Re: Troubleshoot Security Issues
From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 03/27/04
- Next message: Ken Schaefer: "Re: aspnet vs IUSR_COMPUTERNAME"
- Previous message: Andrei Suvorov: "apsnet_wp.exe non-default identity vs. System.Web.Mail.SmtpMail"
- In reply to: Raterus: "Re: Troubleshoot Security Issues"
- Next in thread: Raterus: "Re: Troubleshoot Security Issues"
- Reply: Raterus: "Re: Troubleshoot Security Issues"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 27 Mar 2004 18:20:02 +1100
Did you use the SetSpn.exe tool?
If you are accessing a website that is not the same name as the NetBIOS name
for the computer, then the service principal name (SPN) will not be
registered yet. You use the SetSPN.exe tool to do that. When IIS is
installed, it automatically registers the NetBIOS/computername of the server
it's running on.
Cheers
Ken
"Raterus" <raterus@localhost> wrote in message
news:%23yDBPq2EEHA.3788@TK2MSFTNGP10.phx.gbl...
: Oh yea, I forgot to mention that my IIS server hasn't been rebooted since
: starting all of this, could this be the problem? (I can't reboot it now and
: see, it's a live server)
:
: "Raterus" <raterus@localhost> wrote in message
: news:e2fn92zEEHA.696@TK2MSFTNGP12.phx.gbl...
: > Ok, so here it goes,
: >
: > I just spit out the server variables, Auth_Type did = Negotiate, so I guess
: > I did that properly. And I've managed to also figure out that asp.net is
: > impersonating correctly, so I guess the only thing left is delegation...
: >
: > Here is what I've done to get delegation working, I followed your advice and
: > tried to implement everything I saw in this article.
: > http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
: >
: > I'm going to go through these steps as I do this again, just to make sure
: > I've really done them.
: >
: > 1) My browser is authenticating with Kerberos, figured that out from looking
: > at the servervariables
: >
: > 2) Checked the box in IE "Enable Integrated Windows Authentication", and I
: > restarted my computer, even though it didn't specifically warn me to do such.
: >
: > 3) In IIS I have verified that the directory I'm accessing has Integrated
: > Windows Authentication checked, and it is the only thing checked.
: >
: > 4) ASP.net web.config, looks exactly like that example on the website,
: > except that <allow users="*" /> is embedded in the <authorization> tag.
: > That's how I found it, I assume it is supposed to be only there. I've also
: > tried to impersonate using code, and by setting <identity
: > impersonate="true">. I've tried both ways and verified that they both work.
: >
: > note: (My webserver is NOT a domain controller, its OS is windows server
: > 2003, all domain controllers are hosted off of windows 2000 servers)
: >
: > 5) I've found my webserver's computer under active directory
: > users/computers, and checked a box under its general properties "Trust
: > computer for delegation"
: >
: > 6) I've also verified on my webserver that IIS service inetinfo.exe is
: > running under the Localsystem account. The checkbox "Allow service to
: > interact with desktop" is not checked though.
: >
: > 7) I'm not sure if I really need to do this (I hope not), but I've found my
: > user account, and under the Account tab I've checked "Account is trusted for
: > delegation". I hope I don't have to do this, because that would require
: > checking that for each user on our network when this application rolls out!
: >
: > Here is my code that is bombing, note that it only bombs on the webserver, if
: > I run this code locally, on my own IIS server it works great.
: >
: > Dim FolderInfo As New ArrayList
: > Try
: >     ' Per-user folder under the scan share; read with the impersonated identity
: >     Dim dirInfo As New DirectoryInfo(scanUserDirectoriesPath & CStr(Session("username")) & "\")
: >     Dim infoFiles() As FileInfo = dirInfo.GetFiles
: >     Dim infoFile As FileInfo
: >
: >     For Each infoFile In infoFiles
: >         FolderInfo.Add(New NewScans(infoFile.Name, infoFile.CreationTime.ToString, infoFile.FullName))
: >     Next
: >
: >     If FolderInfo.Count = 0 Then
: >         dgScans.Visible = False
: >         hTitle.InnerText = "No " & hTitle.InnerText
: >     Else
: >         dgScans.DataSource = FolderInfo
: >         dgScans.DataBind()
: >     End If
: >
: > Catch ex As Exception
: >     ' Show the exception together with the three identities in play
: >     lblError.Text = ex.ToString & Chr(13) & "HttpContext: " & _
: >         HttpContext.Current.User.Identity.Name & Chr(13) & "WindowsIdentity: " & _
: >         System.Security.Principal.WindowsIdentity.GetCurrent.Name & Chr(13) & _
: >         "Thread: " & System.Threading.Thread.CurrentPrincipal.Identity.Name
: > End Try
: >
: > Any help would be great!
: > --Michael
: >
: >
: > "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
: > news:%2389cAxtEEHA.3096@TK2MSFTNGP11.phx.gbl...
: > > a) You can put a trace on the network -or- you can dump out all the values
: > > in the Request.ServerVariables() collection. If you see something like
: > > Auth_Type: Negotiate, then Kerberos was used. If you see something like
: > > Auth_Type: NTLM then NTLM was used.
: > >
: > > b) Is ASP.Net impersonating correctly? If you have <identity
: > > impersonate="true"> and set authentication to Windows then it should
: > > impersonate.
: > >
: > > c) Is delegation working correctly? I don't know. Why don't you tell us what
: > > you've done, and what's happening?
: > >
: > > Cheers
: > > Ken
: > >
: > > "Raterus" <raterus@localhost> wrote in message
: > > news:e$f2whqEEHA.3576@tk2msftngp13.phx.gbl...
: > > : What is the easiest way to troubleshoot security issues?
: > > :
: > > : I'm trying to set up a delegation scenario, which I wrote a question about
: > > : yesterday. Something isn't working in it, but I feel kind of helpless to
: > > : even know if what I think I set up is actually what is happening in the
: > > : background. For instance, I'm trying to get my asp.net application to
: > > : delegate to another computer to be able to access files on a network share.
: > > : How do I really know my browser is authenticating with Kerberos?, Is asp.net
: > > : impersonating correctly, when it accesses this network share, is delegation
: > > : working correctly?. Lots of issues like this, what is the best way to look
: > > : at this information?
: > > :
: > > :
: > >
: > >
: >
: >
:
:
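
Added example (not part of the original thread): a check that ties the SPN point above to what the browser actually sends. When no SPN matches the host name in the URL, the client puts an NTLM token inside the Negotiate scheme, and NTLM credentials cannot be delegated. The host names, the account name WEB01, the `setspn -L` output and both tokens are constructed samples; on a real server the header value is available as the HTTP_AUTHORIZATION server variable.

```python
import base64

# Constructed sample of `setspn -L WEB01` output: only the names registered
# automatically for the computer account are present.
SETSPN_L = """Registered ServicePrincipalNames for CN=WEB01,CN=Computers,DC=corp,DC=example:
    HOST/WEB01
    HOST/web01.corp.example
"""
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),   # 1.2.840.113554.1.2.2
             bytes.fromhex("06092a864882f712010202"))   # 1.2.840.48018.1.2.2 (Microsoft)

def registered_spns(setspn_output):
    """SPNs from `setspn -L` output (the indented lines), lower-cased."""
    return {ln.strip().lower() for ln in setspn_output.splitlines()
            if ln[:1] in (" ", "\t") and ln.strip()}

def spn_covers(spns, host):
    """True if HTTP/<host> resolves to this account; HOST/<host> also counts,
    because Active Directory maps the http service class to HOST by default."""
    return bool({"http/" + host.lower(), "host/" + host.lower()} & spns)

def negotiate_mechanism(authorization):
    """Classify the token carried in an 'Authorization: Negotiate ...' header."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token:
        return "not-negotiate"
    raw = base64.b64decode(token + "=" * (-len(token) % 4))
    if b"NTLMSSP\x00" in raw:               # raw or SPNEGO-wrapped NTLM message
        return "ntlm"
    if any(oid in raw for oid in KRB5_OIDS):
        return "kerberos"
    return "unknown"

def diagnose(host, account, setspn_output, authorization):
    """Return (mechanism, spn_registered, suggested_command_or_None)."""
    mech = negotiate_mechanism(authorization)
    covered = spn_covers(registered_spns(setspn_output), host)
    fix = None if covered else f"setspn -A HTTP/{host} {account}"
    return mech, covered, fix

# Constructed tokens (not captured traffic): a raw NTLMSSP negotiate message and
# a GSS-API framed blob that carries the Kerberos 5 mechanism OID.
NTLM_HDR = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
KRB_HDR = "Negotiate " + base64.b64encode(
    b"\x60\x82\x01\x00" + KRB5_OIDS[0] + b"\x01\x00").decode()

if __name__ == "__main__":
    print(diagnose("intranet.corp.example", "WEB01", SETSPN_L, NTLM_HDR))
    print(diagnose("web01.corp.example", "WEB01", SETSPN_L, KRB_HDR))
```
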