Kerberos, Delegation, and Win2.3K

gnieboer_at_corpcomm.net
Date: 07/16/03


Date: Wed, 16 Jul 2003 00:52:44 -0700


All,

I started off with a problem getting ASP.NET to send a fax to a Win2003
Server fax server... but now...

Computer A: Client machine running IE 6.0
Computer B: Windows 2003 Server running IIS 6.0
Computer C: Windows 2003 Server with a Shared Fax
Domain: Windows 2000 Native mode with both a W2K and W2.3K DC.

The AppPool is running under a domain admin account (for testing) that
has been trusted for delegation.
Identity impersonation is on.

The user logs in (again, as a domain admin for testing), and the system
attempts to query the Active Directory.
If IIS is set up to use Windows Authentication, it will fail. However,
if Basic Authentication is the method, it succeeds.

Here's what I've already figured out:
The user's credentials need to be delegated by the AppPool in order for
them to be used to query Active Directory. This is set up correctly,
however only certain types of credentials can be delegated.
All Basic credentials can be delegated (thus it works correctly in that
case)
However, Integrated Windows Authentication can use either NTLM or Kerberos
authentication. NTLM can be delegated, while Kerberos cannot.
In the event log for the Domain Controller, there are failure entries
like so:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 677
Date: 7/16/2003
Time: 12:06:09 AM
User: NT AUTHORITY\SYSTEM
Computer: SAMPLE
Description:
Service Ticket Request Failed:
  User Name:
  User Domain:
  Service Name:
  Ticket Options: 0x40830000
  Failure Code: 0xE
  Client Address: 192.168.0.111

Obviously the system is attempting to get a Kerberos ticket, failing,
and then reverting to NTLM, which then can't be delegated.

Clearly I don't want to use basic authentication to get this job done.

So, the million-dollar question is, why aren't Kerberos tickets being
granted? There seems to be very little documentation on the inner
workings of the KDC and the pieces that need to be set up correctly. I've
created new DCs, demoted the old ones and recreated them, all to no effect.

Any help would be appreciated as always!

Geof
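To make sense of the 677 failure audit quoted in the post, here is an added Python example (not from the original post or from Microsoft) that parses the event description and decodes its Failure Code and Ticket Options against the names in RFC 4120; option bits the RFCs do not name (bit 14 in this event) are reported by number only, and the function names are my own.

```python
import re

# Kerberos error codes (RFC 4120, section 7.5.9) that a KDC returns for a
# failed service-ticket request; the event's "Failure Code" is one of these.
KRB_ERROR_CODES = {
    0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",  # client not found in database
    0x7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",  # server principal (SPN) not found
    0xD: "KDC_ERR_BADOPTION",            # requested KDC options not allowed
    0xE: "KDC_ERR_ETYPE_NOSUPP",         # KDC has no support for encryption type
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x25: "KRB_AP_ERR_SKEW",             # clock skew too great
}

# KDCOptions flag names; bit 0 is the most significant bit of the 32-bit
# value (RFC 4120 section 5.4.1; bit 15 "canonicalize" is from RFC 6806).
KDC_OPTION_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable",
    11: "opt-hardware-auth", 15: "canonicalize", 26: "disable-transited-check",
    27: "renewable-ok", 28: "enc-tkt-in-skey", 30: "renew", 31: "validate",
}

def decode_kdc_options(value):
    """Names of the set KDCOptions bits; bits without an RFC name become 'bitN'."""
    return [KDC_OPTION_BITS.get(bit, "bit%d" % bit)
            for bit in range(32) if value & (1 << (31 - bit))]

def parse_event_677(text):
    """Extract the 'Key: value' fields of a Security event 677 body and decode them."""
    fields = {k.strip(): v.strip() for k, v in
              re.findall(r"^[ \t]*([A-Za-z ]+):[ \t]*(.*)$", text, re.M)}
    code = int(fields["Failure Code"], 16)
    return {
        "failure_code": code,
        "failure_name": KRB_ERROR_CODES.get(code, "unknown"),
        "ticket_options": decode_kdc_options(int(fields["Ticket Options"], 16)),
        "service": fields.get("Service Name", ""),
        "client": fields.get("Client Address", ""),
    }

# The failure audit quoted in the post above, used verbatim as sample input.
SAMPLE_EVENT = """Service Ticket Request Failed:
  User Name:
  User Domain:
  Service Name:
  Ticket Options: 0x40830000
  Failure Code: 0xE
  Client Address: 192.168.0.111
"""

if __name__ == "__main__":
    result = parse_event_677(SAMPLE_EVENT)
    print("failure 0x%X = %s" % (result["failure_code"], result["failure_name"]))
    print("ticket options:", ", ".join(result["ticket_options"]))
```

For the quoted event this yields KDC_ERR_ETYPE_NOSUPP with options forwardable, renewable, bit14 and canonicalize, which is a more useful starting point for checking the service account's keys than the bare hex values in the log.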


