Re: ASP.NET, IIS 6 Integrated Win Authentication, Domain usage
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: Fri, 6 May 2005 00:18:59 -0700
The IIS6 documentation that shows you how to use "Configurable Worker
Process Identity" and add to IIS_WPG actually explicitly calls out this
scenario and how to correctly configure things. Just read the documentation.
I would give you the URL, but it is currently broken on microsoft.com and I
haven't found the new link.
In the local server case, Integrated Windows authentication uses NTLM and
things work as you describe. In the domain case, Integrated Windows
authentication uses Kerberos by default and you need to do the setspn steps.
You basically either:
1. Configure Kerberos correctly to get rid of the popups
2. Configure IIS to use NTLM in a domain (less secure)
Windows Server 2000 did not see this because it didn't give you the
configurability to hang yourself:
1. IIS ran as LocalSystem (no need to setspn)
2. ASP.Net controlled the process identity of the managed code
Windows Server 2003 is different because:
1. IIS runs as the configured process identity (if not
LocalSystem/NetworkService, need to setspn)
2. ASP.Net does not control the process identity
Re: Question 1
> If the web server is in the domain, do I need a domain account to
> use as the mirror account? Is it not possible with a mirrored local
Not an IIS issue. You are talking about Kerberos, Active Directory, and
machine accounts, none of which have anything to do with IIS. :-)
Re: Question 2
> Then, the popup went away. At least for a while :) In a specific
> part of the application, I'm seeing the popup once again! This
> time I see an error telling me that the WebUIValidation.js script
> could not be found.
This is clearly not the same popup as Question 1. Lack of permissions results
in access denied failures (like the password popups), not "[resource] could
not be found".
Troubleshooting servers starts from log files (since security practices state
that error messages to the user should not be descriptive since that leaks
security information). By default, the .js extension should be downloadable, so
you want to find the request for the WebUIValidation.js script in the log
file and report the log line here.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Ethem Azun" <EthemAzun@discussions.microsoft.com> wrote in message news:8DCA9636-7500-4AD3-8CD9-5E3DA9EA15C7@microsoft.com...

Hi,

First of all, I must say that I'm a developer and I have only general operational knowledge about IIS 6.0.

We have two test web servers; one of them is in a domain, and the other is not. (Both Win 2003, no service packs, we are still examining SP side-effects). We are trying to install an ASP.NET 1.1 app on both servers. The application was previously running on Win2000 and Win XP Pro with IIS 5.1 without problems.

The application uses integrated Windows authentication with trusted subdomains (mirror accounts) to connect to a SQL Server running on a Win2k machine. This machine is also in the same domain, but the account used for mirroring is not a domain account.

On both servers in IIS 6, we created a new Application Pool for our application and assigned the mirror account as the identity to run the pool. The account is also added to the IIS_WPG group on the web servers.

When we connect and run the application residing on the server that is not in the domain, everything works fine. (In this case, we connect to the application with local user accounts defined on that server.) If we run it from the server that is in the domain using our domain user accounts, we continuously get an authentication popup window.

I used the AuthDiag tool and saw an error message saying that the SPN for the mirror account does not exist in the Active Directory. But I think this is very normal since the mirror account is not a domain account.

Here comes the first question: If the web server is in the domain, do I need a domain account to use as the mirror account? Is it not possible with a mirrored local account?

I went further and had my admin create a new domain account to use in mirroring. We've also seen that the same problem occurs with the domain account, but we've found a solution with the SETSPN.exe tool. We ran the following:

setspn -A HTTP/myserver mydomain\mydomainaccount
setspn -A HTTP/myserver.qualifiedname.com mydomain\mydomainaccount

Then, the popup went away. At least for a while :) In a specific part of the application, I'm seeing the popup once again! This time I see an error telling me that the WebUIValidation.js script could not be found. I took a look at the permissions and see that IIS_WPG has read & execute on it. I even gave Everyone read & execute access, but the problem still remains.

I hope I could explain the problem. I will be very glad if anyone can help, and appreciate any questions.

Thanks,
Ethem
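The reply above says to start from the IIS log and find the request for WebUIValidation.js rather than guessing from the popup. As an added example that is not part of this thread, here is a small parser for IIS 6 W3C extended log lines that locates every request for a resource and decodes the sc-status/sc-substatus pair, which is what separates an authentication failure (401.x) from a "not found" (404.x). The log lines, host names and user names are constructed for the example; the substatus meanings are the documented IIS 6 ones.

```python
# Constructed example, not from the thread: parse IIS 6 W3C extended log lines,
# locate every request for a resource and decode its status/substatus, which is
# how a "could not be found" popup gets separated from an authentication popup.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-05-06 07:18:59
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-05-06 07:18:59 10.0.0.5 GET /app/default.aspx - 80 MYDOMAIN\\ethem 10.0.0.9 Mozilla/4.0 200 0 0
2005-05-06 07:19:01 10.0.0.5 GET /aspnet_client/system_web/1_1_4322/WebUIValidation.js - 80 - 10.0.0.9 Mozilla/4.0 401 2 0
2005-05-06 07:19:01 10.0.0.5 GET /aspnet_client/system_web/1_1_4322/WebUIValidation.js - 80 MYDOMAIN\\ethem 10.0.0.9 Mozilla/4.0 404 3 0
"""

# IIS 6 substatus meanings (from the IIS 6 documentation) that matter here.
SUBSTATUS = {
    (401, 1): "logon failed (credentials rejected)",
    (401, 2): "logon failed due to server configuration (auth negotiation)",
    (401, 3): "unauthorized due to ACL on the resource",
    (404, 2): "lockdown policy (Web Service Extensions) prevents this request",
    (404, 3): "MIME map policy prevents this request (extension not servable)",
}

def parse_w3c(text):
    """Return one dict per request line, keyed by the names in the #Fields header."""
    fields, entries = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # header names the columns that follow
        elif line.startswith("#") or not line.strip():
            continue                         # other directives / blank lines
        else:
            entries.append(dict(zip(fields, line.split(" "))))
    return entries

def find_requests(entries, uri_suffix):
    """(status, substatus, user, meaning) for every hit on a resource path."""
    hits = []
    for e in entries:
        if e.get("cs-uri-stem", "").lower().endswith(uri_suffix.lower()):
            status, sub = int(e["sc-status"]), int(e.get("sc-substatus", "0"))
            hits.append((status, sub, e.get("cs-username", "-"),
                         SUBSTATUS.get((status, sub), "see the IIS status code reference")))
    return hits

if __name__ == "__main__":
    for hit in find_requests(parse_w3c(SAMPLE_LOG), "WebUIValidation.js"):
        print(hit)
```

Pointing `parse_w3c` at a real ex*.log from the site's log directory and searching for the script name shows whether the "popup" request is a 401.x (authentication, so look at the SPN/app pool identity) or a 404.x (the file or its extension is not being served at all).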