Re: IIS and FQDN authentication confusion

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 10/11/05

    Date: Tue, 11 Oct 2005 16:51:55 -0500
    
    

    Doh, that is right! Thanks, I was so concentrating on the Kerb
    troubleshooting (that I just did for hours last week) that I forgot that
    case. :)

    He may not even have delegation enabled yet.

    Joe K.

    "Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
    wrote in message news:42565460107a938c79cc2d24d2b42@news.microsoft.com...
    > Hello Joe,
    >
    > if you connect from localhost it always works - because technically it is
    > not a delegation - they just pass the token locally - so it is a single
    > hop only.
    >
    > for the rest i can only agree.
    >
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    >> It sounds like you might not be getting Kerberos authentication to the
    >> web server when you use the FQDN, and thus delegation is not working.
    >> You might check the security logs (assuming logon audits are enabled)
    >> and verify whether Kerberos or NTLM is used.
    >>
    >> Using a packet sniffer like ethereal and also a tool like Wfetch (IIS
    >> 6 resource kit) can also help troubleshoot this stuff.
    >>
    >> If that is the issue, it is possible that you might be missing a
    >> needed SPN for the web server that matches the FQDN which results in
    >> no TGT request being generated on the client end.
    >>
    >> HTH,
    >>
    >> Joe K.
    >>
    >> "Stu Carter" <Stu.Carter@nospam.nospam> wrote in message
    >> news:u4TyqmnzFHA.464@TK2MSFTNGP15.phx.gbl...
    >>
    >>> Hi,
    >>>
    >>> ENV: Windows 2003 Server SP1, IIS6, .Net 1.1
    >>>
    >>> I'd like to know why the authentication and delegation differs when
    >>> accessing a web site using the Fully Qualified Domain Name as opposed
    >>> to 'localhost'.
    >>>
    >>> We have an ASP.Net application which has only 'Integrated
    >>> authentication' enabled on the virtual directory. The ASP.Net
    >>> application accesses a remote resource on behalf of the authenticated
    >>> user.
    >>>
    >>> The authentication and impersonation modes are:
    >>> <authentication mode="Windows" />
    >>> <identity impersonate="true" />
    >>> I test this with 3 authentication scenarios (IE running on the IIS
    >>> server in every one).
    >>>
    >>> 1) I connect to the app using http://localhost/MyApp, everything is
    >>> fine and the remote resource is accessible.
    >>>
    >>> 2) I specify the FQDN - http://mybox.domain.local/MyApp and I am
    >>> prompted for credentials. Now, I know that this is because IE thinks
    >>> I am outside the intranet zone - fair enough. The thing I don't
    >>> understand is that although my credentials are accepted, subsequent
    >>> access to the remote resource is denied ('Access denied' error).
    >>>
    >>> 3) So I thought - OK, must be something to do with basic
    >>> authentication then. So I reconfigured the Virtual directory to have
    >>> only 'Basic Authentication' expecting the same result. I was
    >>> surprised at the outcome - using either localhost or the FQDN worked.
    >>> The web app could access the remote resource on my behalf.
    >>>
    >>> My question is - what is the difference between scenario 2 and 3?
    >>>
    >>> I am thinking that in scenario 2, IE is falling back to 'Basic
    >>> Authentication'? If that is the case, then scenario 3 should not
    >>> work either.
    >>>
    >>> So, is scenario 2 actually 'Basic authentication', but not allowing
    >>> delegation because it thinks I am not on the Intranet?!!
    >>>
    >>> I'd appreciate
    >>> <authentication mode="Windows" />
    >>> <identity impersonate="true" />
    >>>
    >>> Thanks,
    >>> Stuart
    >>> NB. To reproduce - the simple scenario is two servers:
    >>>
    >>> Web Server - ASP.Net app reading a file off of a share on the file
    >>> server.
    >>> File Server
    >
    >

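As an added example (not code from the thread or from any of its posters), a PowerShell check for the two things Joe suggests verifying: whether an HTTP SPN matching the FQDN exists in AD and is held by exactly one account, and whether recent network logons to the web server used Kerberos or NTLM. It assumes the hostname mybox.domain.local from Stuart's post, a domain-joined host, and the Vista/2008+ security event ID 4624; the Windows 2003 box in the thread logs event 540 for the same thing.

```powershell
# Added example, not from the thread. Checks SPN coverage and logon auth package.
param(
    [string]$Fqdn = 'mybox.domain.local'   # placeholder hostname taken from the post
)

# Returns the sAMAccountNames holding a given SPN (empty = missing, >1 = duplicate).
function Find-SpnOwners {
    param([string]$Spn)
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    return @($searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })
}

$short = $Fqdn.Split('.')[0]
# Kerberos asks for HTTP/<name>. HOST/<name> only covers IIS when the app pool runs
# as Network Service or LocalSystem; a domain app-pool account needs HTTP/ itself.
foreach ($spn in "HTTP/$Fqdn", "HTTP/$short", "HOST/$Fqdn", "HOST/$short") {
    $owners = Find-SpnOwners $spn
    switch ($owners.Count) {
        0       { "{0,-40} NOT FOUND (client will fall back to NTLM)" -f $spn }
        1       { "{0,-40} registered to {1}" -f $spn, $owners[0] }
        default { "{0,-40} DUPLICATE on {1} (Kerberos will fail)" -f $spn, ($owners -join ', ') }
    }
}

# Which package did recent network (type 3) logons to this server use?
# Event 4624 is the Vista/2008+ id (assumption); Windows 2003 uses event 540.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 200 |
    ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.LogonType -eq '3') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $data.TargetUserName
                Package = $data.AuthenticationPackageName   # Kerberos or NTLM
            }
        }
    } | Group-Object Package | Select-Object Name, Count
```

Run it as an administrator on the web server, since reading the Security log requires elevated rights; a run that shows only NTLM logons alongside a missing HTTP SPN matches the failure Joe describes.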
