access denied".

I am working on the following scenario:

.Net Site

- IIS Security:

    Basic Authentication

- Web config:

    <authentication mode="Windows" />
    <authorization>
        <allow users="*" />
        <deny users="?" />
    </authorization>
    <identity impersonate="true"/>

- Code:

    Dim oXMLDocument As MSXML2.DOMDocument30
    oXMLDocument = New MSXML2.DOMDocument30()
    oXMLDocument.Load(sURL)

.Asp Site

- IIS Security:

    Integrated Authentication

If the ASP site is located on the same server as the .NET site I have no
problems, but if it is on another one, oXMLDocument.parseError.reason
returns "Access denied".

Note: The second server has the DotNet Framework installed too.

Thanks

"Bassel Tabbara [MSFT]" <basselt@online.microsoft.com> wrote in message
news:n7kSomiwCHA.2416@cpmsftngxa08...
> Hello Gabriela,
> You don't need to configure anything more for the scenario of basic
> authentication. In fact, Basic and windows integrated allow delegation but
> you need to impersonate the user as I described it in my previous post.
> For reading an xml file, you can use the XMLDomDocument with the proper
> permission to the file that you are reading.
>
> Thanks,
> Bassel Tabbara
> Microsoft, ASP.NET
>
> This posting is provided "AS IS", with no warranties, and confers no
> rights.
>
>
> --------------------
> | From: "Gabriela De Feo" <gdefeo@rmya.com.ar>
> | References: <OmlZ7lWwCHA.1624@TK2MSFTNGP11> <Ld$1RkXwCHA.2600@cpmsftngxa06>
> | <eJq4PJYwCHA.2680@TK2MSFTNGP09> <YI8cZrYwCHA.1128@cpmsftngxa08>
> | <ev55wOZwCHA.2476@TK2MSFTNGP10> <MLyorWawCHA.2148@cpmsftngxa08>
> | Subject: Re: Access denied ( From one site to another, that is in another server)
> | Date: Wed, 22 Jan 2003 10:47:45 -0300
> | Lines: 395
> | X-Priority: 3
> | X-MSMail-Priority: Normal
> | X-Newsreader: Microsoft Outlook Express 6.00.2600.0000
> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
> | Message-ID: <#xK45yhwCHA.2652@TK2MSFTNGP11>
> | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> | NNTP-Posting-Host: 200.80.152.106
> | Path: cpmsftngxa08!cppssbbsa01.microsoft.com!TK2MSFTNGP08!TK2MSFTNGP11
> | Xref: cpmsftngxa08 microsoft.public.dotnet.framework.aspnet.security:3757
> | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> |
> | Do I have to configure something more?
> |
> | Or is it enough to configure the security of the sites? (Site .NET, Basic
> | Authentication---->Site ASP, Windows Authentication)
> |
> | What do I have to use to obtain an XML from an ASP page? XMLDomDocument,
> | HTTPRequest, or is there something different? Remember that the ASP page
> | belongs to the site that has Windows Authentication.
> |
> |
> |
> |
> |
> | "Bassel Tabbara [MSFT]" <basselt@online.microsoft.com> wrote in message
> | news:MLyorWawCHA.2148@cpmsftngxa08...
> | > Gabriela,
> | > Yes you can delegate the token using Basic Authentication. So your
> | > scenario should work.
> | >
> | >
> | > Thanks,
> | > Bassel Tabbara
> | > Microsoft, ASP.NET
> | >
> | > This posting is provided "AS IS", with no warranties, and confers no
> | > rights.
> | >
> | >
> | > --------------------
> | > | From: "Gabriela De Feo" <gdefeo@rmya.com.ar>
> | > | References: <OmlZ7lWwCHA.1624@TK2MSFTNGP11> <Ld$1RkXwCHA.2600@cpmsftngxa06>
> | > | <eJq4PJYwCHA.2680@TK2MSFTNGP09> <YI8cZrYwCHA.1128@cpmsftngxa08>
> | > | Subject: Re: Access denied ( From one site to another, that is in another server)
> | > | Date: Tue, 21 Jan 2003 18:26:49 -0300
> | > | Lines: 310
> | > | X-Priority: 3
> | > | X-MSMail-Priority: Normal
> | > | X-Newsreader: Microsoft Outlook Express 6.00.2600.0000
> | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
> | > | Message-ID: <ev55wOZwCHA.2476@TK2MSFTNGP10>
> | > | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> | > | NNTP-Posting-Host: 200.80.152.106
> | > | Path: cpmsftngxa06!TK2MSFTNGP08!TK2MSFTNGP10
> | > | Xref: cpmsftngxa06 microsoft.public.dotnet.framework.aspnet.security:3719
> | > | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> | > |
> | > | If instead of configuring the ASP.NET Application for Windows
> | > | Authentication, I configure it for Basic Authentication, can I avoid
> | > | using Kerberos and use something simpler?
> | > |
> | > | The scenario would look like this:
> | > |
> | > | Site .Net (Basic Authentication) ------> Site asp(Windows Authentication)
> | > |
> | > |
> | > | "Bassel Tabbara [MSFT]" <basselt@online.microsoft.com> wrote in message
> | > | news:YI8cZrYwCHA.1128@cpmsftngxa08...
> | > | > Steps to configure an ASP.NET / IIS delegation scenario:
> | > | >
> | > | > - check the "Enable Integrated Windows Authentication (requires restart)"
> | > | > option in the Tools - Internet Options - Advanced Tab
> | > | >
> | > | > This setting enables Internet Explorer to respond to a negotiate challenge
> | > | > and perform Kerberos authentication. If not running on Windows 2000
> | > | > or higher Internet Explorer does not respond to a negotiate challenge and
> | > | > defaults to NTLM (or Windows NT Challenge/Response) authentication even if
> | > | > the Enable Integrated Windows Authentication (requires restart) check box is
> | > | > selected because this feature requires Windows 2000 or higher.
> | > | >
> | > | > NOTE: Administrators can enable Integrated Windows Authentication by
> | > | > setting the EnableNegotiate DWORD value to 1 in the following registry key:
> | > | > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
> | > | > There are some issues where Kerberos may fail on the Internet Explorer
> | > | > client. See the following articles in the Microsoft Knowledgebase:
> | > | >
> | > | > - 321728: Internet Explorer Does Not Support Kerberos Authentication
> | > | > - 325608: PRB: Authentication Delegation Through Kerberos Does Not Work
> | > | > - 280830: Kerberos Authentication May Not Work If User Is in Many Groups
> | > | > - 264921: INFO: How IIS Authenticates Browser Clients
> | > | >
> | > | > 2. Web Server (IIS 5.0 or higher):
> | > | >
> | > | > a. ASP.NET Application - Windows Authentication and Impersonation:
> | > | >
> | > | > - configured for Windows Authentication
> | > | >
> | > | > - IIS Management Console
> | > | >
> | > | > - turn off Anonymous access, Basic and Digest authentication for the
> | > | > application
> | > | >
> | > | > To configure a web application for Windows authentication open the Internet
> | > | > Information Services tool, expand the Default Web Sites node, right-click
> | > | > your web application, go to Properties, choose Directory Security, click the
> | > | > Edit button for Anonymous access and authentication control and turn off
> | > | > Anonymous access, Basic and Digest authentication for the application.
> | > | >
> | > | > NOTE: Internet Explorer will always pick the first authentication scheme if
> | > | > given the option of choosing from multiple authentication schemes. For
> | > | > example, if Anonymous authentication is enabled and listed before Windows
> | > | > Authentication, Internet Explorer will try to authenticate anonymously. If
> | > | > this fails it picks the next authentication method and tries to
> | > | > authenticate with Windows authentication.
> | > | >
> | > | > - web.config file
> | > | >
> | > | > - <allow users="*" /> and <deny users="?" /> in the <configuration> section
> | > | > - <authentication mode="Windows" /> in the <system.web> section
> | > | >
> | > | > - configured for Impersonation
> | > | >
> | > | > - <identity impersonate="true" /> in the web.config file
> | > | >
> | > | > - 306158: INFO: Implementing Impersonation in an ASP.NET
> | > | > http://support.microsoft.com/?id=306158
> | > | > - 317012: INFO: Process and Request Identity in
> | > | > http://support.microsoft.com/?id=317012
> | > | > - 315736: HOW TO: Secure an ASP.NET Application by Using
> | > | > http://support.microsoft.com/?id=315736
> | > | >
> | > | > b. Active Directory - Delegation:
> | > | >
> | > | > Delegation has to be enabled on all machines participating in Kerberos
> | > | > Delegation; it can be configured in the Active Directory tools.
> | > | >
> | > | > - Active Directory Users and Computers tool
> | > | >
> | > | > - machine is "trusted for delegation"
> | > | >
> | > | > To configure a computer as trusted for delegation, open the Active
> | > | > Directory Computers tool, expand the Domain Name node, expand the
> | > | > Computers node, right-click the computer you want to configure, choose
> | > | > properties from the context menu and check the Computer is Trusted for
> | > | > Delegation option.
> | > | >
> | > | > - Active Directory Users and Groups tool
> | > | >
> | > | > - delegating account is "trusted for delegation"
> | > | >
> | > | > By default, the Aspnet_wp.exe process runs under a computer account named
> | > | > ASPNET. To verify that the application account can act as a delegate,
> | > | > open the Active Directory Users And Groups tool, right-click the User
> | > | > object in question, choose Properties from the context menu, click the
> | > | > account menu, scroll down until you see Account Is Trusted for Delegation
> | > | > in the Account Options box. Make sure the option is checked.
> | > | >
> | > | > NOTE: You do not need to perform this step if the service is running as
> | > | > LocalSystem because this account automatically supports the trusted for
> | > | > delegation capability. Running ASP.NET as LocalSystem (userName = "SYSTEM"
> | > | > in the <processModel> section in the machine.config file) is by default
> | > | > "trusted for delegation"
> | > | >
> | > | > - accounts to be delegated (domain users) are not marked as "sensitive and
> | > | > cannot be delegated"
> | > | >
> | > | > To verify the user's account can be delegated, open the Active Directory
> | > | > Users and Groups tool, right-click the User object in question, choose
> | > | > Properties from the context menu, click the Account tab, scroll down until
> | > | > you see Account Is Sensitive And Cannot Be Delegated in the Account
> | > | > Options box. Make sure the option is not checked.
> | > | >
> | > | > See the following article in the Microsoft Knowledgebase:
> | > | >
> | > | > 325894: HOW TO: Set Computer/User Accounts to Be
> | > | > http://support.microsoft.com/?id=325894
> | > | >
> | > | > Thanks,
> | > | > Bassel Tabbara
> | > | > Microsoft, ASP.NET
> | > | >
> | > | > This posting is provided "AS IS", with no warranties, and confers no
> | > | > rights.
> | > | >
> | > | > --------------------
> | > | > | From: "Gabriela De Feo" <gdefeo@rmya.com.ar>
> | > | > | References: <OmlZ7lWwCHA.1624@TK2MSFTNGP11> <Ld$1RkXwCHA.2600@cpmsftngxa06>
> | > | > | Subject: Re: Access denied ( From one site to another, that is in another server)
> | > | > | Date: Tue, 21 Jan 2003 16:22:25 -0300
> | > | > | Lines: 329
> | > | > | MIME-Version: 1.0
> | > | > | Content-Type: multipart/alternative;
> | > | > | boundary="----=_NextPart_000_005E_01C2C169.4904BF90"
> | > | > | X-Priority: 3
> | > | > | X-MSMail-Priority: Normal
> | > | > | X-Newsreader: Microsoft Outlook Express 6.00.2600.0000
> | > | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
> | > | > | Message-ID: <eJq4PJYwCHA.2680@TK2MSFTNGP09>
> | > | > | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> | > | > | NNTP-Posting-Host: 200.80.152.106
> | > | > | Path: cpmsftngxa06!TK2MSFTNGP08!TK2MSFTNGP09
> | > | > | Xref: cpmsftngxa06 microsoft.public.dotnet.framework.aspnet.security:3716
> | > | > | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> | > | > |
> | > | > | Hello Bassel, first of all I want to tell you thank you very much
> | > | > | for responding to me so soon.
> | > | > | The url of the first article that you sent me is wrong. I couldn't
> | > | > | access it.
> | > | > | I will tell you more about the context of my problem so that you
> | > | > | can help me more.
> | > | > | My web application needs to authenticate every user, therefore I'm
> | > | > | using Integrated Windows Authentication.
> | > | > | The machine.config has
> | > | > | <processModel enable="true" timeout="Infinite" idleTimeout="Infinite"
> | > | > | shutdownTimeout="0:00:05" requestLimit="Infinite" requestQueueLimit="5000"
> | > | > | restartQueueLimit="10" memoryLimit="60" webGarden="false"
> | > | > | cpuMask="0xffffffff" userName="SYSTEM" password="AutoGenerate"
> | > | > | logLevel="Errors" clientConnectedCheck="0:00:05"
> | > | > | comAuthenticationLevel="Connect" comImpersonationLevel="Impersonate"
> | > | > | responseRestartDeadlockInterval="00:09:00"
> | > | > | responseDeadlockInterval="00:03:00" maxWorkerThreads="25"
> | > | > | maxIoThreads="25"/>
> | > | > | The web.config has
> | > | > | <authentication mode="Windows" />
> | > | > | <authorization>
> | > | > | <allow users="*" />
> | > | > | <deny users="?"/>
> | > | > | </authorization>
> | > | > | <identity impersonate="true"/>
> | > | > | I am trying to access the Project Server site, which is in another
> | > | > | server and has Integrated Windows Authentication. This site has to return
> | > | > | an xml.
> | > | > | As you tell me I need to delegate security, but I don't know how.
> | > | > | If you can help me to do it I will appreciate it
> | > | > | Gaby
> | > | > | "Bassel Tabbara [MSFT]" <basselt@online.microsoft.com> wrote in message
> | > | > | news:Ld$1RkXwCHA.2600@cpmsftngxa06...
> | > | > | > Hello Gabriela,
> | > | > | > You are running into a delegation issue here. Delegation is the next
> | > | > | > step up from impersonation. Rather than just being able to access
> | > | > | > local resources on behalf of the client, delegation supports the
> | > | > | > accessing of remote resources on behalf of the client. When you are
> | > | > | > trying to access from one server to get to another server, the account
> | > | > | > credentials must be passed along so you can access the document on the
> | > | > | > second server.
> | > | > | >
> | > | > | > When users browse to an ASP.NET Web site, they request that some code
> | > | > | > run on the server. All processes run within the security context of a
> | > | > | > specific account. By default, the ASP.NET engine runs under the aspnet
> | > | > | > account. This account has access to the IIS server computer but is not
> | > | > | > allowed to access shared folders on other computers. Therefore, you must
> | > | > | > configure the IIS computer so that it uses an account other than the
> | > | > | > aspnet account.
> | > | > | >
> | > | > | > After IIS is set to run under another account, you must give that
> | > | > | > account permission to all of the files and folders that are needed to
> | > | > | > use the remote Access database.
> | > | > | >
> | > | > | > The following article describes thoroughly the steps needed to allow
> | > | > | > you to access the remote resource.
> | > | > | > 810572 HOW TO: Setup an IIS / ASP.NET Delegation Scenario
> | > | > | > http://support.microsoft.com/?id=810572
> | > | > | >
> | > | > | > 306158 INFO: Implementing Impersonation in an ASP.NET Application
> | > | > | > http://support.microsoft.com/?id=306158
> | > | > | > The section entitled "Impersonate the Authenticating User in Code" might
> | > | > | > be beneficial to you.
> | > | > | >
> | > | > | >
> | > | > | > Thanks,
> | > | > | > Bassel Tabbara
> | > | > | > Microsoft, ASP.NET
> | > | > | >
> | > | > | > This posting is provided "AS IS", with no warranties, and confers no
> | > | > | > rights.
> | > | > | >
> | > | > | >
> | > | > | > --------------------
> | > | > | > | From: "Gabriela De Feo" <gdefeo@rmya.com.ar>
> | > | > | > | Subject: Access denied ( From one site to another, that is in another server)
> | > | > | > | Date: Tue, 21 Jan 2003 13:24:40 -0300
> | > | > | > | Lines: 72
> | > | > | > | MIME-Version: 1.0
> | > | > | > | Content-Type: multipart/alternative;
> | > | > | > | boundary="----=_NextPart_000_002C_01C2C150.7458DB40"
> | > | > | > | X-Priority: 3
> | > | > | > | X-MSMail-Priority: Normal
> | > | > | > | X-Newsreader: Microsoft Outlook Express 6.00.2600.0000
> | > | > | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
> | > | > | > | Message-ID: <OmlZ7lWwCHA.1624@TK2MSFTNGP11>
> | > | > | > | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> | > | > | > | NNTP-Posting-Host: 200.80.152.106
> | > | > | > | Path: cpmsftngxa06!TK2MSFTNGP08!TK2MSFTNGP11
> | > | > | > | Xref: cpmsftngxa06 microsoft.public.dotnet.framework.aspnet.security:3707
> | > | > | > | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> | > | > | > |
> | > | > | > | Both web sites have Integrated Windows Authentication.
> | > | > | > | If I try to connect from my site to another that is in another
> | > | > | > | server I get "Access denied".
> | > | > | > | If the second site is in the same server, I can connect correctly.
> | > | > | > | Note: The second site is not in a Dotnet Framework
> | > | > | > | The code is as follows:
> | > | > | > | sURL = "http://srv01/projectserver/LgnIntAu.asp"
> | > | > | > | Dim oXMLDocument As XmlDocument
> | > | > | > | oXMLDocument = New XmlDocument()
> | > | > | > | oXMLDocument.Load(sURL)
> | > | > | > | Please Help me !!!!!
> | > | > | > | Thanks
> | > | > | > |
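The thread's code calls XmlDocument.Load(sURL) (and later MSXML's DOMDocument30.Load) with no credentials attached, so the second server can only answer the request anonymously, and a Windows-authenticated ASP page answers that with 401 "Access denied" regardless of how delegation is set up. The example below is added here and is not code from the thread or from Microsoft; it shows the two things a practitioner checks first in this scenario: passing the impersonated caller's token explicitly on the outbound HTTP request (CredentialCache.DefaultCredentials, or an XmlUrlResolver carrying those credentials when XmlDocument.Load(url) is kept), and recording which Windows identity the outbound call actually ran as. That identity separates the two failure modes discussed in the thread: if it is the worker process account (ASPNET, or SYSTEM with the machine.config shown above), impersonation never applied to this call; if it is the browser user and the second server still returns 401, the token cannot make the second hop, which is the case for an NTLM integrated logon without the Kerberos delegation steps Bassel lists, and the reason Basic authentication (where IIS holds the password and can build a network-capable logon) behaves differently. The class and method names (RemoteXmlClient, FetchXmlAsCaller, LoadWithResolver, DescribeFailure) are hypothetical; sURL and LgnIntAu.asp come from the thread; the code assumes it runs inside an ASP.NET 1.x page with <identity impersonate="true"/>.

```vbnet
' Added example, not from the thread. Assumes ASP.NET 1.x with
' <identity impersonate="true"/> so the thread token is the browser user.
Imports System
Imports System.IO
Imports System.Net
Imports System.Security.Principal
Imports System.Xml

Public Class RemoteXmlClient   ' hypothetical name

    ' Fetches the XML served by sURL (e.g. http://srv01/projectserver/LgnIntAu.asp)
    ' on behalf of the impersonated caller. On failure it rethrows a WebException
    ' whose message names the identity that was presented to the remote server.
    Public Shared Function FetchXmlAsCaller(ByVal sURL As String) As XmlDocument
        ' Under impersonation this is the browser user; without impersonation
        ' it is the worker process account (ASPNET or SYSTEM).
        Dim who As String = WindowsIdentity.GetCurrent().Name

        Dim request As HttpWebRequest = CType(WebRequest.Create(sURL), HttpWebRequest)
        ' XmlDocument.Load(url) sends no credentials at all. DefaultCredentials
        ' hands the current thread token to the HTTP authentication handshake.
        request.Credentials = CredentialCache.DefaultCredentials
        request.PreAuthenticate = True

        Dim response As HttpWebResponse = Nothing
        Try
            response = CType(request.GetResponse(), HttpWebResponse)
            Dim doc As New XmlDocument()
            doc.Load(response.GetResponseStream())
            Return doc
        Catch ex As WebException
            Throw New WebException(DescribeFailure(ex, who, sURL), ex)
        Finally
            If Not response Is Nothing Then response.Close()
        End Try
    End Function

    ' Same outcome when XmlDocument.Load(url) is kept: give the document a
    ' resolver that carries credentials, because the default resolver has none.
    Public Shared Function LoadWithResolver(ByVal sURL As String) As XmlDocument
        Dim resolver As New XmlUrlResolver()
        resolver.Credentials = CredentialCache.DefaultCredentials
        Dim doc As New XmlDocument()
        doc.XmlResolver = resolver
        doc.Load(sURL)
        Return doc
    End Function

    ' Builds the diagnostic. A 401 while 'who' is the browser user means the
    ' token cannot make the second hop (NTLM logon, no Kerberos delegation);
    ' 'who' being the worker process account means impersonation never applied.
    Private Shared Function DescribeFailure(ByVal ex As WebException, _
                                            ByVal who As String, _
                                            ByVal sURL As String) As String
        Dim status As String = "no HTTP status (" & ex.Status.ToString() & ")"
        If TypeOf ex.Response Is HttpWebResponse Then
            Dim http As HttpWebResponse = CType(ex.Response, HttpWebResponse)
            status = CStr(CInt(http.StatusCode)) & " " & http.StatusDescription
        End If
        Return "Request to " & sURL & " as '" & who & "' failed: " & status
    End Function

End Class
```

Call RemoteXmlClient.FetchXmlAsCaller(sURL) from the page in place of the bare Load; the exception message then reaches the ASP.NET error page or event log with the identity in it, which is what an operator needs to decide between fixing impersonation on the first server and enabling delegation in Active Directory. Keep the least-privilege angle from the thread in mind when reading the identity: a worker process running as SYSTEM (userName="SYSTEM" in machine.config) is trusted for delegation by default, so an outbound call that shows SYSTEM rather than the browser user is authenticating with far more authority than the request warrants.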