Re: Integrated Windows Authentication Timeout?
- From: Bradley Landis <BradleyLandis@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 3 Apr 2007 08:48:02 -0700
Okay, so I have narrowed the problem down to Kerberos Authentication. When a
user first visits the site all authenticiation is done via Kerberos. After
the period of inactiity, the next hit to the web site authenticates using
NTLM for some reason. Since we have Constrained Delegation set up as
"Kerberos Only" it does not forward the NTLM credentials to the database
server. This results in the "NT AUTHORITY\Anonymous logon" error.
So the question is why does it fall back to NTLM after a period of
inactivity of about 30 minutes? I have used kerbtray.exe to look at the
tickets and they all say 10 hours until expiration with 7 days of renewal.
Should I edit the Metabase on the web server to not allow NTLM? Would that
force the authentication to Kerberos or would the authentication just fail?
Thanks,
Bradley
"anonymous" wrote:
I found this, do you think it could be related:.
http://technet2.microsoft.com/WindowsServer/en/library/b36b8071-3cc5-46fa-be13-280aa43f2fd21033.mspx?mfr=true
S4UTicketLifetime
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Version
Windows Server 2003
This entry controls the lifetime, in minutes, of tickets obtained by S4U
proxy requests. This entry does not exist in the registry by default. The
default value is 15 minutes.
"anonymous" wrote:
Okay, I got rid of the viewstate error. But I still get the authentication
error after 20 minutes of inactivity. I have tried disabling the "shutdown
idle worker processes", and "recycle worker processes" options on the
application pool with no change in this behavior.
Does anyone have any ideas of what could be going wrong? Or suggestions of
specific things for me to audit or log that might point me in the right
direction?
"Joe Kaplan" wrote:
No I don't. That's an interesting observation and I don't know if that is
coincidence or not. The first thing to do would be to figure out how the
viewstate got corrupted, but I'm not really much of a viewstate expert, so
I'm not really sure what the best bet is for troubleshooting that problem.
Someone else will certainly know though. :)
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"anonymous" <anonymous@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2B0B127F-D89B-4702-9450-A7D08F5A5908@xxxxxxxxxxxxxxxx
Seems like this event correlates to the error:
"Viewstate verification failed. Reason: The viewstate supplied failed
integrity check."
Any idea what is going on?
"Joe Kaplan" wrote:
Like I said before, I've never seen this, so I'm not sure what the likely
culprit is. However, you might want to see if your app pool is recycling
and if there is a correlation there. You should see events in the System
event log indicating a recycle event.
Also, I'd suggest bumping up the auditing on both the web server and SQL
server so that you are auditing both logon success and failure messages.
That way, you should get more diagnostic info in the security event log
as
to what is transpiring.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"anonymous" <anonymous@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:34C2A7A8-B2CA-4880-A024-08A1326CBE61@xxxxxxxxxxxxxxxx
Joe,
Thanks for the reply. It does happen on the attempt to connect to the
SQL
Server. I have not been able to reproduce it with the same setup on
IIS
5.0
if that helps. Can something with the Application Pool be timing out?
"Joe Kaplan" wrote:
Is that exception thrown by the connection attempt to SQL (thus an
error
in
the delegation) or does that happen at the browser level? Can you
show a
stack trace?
IWA doesn't time out, although Kerberos tickets can expire. 20
minutes
sounds way too short to have anything to do with that though.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Bradley Landis" <BradleyLandis@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:76CA1BCC-67A8-462A-A41D-F3D082DB395F@xxxxxxxxxxxxxxxx
Environment:
IIS 6.0
ASP.NET 2.0
Integrated Windows Authentication
Identity impersonate=true
Constrained Delegation set to impersonate user while connecting to
SQL
Server
Problem scenario:
Everything above works perfectly well except when the user leaves a
page
sit
idle for 20 minutes or so. At that point if they come back and
click a
link
on the page the following error is thrown:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
I do not use any session data so the session timeout should not be
the
problem. I tried extending the session timeout anyway as an
experiment
and
it did not have any effect. I know there are other timeouts
associated
with
Forms Authentication, but are there other timeouts associated with
Integrated
Windows Authentication? If so, how and where do I configure them.
Thank you,
Bradley
- Follow-Ups:
- Re: Integrated Windows Authentication Timeout?
- From: Joe Kaplan
- Re: Integrated Windows Authentication Timeout?
- Prev by Date: Re: basic authentication by code -- help needed!!!
- Next by Date: Re: Integrated Windows Authentication Timeout?
- Previous by thread: basic authentication by code -- help needed!!!
- Next by thread: Re: Integrated Windows Authentication Timeout?
- Index(es):
Relevant Pages
|
|
