Re: ASP.NET, IIS 6 Integrated Win Authentication, Domain usage

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 05/06/05

    Date: Fri, 6 May 2005 00:18:59 -0700
    
    

    FAQ.

    The IIS6 documentation that shows you how to use "Configurable Worker
    Process Identity" and add to IIS_WPG actually explicitly calls out this
    scenario and how to correctly configure things. Just read the documentation.
    I would give you the URL, but it is currently broken on microsoft.com and I
    haven't found the new link.

    In the local server case, Integrated Windows authentication uses NTLM and
    things work as you describe. In the domain case, Integrated Windows
    authentication uses Kerberos by default and you need to do the setspn steps
    (all documented).

    You basically either:
    1. Configure Kerberos correctly to get rid of the popups
    2. Configure IIS to use NTLM in a domain (less secure)

    Windows Server 2000 did not see this because it didn't give you the
    configurability to hang yourself:
    1. IIS ran as LocalSystem (no need to setspn)
    2. ASP.Net controlled the process identity of the managed code

    Windows Server 2003 is different because:
    1. IIS runs as the configured process identity (if not
    LocalSystem/NetworkService, need to setspn)
    2. ASP.Net does not control the process identity

    Re: Question 1
    > If the web server is in the domain, do I need a domain account to
    > use as the mirror account? Is it not possible with mirrored local
    > accounts?
    Not an IIS issue. You are talking about Kerberos, Active Directory, and
    machine accounts, none of which have anything to do with IIS. :-)

    Re: Question 2
    > Then, the popup went away. At least for a while :) In a specific
    > part of the application, I'm seeing the popup once again! This
    > time I see an error telling me that the WebUIValidation.js script
    > could not be found.

    This is clearly not the same popup as Question 1. Lack of permissions results
    in access denied failures (like the password popups), not "[resource] could
    not be found".

    Troubleshooting servers start from log files (since security practices state
    that error messages to the user should not be descriptive since that leaks
    security information). By default, .js extension should be downloadable, so
    you want to find the request for the WebUIValidation.js script in the log
    file and report the log line here.

    -- 
    //David
    IIS
    http://blogs.msdn.com/David.Wang
    This posting is provided "AS IS" with no warranties, and confers no rights.
    //
    "Ethem Azun" <EthemAzun@discussions.microsoft.com> wrote in message
    news:8DCA9636-7500-4AD3-8CD9-5E3DA9EA15C7@microsoft.com...
    Hi,
    First of all, I must say that I'm a developer and I have only general
    operational knowledge about IIS 6.0.
    We have two test web servers; one of them is in domain, and the other is
    not.
    (Both Win 2003, no service packs, we are still examining sp side-effects).
    We are trying to install an ASP.NET 1.1 app to both servers. The application
    was previously running on Win2000 and Win XP Pro with IIS 5.1 without
    problems. The application uses integrated windows authentication with trusted
    subdomains (mirror accounts) to connect to a SQL Server running on a Win2k
    machine. This machine is also in the same domain but the account used for
    mirroring is not a domain account.
    On both servers in IIS 6, we created a new Application Pool for our
    application and assigned the mirror account as the identity to run the pool.
    The account is also added to the IIS_WPG group on the web servers.
    When we connect and run the application residing in the server that is not
    in the domain, everything works fine. (In this case, we connect to the
    application with local user accounts defined on that server.)
    If we run it from the server that is in the domain using our domain user
    accounts, we continuously get an authentication popup window. I used the
    AuthDiag tool and saw an error message saying that the SPN for the mirror
    account does not exist in the Active directory. But I think this is very
    normal since the mirror account is not a domain account.
    Here comes the first question;
    If the web server is in the domain, do I need a domain account to use as the
    mirror account? Is it not possible with mirrored local accounts?
    I went further and had my admin create a new domain account to use in
    mirroring. We've also seen that the same problem occurs with the domain
    account but we've found a solution with the SETSPN.exe tool. We've run the
    following;
    setspn -A HTTP/myserver mydomain\mydomainaccount
    setspn -A HTTP/myserver.qualifiedname.com mydomain\mydomainaccount
    Then, the popup went away. At least for a while :) In a specific part of the
    application, I'm seeing the popup once again! This time I see an error
    telling me that the WebUIValidation.js script could not be found. I took a
    look at the permissions and see that IIS_WPG has read & execute on it. I even
    gave everyone the access to read & execute, but the problem still remains.
    I hope I could explain the problem. I will be very glad if anyone can help,
    and appreciate any questions.
    Thanks,
    Ethem
    
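The following PowerShell script is an added example and is not part of the thread above or of any Microsoft documentation. It walks the three points in David's reply for an IIS 6 application pool on Windows Server 2003 running as a custom domain identity: registering HTTP/<host> SPNs on the pool account (his option 1), the NTLM-only fallback (his option 2), and starting the WebUIValidation.js investigation from the site's W3C log (Question 2). The account name MYDOMAIN\svc-webpool, the host names, the site id, and the log lines are placeholders constructed for the example; the script assumes setspn.exe (Windows Support Tools) and adsutil.vbs (%SystemRoot%\system32\inetsrv) are installed and that it runs as an account allowed to write servicePrincipalName on the pool account.

```powershell
# Added example (not from the original post). Placeholders, not thread values:
$PoolAccount = 'MYDOMAIN\svc-webpool'                 # app pool identity (in IIS_WPG)
$HostNames   = @('myserver', 'myserver.example.com')  # every name clients browse to
$SiteId      = 1                                      # W3SVC instance id of the site

# --- 1. Kerberos: HTTP/<host> must be on the account the worker process runs as.
# LocalSystem / NetworkService present the machine account, whose HOST/ SPNs
# already cover HTTP; a custom identity has no SPNs until you add them.
$registered = setspn -L $PoolAccount
Write-Host "SPNs on $PoolAccount :"
$registered

foreach ($h in $HostNames) {
    $spn = "HTTP/$h"
    if ($registered -match ('^\s*' + [regex]::Escape($spn) + '\s*$')) {
        Write-Host "$spn already registered on $PoolAccount"
        continue
    }
    # Caveat: setspn -A on Windows Server 2003 does not check whether another
    # account already holds the SPN, and a duplicate breaks Kerberos for both.
    # Ask the directory first (DirectorySearcher defaults to the current domain).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher("(servicePrincipalName=$spn)")
    $holders  = @($searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })
    if ($holders.Count -gt 0) {
        Write-Warning "$spn is already held by: $($holders -join ', ') - not adding"
        continue
    }
    setspn -A $spn $PoolAccount
}

# --- 2. Fallback (David's option 2, less secure): force NTLM for the site.
# IIS 6 default is "Negotiate,NTLM"; "NTLM" stops IIS offering Kerberos, so no
# SPN is needed, at the cost of losing Kerberos. 'get' errors if the property
# was never set at this node, which simply means the default is in effect.
$adsutil = Join-Path $env:SystemRoot 'system32\inetsrv\adsutil.vbs'
$metaPath = "w3svc/$SiteId/root/NTAuthenticationProviders"
cscript //nologo $adsutil get $metaPath
# Apply only if option 1 cannot be made to work:
# cscript //nologo $adsutil set $metaPath "NTLM"

# --- 3. Question 2: read the log line for the failing request.
# Constructed sample lines in IIS 6 W3C format; a real file lives under
# %SystemRoot%\system32\LogFiles\W3SVC<SiteId>\ex<yymmdd>.log.
$logText = @'
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2005-05-06 07:18:59 GET /app/Default.aspx MYDOMAIN\alice 10.0.0.20 200 0 0
2005-05-06 07:19:00 GET /aspnet_client/system_web/1_1_4322/WebUIValidation.js MYDOMAIN\alice 10.0.0.20 404 0 2
'@
$lines      = $logText -split "`r?`n"
$fieldsLine = $lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
$fields     = ($fieldsLine -replace '^#Fields:\s*', '') -split '\s+'

# Build one object per matching request so the W3C columns can be read by name.
$lines | Where-Object { $_ -notlike '#*' -and $_ -match 'WebUIValidation\.js' } | ForEach-Object {
    $values = $_ -split ' '
    $row = New-Object PSObject
    for ($i = 0; $i -lt $fields.Count; $i++) {
        Add-Member -InputObject $row -MemberType NoteProperty -Name $fields[$i] -Value $values[$i]
    }
    $row
} | Format-List cs-uri-stem, cs-username, sc-status, sc-substatus, sc-win32-status
```

In the log, a 401 with sc-substatus 1 (logon failed), 2 (denied by server configuration) or 3 (denied by the resource ACL) is the authentication-popup family from Question 1; a 404 means IIS never got as far as authenticating the resource, which is why the ACL changes on the .js file made no difference. Reporting that one line, as David asks, settles which case it is.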
