Re: Troubleshoot Security Issues

From: Raterus (raterus_at_localhost)
Date: 03/26/04


Date: Fri, 26 Mar 2004 14:40:45 -0500

Oh yeah, I forgot to mention that my IIS server hasn't been rebooted since
starting all of this. Could this be the problem? (I can't reboot it now to
see; it's a live server.)

"Raterus" <raterus@localhost> wrote in message
news:e2fn92zEEHA.696@TK2MSFTNGP12.phx.gbl...
> Ok, so here it goes,
>
> I just spit out the server variables, Auth_Type did = Negotiate, so I guess
> I did that properly. And I've managed to also figure out that asp.net is
> impersonating correctly, so I guess the only thing left is delegation...
>
> Here is what I've done to get delegation working, I followed your advice
> and tried to implement everything I saw in this article.
> http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
>
> I'm going to go through these steps as I do this again, just to make sure
> I've really done them.
>
> 1) My browser is authenticating with Kerberos, figured that out from
> looking at the server variables
>
> 2) Checked the box in IE "Enable Integrated Windows Authentication", and I
> restarted my computer, even though it didn't specifically warn me to do
> such.
>
> 3) In IIS I have verified that the directory I'm accessing has Integrated
> Windows Authentication checked, and it is the only thing checked.
>
> 4) ASP.net web.config, looks exactly like that example on the website,
> except that <allow users="*" /> is embedded in the <authorization> tag.
> That's how I found it, I assume it is supposed to be only there. I've also
> tried to impersonate using code, and by setting <identity
> impersonate="true">. I've tried both ways and verified that they both work.
>
> note: (My webserver is NOT a domain controller, its OS is Windows Server
> 2003, all domain controllers are hosted off of Windows 2000 servers)
>
> 5) I've found my webserver's computer under active directory
> users/computers, and checked a box under its general properties "Trust
> computer for delegation"
>
> 6) I've also verified on my webserver that IIS service inetinfo.exe is
> running under the Localsystem account. The checkbox "Allow service to
> interact with desktop" is not checked though.
>
> 7) I'm not sure if I really need to do this (I hope not), but I've found my
> user account, and under the Account tab I've checked "Account is trusted for
> delegation". I hope I don't have to do this, because that would require
> checking that for each user on our network when this application rolls out!
>
> Here is my code that is bombing, note that it only bombs on the webserver,
> if I run this code locally, on my own IIS server it works great.
>
> Dim FolderInfo As New ArrayList
> Try
>     Dim dirInfo As New DirectoryInfo(scanUserDirectoriesPath & _
>         CStr(Session("username")) & "\")
>     Dim infoFiles() As FileInfo = dirInfo.GetFiles
>     Dim infoFile As FileInfo
>
>     For Each infoFile In infoFiles
>         FolderInfo.Add(New NewScans(infoFile.Name, _
>             infoFile.CreationTime.ToString, infoFile.FullName))
>     Next
>
>     If FolderInfo.Count = 0 Then
>         dgScans.Visible = False
>         hTitle.InnerText = "No " & hTitle.InnerText
>     Else
>         dgScans.DataSource = FolderInfo
>         dgScans.DataBind()
>     End If
>
> Catch ex As Exception
>     lblError.Text = ex.ToString & Chr(13) & "HttpContext: " & _
>         HttpContext.Current.User.Identity.Name & Chr(13) & "WindowsIdentity: " & _
>         System.Security.Principal.WindowsIdentity.GetCurrent.Name & Chr(13) & _
>         "Thread: " & System.Threading.Thread.CurrentPrincipal.Identity.Name
> End Try
>
> Any help would be great!
> --Michael
>
>
> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> news:%2389cAxtEEHA.3096@TK2MSFTNGP11.phx.gbl...
> > a) You can put a trace on the network -or- you can dump out all the values
> > in the Request.ServerVariables() collection. If you see something like
> > Auth_Type: Negotiate, then Kerberos was used. If you see something like
> > Auth_Type: NTLM then NTLM was used.
> >
> > b) Is ASP.Net impersonating correctly? If you have <identity
> > impersonate="true"> and set authentication to Windows then it should
> > impersonate.
> >
> > c) Is delegation working correctly? I don't know. Why don't you tell us
> > what you've done, and what's happening?
> >
> > Cheers
> > Ken
> >
> > "Raterus" <raterus@localhost> wrote in message
> > news:e$f2whqEEHA.3576@tk2msftngp13.phx.gbl...
> > : What is the easiest way to troubleshoot security issues?
> > :
> > : I'm trying to set up a delegation scenario, which I wrote a question
> > : about yesterday. Something isn't working in it, but I feel kind of
> > : helpless to even know if what I think I set up is actually what is
> > : happening in the background. For instance, I'm trying to get my asp.net
> > : application to delegate to another computer to be able to access files
> > : on a network share. How do I really know my browser is authenticating
> > : with Kerberos? Is asp.net impersonating correctly? When it accesses this
> > : network share, is delegation working correctly? Lots of issues like
> > : this, what is the best way to look at this information?
> > :
> > :
> >
> >
>
>
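
Added example, not part of the thread or written by its participants: a VB.NET helper that gathers the three checks discussed above (authentication type, impersonated identity, and whether the token can be delegated) in one place. It assumes .NET Framework 2.0 or later; the module and function names are hypothetical.

```vb
Imports System
Imports System.Security.Principal
Imports System.Text
Imports System.Web

' Added example: hypothetical helper; call Describe(HttpContext.Current) from a page.
Public Module DelegationDiagnostics

    ' Classify the token in "Authorization: Negotiate <base64>".
    ' Every NTLM message carries the ASCII signature "NTLMSSP"; a GSS-API
    ' initial token (the form a Kerberos ticket arrives in) starts with &H60.
    Public Function ClassifyAuthorization(ByVal header As String) As String
        If String.IsNullOrEmpty(header) Then Return "no Authorization header on this request"
        Dim parts() As String = header.Trim().Split(" "c)
        If parts.Length <> 2 Then Return "unrecognised header"
        If String.Compare(parts(0), "NTLM", True) = 0 Then Return "NTLM"
        If String.Compare(parts(0), "Negotiate", True) <> 0 Then Return "scheme " & parts(0)
        Dim raw As Byte() = Nothing
        Try
            raw = Convert.FromBase64String(parts(1))
        Catch ex As FormatException
            Return "Negotiate (token is not valid base64)"
        End Try
        ' Look for the signature anywhere, so NTLM wrapped in SPNEGO is caught too.
        If Encoding.ASCII.GetString(raw).IndexOf("NTLMSSP", StringComparison.Ordinal) >= 0 Then
            Return "Negotiate carrying NTLM"
        End If
        If raw.Length > 0 AndAlso raw(0) = &H60 Then
            Return "Negotiate carrying a GSS-API token with no NTLM message (consistent with Kerberos)"
        End If
        Return "Negotiate (unknown token)"
    End Function

    Public Function Describe(ByVal ctx As HttpContext) As String
        Dim id As WindowsIdentity = WindowsIdentity.GetCurrent()
        Dim sb As New StringBuilder()
        sb.AppendLine("AUTH_TYPE: " & ctx.Request.ServerVariables("AUTH_TYPE"))
        sb.AppendLine("Authorization: " & ClassifyAuthorization(ctx.Request.Headers("Authorization")))
        sb.AppendLine("HttpContext user: " & ctx.User.Identity.Name)
        sb.AppendLine("WindowsIdentity: " & id.Name & " (" & id.AuthenticationType & ")")
        ' Impersonation: usable on this server only. Delegation: may be
        ' presented to a second machine, such as the file server behind the share.
        sb.AppendLine("Impersonation level: " & id.ImpersonationLevel.ToString())
        Return sb.ToString()
    End Function
End Module
```

An impersonation level of Impersonation rather than Delegation means the identity is valid on the web server but cannot be forwarded to the machine hosting the share.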


