RE: Kerberos & NTLM on IIS 6
From: Ethem Azun (EthemAzun_at_discussions.microsoft.com)
Date: 05/23/05
- Next message: Ethem Azun: "SetSPN.Exe"
- Previous message: wosully: "Re: Guestbook in Frontpage"
- In reply to: pj_servadmin: "RE: Kerberos & NTLM on IIS 6"
Date: Mon, 23 May 2005 00:05:02 -0700
Hi pj,
I'll try to re-formulate the question and re-post it. The SPNs are as
follows:
setspn -A HTTP/servername domain\newaccountname
setspn -A HTTP/servername.domain.com domain\newaccountname
setspn -A HTTPS/servername domain\newaccountname
setspn -A HTTPS/servername.domain.com domain\newaccountname
Do you see any problems with it?
Thanks,
Ethem
"pj_servadmin" wrote:
> Well I'm pretty much all out of ideas, without knowing a lot more about your
> system. Is reporting services the SQL server reporting services? There is
> actually a section for that or maybe even the SQL server security newsgroup,
> as I don't know what to tell you next, and none of the Microsoft experts
> stopped by yet either.
>
> When setting up sql server for sharepoint (which we ended up not doing), I
> remember that SQL server does not get an SPN added by default (I think), so
> that actually might be your problem.
>
> Out of curiosity, what were the setspn.exe lines you ran to configure the
> SPNs?
>
> (sorry I can't help more)
>
> "Ethem Azun" wrote:
>
> >
> > Hi pj,
> >
> > Thanks for the reply. I continued my research on this topic and found the
> > following (please correct me if I'm wrong.)
> >
> > 1) NTLM / Kerberos selection cannot be done per application; it can only be
> > done per web site. So, the answer to my last question seems to be "no".
> >
> > 2) As you also said, the problem occurs because I'm trying to run two apps
> > in a website under different accounts. The Network Service account which runs
> > the RS is not known by AD and does not seem to have an SPN. The other domain
> > account is known by AD and has a valid SPN, that's why the Web App works. My
> > "solution" was to make RS work under this account too, then everything seems
> > fine. But this is very ugly. I thought at least the default Network Services
> > account would be known by the AD as a special account. In the following site
> > ( http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx ) the last section gives more insight.
> >
> > 3) Since I registered the domain account and server to have an SPN for http
> > and https, whenever I create a virtual directory with Network Services as the
> > running account, I see the auth window, so I think it's really not possible
> > to use the different accounts on the same site.
> >
> > 4) I think I'm trying to implement a very basic scenario so I must be wrong
> > somewhere. It should not be this complicated. (I hope.)
> >
> > Thanks,
> >
> > Ethem
> >
> > "pj_servadmin" wrote:
> >
> > > Ethem,
> > >
> > > I do not have a whole lot of time, but I will try to help you with what I do
> > > know.
> > >
> > > The error message you are getting is the same one I get when the logging in
> > > user is an AD account only (aka network service has no idea who you are, or
> > > even the concept of the domain). This error message would not show up if you
> > > were logged in locally, because you had already been authenticated, and you
> > > have a kerberos ticket.
> > >
> > > To answer the last question: yes, the metabase property is called
> > > "NTAuthenticationProviders" and here is the Microsoft doc. You will notice
> > > your answer is in the configurable locations section.
> > >
> > > http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/ea7cd846-33da-49c9-927f-d4e76d6309ac.mspx
> > >
> > > And to try and answer the middle questions, it almost sounds like you have
> > > not configured the SPNs for the service. To get headed in the right
> > > direction, you must ask who will be consuming the reporting services? If it
> > > is only going to be locally consumed then there shouldn't be a problem, but
> > > if a remote host needs to consume it, the only way the remote host will be
> > > able to find it is through what amounts to a 'service catalog' which is
> > > populated by setting SPNs. (I also forget the exact specifics, but there is a
> > > huge list of default SPNs that, if not specifically configured, get folded
> > > into "HOST")
> > >
> > > Hope this helps, and hopefully one of the Microsoft experts stops by and can
> > > answer your questions more fully.
> > >
> > > "Ethem Azun" wrote:
> > >
> > > > Hi,
> > > >
> > > > I have an IIS 6 on Win2003 registered on a domain.
> > > >
> > > > I'm running the following applications on this machine,
> > > >
> > > > - an ASP.NET Web App
> > > > - Reporting Services Interface
> > > > - Reporting Services Server
> > > >
> > > > All of the applications above use Windows Integrated Security. The ASP.NET
> > > > application works in its own Application Pool with a domain user account. The
> > > > SPNs are configured to use this account correctly and Kerberos auth works
> > > > without any problems. I also see this through the Event Log messages that
> > > > users can log in using Kerberos.
> > > >
> > > > On the other hand, Reporting Services works on the default application pool,
> > > > with the Network Service account. When I try to access it, I keep seeing the
> > > > challenge window.
> > > >
> > > > The following behaviors are observed:
> > > >
> > > > 1) When connected to Reporting Services on the local server through
> > > > localhost (http://localhost/Reports), I don't see the popup. (I'm logged in
> > > > with a domain account which has local admin rights on the server.)
> > > > 2) When connected to RS on the local server or from outside using the
> > > > NetBIOS name (http://servername/Reports), I see the popup; I try to log in
> > > > with the same credentials, and it doesn't work.
> > > >
> > > > In the security event log, I see the following failure for Reporting
> > > > Services:
> > > >
> > > > Logon Failure:
> > > > Reason: Unknown user name or bad password
> > > > User Name:
> > > > Domain:
> > > > Logon Type: 3
> > > > Logon Process: Kerberos
> > > > Authentication Package: Kerberos
> > > > Workstation Name: -
> > > > Caller User Name: -
> > > > Caller Domain: -
> > > > Caller Logon ID: -
> > > > Caller Process ID: -
> > > > Transited Services: -
> > > > Source Network Address: 172.16.96.215
> > > > Source Port: 3942
> > > >
> > > > But for the Web Application, I see that the logon works correctly and the
> > > > above fields are filled. I tried running RS also with the domain account that
> > > > the web app uses, but it wasn't very happy with it. (some extra permissions I
> > > > suppose.) Should this be the direction? Or is it because SPNs are set with
> > > > the domain account and not the Network Services account?
> > > >
> > > > Another question, is it possible to set Kerberos and NTLM usage per
> > > > application on the same IIS Server?
> > > >
> > > > I would be very glad of any help.
> > > >
> > > > Thanks,
> > > >
> > > > Ethem
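As an added illustration (not from the thread), here is a simplified Python model of why the audit entries look the way they do: the KDC encrypts the HTTP/servername ticket for whichever account setspn registered that SPN on, so an app pool running as Network Service (which authenticates as the computer account) cannot open it, while localhost has no SPN at all and the browser falls back to NTLM. Account names, keys and the HMAC standing in for ticket encryption are all constructed for the example.

```python
import hashlib
import hmac

# Constructed data: which AD account each SPN is registered on (what the
# setspn -A lines in the thread do). HTTP/servername is on the domain account;
# the computer account only has the default HOST/ SPNs. Network Service
# authenticates on the network as the computer account (SERVERNAME$).
SPN_OWNERS = {
    "HTTP/servername": "domain\\newaccountname",
    "HTTP/servername.domain.com": "domain\\newaccountname",
    "HOST/servername": "domain\\SERVERNAME$",
    "HOST/servername.domain.com": "domain\\SERVERNAME$",
}
# Constructed stand-ins for the accounts' long-term (password-derived) keys.
ACCOUNT_KEYS = {
    "domain\\newaccountname": b"constructed-webapp-account-key",
    "domain\\SERVERNAME$": b"constructed-computer-account-key",
}

def resolve_spn(spn):
    """KDC lookup: an explicitly registered SPN wins; otherwise fall back to HOST/."""
    if spn in SPN_OWNERS:
        return SPN_OWNERS[spn]
    host = spn.split("/", 1)[1]
    return SPN_OWNERS.get("HOST/" + host)

def issue_ticket(spn, client):
    """KDC: 'encrypt' (here: MAC) the service ticket with the SPN owner's key.
    None models the KDC not knowing the principal, after which the browser
    falls back to NTLM instead of Kerberos."""
    owner = resolve_spn(spn)
    if owner is None:
        return None
    tag = hmac.new(ACCOUNT_KEYS[owner], f"{spn}|{client}".encode(), hashlib.sha256)
    return {"spn": spn, "client": client, "tag": tag.hexdigest()}

def pool_accepts(ticket, pool_account):
    """An app pool can only open tickets made with its own account's key."""
    msg = f"{ticket['spn']}|{ticket['client']}".encode()
    mine = hmac.new(ACCOUNT_KEYS[pool_account], msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mine, ticket["tag"])

def access(url_host, pool_account, client="domain\\ethem"):
    """Outcome of browsing http://<url_host>/... against a pool running as pool_account."""
    ticket = issue_ticket("HTTP/" + url_host, client)
    if ticket is None:
        return "ntlm-fallback"
    if pool_accepts(ticket, pool_account):
        return "kerberos-ok"
    return "kerberos-logon-failure"  # the "Unknown user name or bad password" audit
```

Running the three cases from the thread gives kerberos-ok for the web app pool, kerberos-logon-failure for Reporting Services under Network Service, and ntlm-fallback for http://localhost/Reports, which is why the same hostname cannot serve pools running as two different accounts.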