Re: Windows integrated authentication with site content on UNC share...
From: Prasad Dabak (pdabak_at_yahoo.com)
Date: 01/23/04
- In reply to: Ken Schaefer: "Re: Windows integrated authentication with site content on UNC share..."
Date: 23 Jan 2004 07:51:03 -0800
Hello,
> a) is the webserver sending the "Negotiate" authentication header
How do I verify this?
> b) are the client browsers able to support Kerberos authentication
Yes. I am using IE 6 on Windows 2003.
> c) what steps do you take to enable delegation for both computers *and* user
> accounts in question
I have configured the AD such that the web server and the
DOMAIN\testuser are trusted for delegation. For web server, I did this
by right clicking on web server computer account and enabled the
checkbox for "Trust computer for delegation". For user, I did this by
right clicking on the user account, went to "Account" tab and enabled
the checkbox "Account is trusted for delegation" under account
options. I verified that "Account is sensitive and cannot be
delegated" is turned off.
BTW, I turned on auditing and Kerberos logging and I am receiving some
errors in the event log on the AD and the web server.
On the web server, in the security log, I get the following error:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 1/23/2004
Time: 5:58:36 AM
User: NT AUTHORITY\SYSTEM
Computer: WEBSERVER
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: testuser
Source Workstation: PRASAD-LT
Error Code: 0xC0000064
In the System log, I get the following error:
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date: 1/23/2004
Time: 5:58:36 AM
User: N/A
Computer: WEBSERVER
Description:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 0:28:36.0000 1/23/2004 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: DOMAIN.COM
Server Name: host/webserver.domain.com
Target Name: host/webserver.domain.com@WEBSERVER.DOMAIN.COM
Error Text:
File: 9
Line: ab8
Error Data is in record data.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 30 15 a1 03 02 01 03 a2 0.¡....¢
0008: 0e 04 0c bb 00 00 c0 00 ...»..À.
0010: 00 00 00 03 00 00 00 .......
On the AD, in the security log, I am getting the following:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 673
Date: 1/23/2004
Time: 5:58:36 AM
User: NT AUTHORITY\SYSTEM
Computer: DC
Description:
Service Ticket Request:
User Name:
User Domain: DOMAIN.COM
Service Name: host/webserver.domain.com
Service ID: -
Ticket Options: 0x40830000
Ticket Encryption Type: -
Client Address: 10.72.36.5
Failure Code: 0xD
Logon GUID: -
Transited Services: -
Thanks.
-Prasad
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message news:<#Ulx8uU4DHA.1752@tk2msftngp13.phx.gbl>...
> You are indeed running into a delegation issue.
>
> However there are a number of things you need to do to get this all working,
> and you haven't provided enough details:
>
> a) is the webserver sending the "Negotiate" authentication header
> b) are the client browsers able to support Kerberos authentication
> c) what steps do you take to enable delegation for both computers *and* user
> accounts in question
>
> The following KB article has steps for IIS -> SQL Server, and you'd need to
> follow something similar for IIS -> Remote file server:
> http://support.microsoft.com/?id=319723
>
> Can you outline the exact steps that you took? We may be able to spot
> something that you missed.
>
> Cheers
> Ken
>
>
>
> "Prasad Dabak" <pdabak@yahoo.com> wrote in message
> news:96ca2fd2.0401220732.30a028de@posting.google.com...
> : Hello,
> :
> : I have the following setup
> :
> : Machine setup
> : -------------
> : Windows 2003 Domain Controller (Domain function level is Windows 2000
> : native). Windows 2003 server running IIS 6
> : Windows 2003 server acting as a file server.
> :
> : Configuration
> : -------------
> : 1. The file server has a share called "WEBCONTENT" that has Everyone
> : full control permissions.
> : 2. There is a website on the web server whose webroot points to
> : \\FileServer\WEBCONTENT\wwwroot. The web site is configured to use
> : Integrated Windows Authentication. Anonymous access is enabled for the
> : site.
> : 3. The anonymous user of the website is DOMAIN\IUSR_testuser (AD
> : user). This user has Read permissions on the entire file system
> : pointed by \\FileServer\WEBCONTENT\webroot
> : 4. There is another user called DOMAIN\testuser (AD user). This user
> : has full control on the entire file system pointed by
> : \\FileServer\WEBCONTENT\webroot.
> : 5. The DOMAIN\WebServer computer account has full control on the
> : entire file system pointed by \\FileServer\WEBCONTENT\webroot
> : 6. I have configured the AD such that the web server and the
> : DOMAIN\testuser are trusted for delegation.
> :
> : I am able to successfully browse the web site. No issues here.
> :
> : Now, the problem that I am facing:
> :
> : There is one page under \\FileServer\WEBCONTENT\wwwroot say
> : protected.htm. I have configured the metabase such that this file does
> : not have anonymous access enabled for it. Hence, when I access this
> : page, I get an authentication box. However, despite entering the
> : correct account name, i.e. DOMAIN\testuser, it is not allowing me to
> : browse the page. After 3 attempts it throws HTTP Error 401.3.
> :
> : Now, if I just switch the web site from "Windows integrated
> : authentication" to "Basic authentication", it all works fine.
> :
> : I am pretty sure, that, this is an issue with delegation. However, I
> : think, I am following all the steps required for delegation. I used
> : the following article for reference.
> :
> :
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/deploy/confeat/RemStorg.asp
> :
> : I have seen numerous posts on this forum related to this issue, but
> : could not find any closure.
> :
> : Can anyone shed some light on this?
> :
> : Thanks.
> : -Prasad
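The "Data" bytes in the Kerberos Event ID 3 entry above can be decoded rather than read off the screen. What follows is an added example, not code from the original post: it parses the DER-encoded KERB-ERROR-DATA structure (MS-KILE) that Windows attaches to KDC error events, and the KERB-EXT-ERROR payload inside it, which carries the NTSTATUS the event summarises as "Extended Error: 0xc00000bb". The byte string is copied from the event's Data field; the small NTSTATUS name table and the field names are assumptions drawn from the MS-KILE layout (status, reserved, flags), not from the thread.

```python
"""Decode the Data field of a Windows Kerberos Event ID 3 (KDC error) entry.

Added example, not part of the original post. Parses the DER-encoded
KERB-ERROR-DATA (MS-KILE) and the KERB-EXT-ERROR payload it carries.
"""
from dataclasses import dataclass
import struct

# Bytes copied from the event's Data field (offsets 0000-0016 in the post).
EVENT_DATA = bytes.fromhex(
    "30 15 a1 03 02 01 03 a2"
    "0e 04 0c bb 00 00 c0 00"
    "00 00 00 03 00 00 00"
)

KERB_ERR_TYPE_EXTENDED = 3  # MS-KILE: data-value holds a KERB-EXT-ERROR

# Minimal NTSTATUS table (assumed); only the codes that appear in this thread.
NTSTATUS_NAMES = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC00000BB: "STATUS_NOT_SUPPORTED",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value element (short-form length only, which is
    all KERB-ERROR-DATA needs). Returns (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form DER length not expected here")
    start = pos + 2
    end = start + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], end


@dataclass
class KerbExtError:
    status: int    # NTSTATUS, little-endian on the wire
    reserved: int
    flags: int

    @property
    def status_name(self):
        return NTSTATUS_NAMES.get(self.status, "unknown NTSTATUS")


def decode_kerb_error_data(data):
    """KERB-ERROR-DATA ::= SEQUENCE {
         data-type  [1] INTEGER,
         data-value [2] OCTET STRING OPTIONAL }
    Returns (data_type, data_value_or_None)."""
    tag, seq, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    pos, data_type, data_value = 0, None, None
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag == 0xA1:                       # [1] data-type
            itag, ival, _ = _read_tlv(body, 0)
            if itag != 0x02:
                raise ValueError("data-type must be INTEGER")
            data_type = int.from_bytes(ival, "big", signed=True)
        elif tag == 0xA2:                     # [2] data-value
            otag, oval, _ = _read_tlv(body, 0)
            if otag != 0x04:
                raise ValueError("data-value must be OCTET STRING")
            data_value = oval
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
    if data_type is None:
        raise ValueError("missing data-type")
    return data_type, data_value


def decode_kerb_ext_error(value):
    """KERB-EXT-ERROR: three little-endian 32-bit fields: status, reserved, flags."""
    if len(value) != 12:
        raise ValueError("KERB-EXT-ERROR must be exactly 12 bytes")
    status, reserved, flags = struct.unpack("<III", value)
    return KerbExtError(status, reserved, flags)


def decode_event_data(data):
    """Full decode of an Event ID 3 Data field to a KerbExtError."""
    data_type, value = decode_kerb_error_data(data)
    if data_type != KERB_ERR_TYPE_EXTENDED:
        raise ValueError(f"unhandled KERB-ERROR-DATA data-type {data_type}")
    return decode_kerb_ext_error(value)


if __name__ == "__main__":
    err = decode_event_data(EVENT_DATA)
    print(f"status=0x{err.status:08X} ({err.status_name}) "
          f"reserved={err.reserved} flags={err.flags}")
```

On the event data this yields status 0xC00000BB (STATUS_NOT_SUPPORTED), reserved 0 and flags 3, agreeing with the "Extended Error" line the event already prints. The same NTSTATUS reading applies to the Event ID 680 entry: its 0xC0000064 is STATUS_NO_SUCH_USER, and the package named there, MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 (MSV1_0), is the NTLM package, so that particular logon attempt was not a Kerberos one.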