Re: IIS6 - Integrated Authentication Probs

From: JayDee (darius_falt_at_hotmail.com)
Date: 10/23/03

    Date: Thu, 23 Oct 2003 11:24:35 +0100
    
    

    ...and my response....

    -->

    "Ken

    Adding to my previous post,

    I misled you slightly (actually I was misled myself!!!)
    I'm actually running in win2000 mixed mode, not win2003 native mode, for my
    domain infrastructure

    even though my servers are 2k3 - I haven't made the jump yet, because I'm
    still in the middle of a migration
    So I can't go the whole way with constrained delegation,
    but reading between the lines on the IIS RK Docs (Chap5, pp469) I have
    enabled "trust computer for delegation" in the W2K3 computer account
    webserver in DSA.MSC
    There's a note below this option that says that this will only enable delegation
    for services running under Local System.

    My web app is running in IIS5 isolation mode, which means it will run under
    an IWAM account not the Local System,
    Suffice to say, I'm not entirely surprised that this doesn't seem to fix my
    problem.

    At the moment I'm stuck again.

    does this mean I'm stuffed?

    J"

    "JayDee" <darius_falt@hotmail.com> wrote in message
    news:#RsHE8UmDHA.1676@TK2MSFTNGP09.phx.gbl...
    > here's the help provided by the illustrious Ken.
    >
    > -->
    >
    > "The "problem" isn't really a problem - it's expected behaviour.
    >
    > When you use IWA, your user password is never sent across the wire - that's
    > what makes it more secure than Basic authentication. However, the token that
    > the webserver gets from the Domain Controller doesn't have permission to
    > logon to other network resources.
    >
    > When you use Basic authentication, your username *and* password are
    > transmitted, in the clear, to the webserver, who can then "act" on your
    > behalf (as if you were logged on at the webserver) and get access to network
    > resources
    >
    > (I'm sure the actual way this works is a little more complex, but this
    > should suffice for the purposes of your dilemma).
    >
    > OK, so what do you do about it?
    >
    > With Windows 2000 you need to enable delegation (Windows 2003 allows for
    > constrained delegation which is much "safer" in that you can restrict the
    > services that are delegated). Now, you say you have a Windows 2003 native
    > mode domain? If so, then you need to follow the delegation procedure
    > outlined in Chapter 5 (IIRC) of the IIS 6 Resource Kit:
    >
    > http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=80A1B6E6-829E-49B7-8C02-333D9C148E69
    >
    > Cheers
    > Ken"
    >
    >
    >
    >
    > "JayDee" <darius_falt@hotmail.com> wrote in message
    > news:OXWNq4UmDHA.1708@TK2MSFTNGP12.phx.gbl...
    > > I originally posted this in IIS group,
    > > but I thought I'd try here,
    > >
    > > I'm really stuck getting integrated authentication to work across a web
    > > server to a UNC share on another server
    > >
    > > If anyone feels so inclined, I'd really appreciate any help on offer.
    > >
    > > Here's the problem
    > >
    > > It seems that when I use "integrated authentication" that the credentials
    > > parsed from my browser to the web server are not being used correctly by the
    > > webserver to authenticate me on the target resource: The target resource -
    > > as I mentioned - is located on another machine.
    > >
    > > How do I know this?
    > >
    > > a) - I can see in the log files that the correct credentials are being
    > > parsed from my browser to the webserver.
    > > b) - Despite the fact these credentials are being parsed, I'm still being
    > > asked to present credentials by way of the browser 'Username and Password'
    > > dialogue box.
    > > c) - Even if I manually present valid credentials at this dialogue box, I'm
    > > still not able to authenticate to the target resource. After 3 attempts at
    > > entering info into the Dialogue, I get the same 401.3 Error - "Unauthorized:
    > > Access is denied due to an ACL set on the requested resource"
    > >
    > > Hence - this is a general problem with the way the web server is using my
    > > credentials to authenticate with the target resource.
    > >
    > > If I change the Authentication method from "Integrated" to "Basic", I am
    > > always prompted for credentials, this is expected.
    > > This time, if I enter valid credentials, then the Web Server gives me access
    > > to the resource I need.
    > >
    > > So the problem here seems to be in how the IIS6 Web Server parses my
    > > credentials for authentication on the target resource, but ONLY when it's
    > > handling it via INTEGRATED AUTHENTICATION
    > >
    > > I thought that it might be something to do with NTLM versus Kerberos,
    > > but this just adds to my confusion as in my test instance everything should
    > > be working with Kerberos,
    > >
    > > Here's the setup.
    > >
    > > It's a W2K3 native mode domain,
    > > with a W2K3 Web Server and IIS 6.
    > > The client machine is WinXP Pro SP1a
    > > The user and computer accounts are both members of this W2K3 Domain,
    > >
    > > I'm trying to digest the info I've found in the article 332142,
    > > I'll also try manually setting the authentication method by adapting the
    > > IIS5 procedure given in 215383,
    > >
    > >
    > > But I'm completely in the dark here. I could really really use some MS help on
    > > this.
    > >
    > >
    > > Anyone out there?
    > >
    > >
    > > thanks people - I really appreciate your time.
    > >
    > >
    > >
    > >
    >
    >
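
The two delegation settings discussed in this thread, as an added example that is not part of the original posts: it classifies accounts from their `userAccountControl` flags and `msDS-AllowedToDelegateTo` list, checks whether a second hop (web server to a `cifs/` file share) is permitted by those settings, and lists non-DC accounts left with unconstrained delegation. All account names and hosts are constructed, and the check is a simplified model of the directory settings only.

```python
"""Added example: read Kerberos delegation settings from directory attributes.
Flag values are the documented userAccountControl bits; all records are constructed.
"""
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000   # member computer account
SERVER_TRUST_ACCOUNT = 0x2000        # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000     # unconstrained: "trust for delegation"
NOT_DELEGATED = 0x100000             # "sensitive and cannot be delegated"


def delegation_mode(entry):
    """Return 'unconstrained', 'constrained' or 'none' for one account."""
    if entry["userAccountControl"] & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if entry.get("msDS-AllowedToDelegateTo"):
        return "constrained"
    return "none"


def can_forward(service, user, target_spn):
    """Would the settings let `service` act as `user` at `target_spn`?"""
    if user["userAccountControl"] & NOT_DELEGATED:
        return False
    mode = delegation_mode(service)
    if mode == "constrained":
        allowed = {s.lower() for s in service["msDS-AllowedToDelegateTo"]}
        return target_spn.lower() in allowed
    return mode == "unconstrained"


def audit(entries):
    """Names of non-DC accounts that may forward users to any service."""
    return [e["name"] for e in entries
            if delegation_mode(e) == "unconstrained"
            and not e["userAccountControl"] & SERVER_TRUST_ACCOUNT]


# Constructed records (hypothetical names): web servers, a DC, two users.
WEB01 = {"name": "WEB01$",
         "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION}
WEB02 = {"name": "WEB02$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
         "msDS-AllowedToDelegateTo": ["cifs/files01.example.com"]}
DC01 = {"name": "DC01$",
        "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION}
ALICE = {"name": "alice", "userAccountControl": NORMAL_ACCOUNT}
ADMIN = {"name": "admin", "userAccountControl": NORMAL_ACCOUNT | NOT_DELEGATED}

if __name__ == "__main__":
    print(audit([WEB01, WEB02, DC01, ALICE]))
```
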

