Re: Windows Authentication problem with IIS6 (Win2k3)

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 07/08/04

    Date: Thu, 8 Jul 2004 00:34:11 -0700
    
    

    This is a FAQ and is actually mentioned in documentation in the same section
    that talks about how to configure Application Pool Identity.

    http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/ca_cfgwrkridentity.asp

    It happens in the following circumstance:
    1. Application Pool Identity is Custom
    2. Authentication Protocol is Integrated
    3. Server is in a domain

    This, together with the default value of NtAuthenticationProviders of
    Negotiate,NTLM, causes the 401.1 to be returned.

    The fix, of course, is to either set NtAuthenticationProviders to be NTLM
    (to not trigger Kerberos), or use setspn to set a service name under the
    Custom AppPool Identity.

    Many people have asked this exact question, but really, there is not a lot
    that we can do other than give you documentation that should be read before
    using Custom App Pool Identity. I've also heard of many people getting
    tricked by the extra ""s being added to the property value when using
    ADSUTIL.VBS -- I've personally never had problems setting that property with
    or without ""s.

    -- 
    //David
    IIS
    This posting is provided "AS IS" with no warranties, and confers no rights.
    //
    "David Slinn" <dslinn@accesscomm.ca> wrote in message
    news:%23MarTFKZEHA.996@TK2MSFTNGP12.phx.gbl...
    Jeff - Thank you SOOOOO much - your suggestion to check out the IIS
    Operations Guide (which I didn't even know existed) led me to the page
    titled "Force NTLM Authentication".  It showed how to open the IIS
    MetaBase.xml file in notepad and locate the NTAuthenticationProviders
    property.  Once I found it, this is what it was set to:
        NTAuthenticationProviders=""Negotiate, NTLM""
    * Note the double quotes on either end.
    The page talked about deleting Negotiate part, but I found that my error was
    actually caused by the double quotation marks - evidently left there by the
    adsutil.vbs script I had run previously.  It "inserted" a quoted string
    inside the existing quotes - which caused IIS all sorts of grief.  I removed
    the extra quotes, setting it to NTAuthenticationProviders="Negotiate, NTLM".
    Presto - it worked instantly.  For good measure, I also tried
    NTAuthenticationProviders="NTLM".  That also worked great.  The only
    difference being that the dual provider caused the IE login dialog to
    appear, regardless of the IE setting regarding Enabling Integrated Windows
    Authentication.  I have a hunch that may be related to the fact that my IIS
    Application Pool runs as a domain user and not as a local machine account,
    but I'll investigate further later.
    There was obviously a bit of luck involved in finding this error - I hope
    this post helps the next person to encounter this issue and saves them the
    frustration I've gone through the past 24 hours.
    Still - I can't complain too much - I still prefer a tightly locked-down
    system that you have to open as opposed to previous IIS incarnations that
    are causing all kinds of security grievances.  I sleep better at night
    knowing that if it took me this long to get something working, with full
    Administrator rights, documentation and access, script-kiddies have got
    their work cut out for them.  :)
    - Dave
    "Jeff Cochran" <jeff.nospam@zina.com> wrote in message
    news:40ef76a7.1070541647@msnews.microsoft.com...
    > On Wed, 7 Jul 2004 12:31:50 -0600, "Dave Slinn" <dslinn@accesscomm.ca>
    > wrote:
    >
    > [  Answered inline ]
    >
    > >I have been wrestling with IIS6 security settings - I used to be able to do
    > >this under older versions of IIS, but I can't seem to get it to work right
    > >in IIS6.
    > >
    > >We have a Windows 2003 Domain (pure 2K3).  I want to use Windows
    > >Authentication for our Intranet applications that we write using ASP.NET.
    > >
    > >I believe the problem to be something related to the Kerberos technology,
    > >but I don't know enough about it to resolve my issue.  Basically, when I
    > >enable Integrated Windows Authentication as the Authentication method for my
    > >application, users (who are logged on locally to the same network as the web
    > >server) are prompted for a login and password.  After entering the username
    > >and password and clicking OK, the login dialog reappears, asking for the
    > >info again (even though it's still filled in).  Clicking OK again and the
    > >same thing happens.  The third time you click OK, you get the following
    > >error:
    > >
    > > - HTTP Error 401.2 - Unauthorized: Access is denied due to server
    > >configuration.  Internet Information Services (IIS)
    > >
    > >Checking the Event log, under the Security category, multiple entries of the
    > >following exist:
    > >
    > >Error Event ID: 529 - Failure Audit
    > >    Logon Failure:
    > >    Reason: Unknown user name or bad password
    > >    User Name:
    > >    Domain:
    > >    Logon Type: 3
    > >    Logon Process: Kerberos
    > >    Authentication Package: Kerberos
    > >    Workstation Name: -
    > >    Caller User Name: -
    > >    Caller Domain: -
    > >    Caller Logon ID: -
    > >    Caller Process ID: -
    > >    Transited Services: -
    > >    Source Network Address: 172.16.87.77
    > >    Source Port: 0
    > >
    > >
    > >First off - why is the browser prompting for a login name and password in
    > >the first place?  Shouldn't integrated windows authentication use their
    > >Windows credentials?  Oh yeah - I have checked - their browsers DO have the
    > >Enable Integrated Windows Authentication setting checked in their browser
    > >(which is IE6) advanced settings.
    >
    > But that doesn't mean IE will pass credentials.  If IE suspects the
    > site is not in an intranet or trusted zone, it doesn't pass
    > credentials.  Add your domain to the intranet security zone in IE.
    >
    > >Secondly, I know I am not typing a bad username or password - it's the same
    > >one I use to log on to Windows in the first place.  At first I thought the
    > >account was locked out, but that wasn't it.
    >
    > Is the web server in the domain?  I'm assuming it's a domain account
    > you use.
    >
    > >After spending several hours trying to find some help on the web and in the
    > >MS knowledgebase, I came across a couple of articles (mostly relating to
    > >Windows 2000) that talked about Kerberos and Delegation.
    > >
    > >One article talked about ensuring the computer can be trusted for
    > >delegation - so, in Active Directory, I changed the Computer Account for the
    > >Web server (on the Delegation tab) from "Do not trust this computer
    > >delegation" to "Trust this computer for delegation to any server (Kerberos
    > >only)".  There is a third option, "Trust this computer for delegation to
    > >specified services only" where it then offers to Use Kerberos only or Any
    > >authentication protocol and you can define services for the account.  Would
    > >that option make a difference?  What services do I add underneath?
    > >
    > >I also tried another article suggestion, which was to modify the IIS
    > >MetaBase using the adsutil.vbs script to set the "Negotiate,NTLM" parameter.
    > >At first, neither option was set.  Then I set both (Negotiate and NTLM).  No
    > >change.  Then tried just NTLM - still no luck.
    > >
    > >The same article discussed using the SetSPN resource kit tool to add the
    > >HTTP protocol, which I also did, and then I added HOST, but alas, neither
    > >setting helped.
    > >
    > >For some reason, I just can't seem to get Integrated Windows Authentication
    > >to work on this web server (Windows 2003 Web Edition).
    > >
    > >Basically, I am looking for a checklist of things I can check and
    > >double-check to see if there is a configuration setting that I am missing to
    > >get this to work.
    >
    > Have you looked at:
    >
    > http://www.iisfaq.com/Default.aspx?tabid=2531
    > http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/sec_auth_aboutauth.mspx
    >
    > Jeff
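The thread identifies two separate causes for the 401 loop: the stray quotes that adsutil.vbs left around the NTAuthenticationProviders value (Dave Slinn's finding), and the Negotiate + custom-identity + domain-member combination that makes IE attempt Kerberos with an SPN the pool account does not own (David Wang's FAQ). The script below is an added example, not code from the thread or from Microsoft: it scans a MetaBase.xml for both conditions and prints the fix each one calls for. It assumes the documented IIS 6 metabase names AppPoolIdentityType (3 = specific user) and WAMUserName; the sample metabase, the CORP\svc-intranet account and the web1 hostnames are constructed for the example.

```python
"""Diagnose the IIS 6 Integrated Windows Authentication failure from this thread.

Added example (not from the thread or Microsoft). Scans MetaBase.xml as text,
because a value wrapped in doubled quotes is not well-formed XML, and reports:
  1. NTAuthenticationProviders stored with extra quotes (the adsutil.vbs mishap);
  2. Negotiate enabled while an application pool runs as a custom domain account
     on a domain-joined server, so IE tries Kerberos against an unregistered SPN.
Metabase names AppPoolIdentityType (3 = specific user) and WAMUserName are the
documented IIS 6 names; the sample data, account and hostnames are invented.
"""
import re
from typing import Dict, List

# Constructed sample shaped like an IIS 6 MetaBase.xml (values invented).
# The doubled quotes on NTAuthenticationProviders reproduce what Dave Slinn saw.
SAMPLE_METABASE = '''<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProp>
<IIsWebService Location="/LM/W3SVC" NTAuthenticationProviders=""Negotiate, NTLM"" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/IntranetPool"
    AppPoolIdentityType="3" WAMUserName="CORP\\svc-intranet" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/Root" AppPoolId="IntranetPool"
    AuthFlags="AuthNTLM" />
</MBProp>
</configuration>'''

# IIS 6 default when the property is absent, as David Wang states above.
DEFAULT_PROVIDERS = ["Negotiate", "NTLM"]

# ("+) captures the run of opening quotes and \1 demands the same run at the
# end, so both "NTLM" and ""Negotiate, NTLM"" are matched as one value.
PROVIDERS_RE = re.compile(r'NTAuthenticationProviders=("+)(.*?)\1')
POOL_RE = re.compile(r'<IIsApplicationPool\s+Location="([^"]+)"(.*?)/>', re.S)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_providers(metabase_text: str) -> Dict[str, object]:
    """Return the provider list and whether the stored value carries stray quotes."""
    m = PROVIDERS_RE.search(metabase_text)
    if not m:
        return {"raw": None, "providers": list(DEFAULT_PROVIDERS), "stray_quotes": False}
    outer, inner = m.group(1), m.group(2)
    # A second literal quote, or an escaped &quot;, means the stored value itself
    # begins with a quote character, so IIS recognises none of the providers.
    stray = len(outer) > 1 or inner.startswith("&quot;")
    cleaned = inner.replace("&quot;", "").strip('"')
    providers = [p.strip() for p in cleaned.split(",") if p.strip()]
    return {"raw": outer + inner + outer, "providers": providers, "stray_quotes": stray}


def custom_identity_pools(metabase_text: str) -> List[Dict[str, str]]:
    """Application pools whose identity is a specific account (AppPoolIdentityType=3)."""
    pools = []
    for location, attr_text in POOL_RE.findall(metabase_text):
        attrs = dict(ATTR_RE.findall(attr_text))
        if attrs.get("AppPoolIdentityType") == "3":
            pools.append({"location": location, "account": attrs.get("WAMUserName", "")})
    return pools


def diagnose(metabase_text: str, server_in_domain: bool, hostnames: List[str]) -> List[str]:
    """Findings for the two failure modes in the thread (empty list means clean)."""
    findings = []
    info = parse_providers(metabase_text)
    if info["stray_quotes"]:
        findings.append(
            f"NTAuthenticationProviders is stored as {info['raw']}: the extra quotes "
            f"are part of the value. Set it to \"{','.join(info['providers'])}\".")
    negotiate = any(p.lower() == "negotiate" for p in info["providers"])
    if negotiate and server_in_domain:
        for pool in custom_identity_pools(metabase_text):
            spns = " ".join(f"HTTP/{h}" for h in hostnames)
            findings.append(
                f"{pool['location']} runs as {pool['account']} with Negotiate enabled "
                f"on a domain member: IE will try Kerberos, so register {spns} to that "
                "account with setspn -A, or set NTAuthenticationProviders to NTLM.")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_METABASE, True, ["web1", "web1.corp.example"]):
        print("-", line)
```

Both repairs the script recommends are the ones the thread names: `cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"` drops Negotiate so IE falls back to NTLM, and `setspn -A HTTP/<host> DOMAIN\user` (normally run once for the NetBIOS name and once for the FQDN) lets Kerberos succeed while keeping the custom identity. Check the result with `setspn -L DOMAIN\user`: if HTTP/<host> is still listed under the machine account instead, the ticket is encrypted with a key the worker process cannot use and the 401 loop persists.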
    

