Re: Kerberos from XP to IIS hosting ASP.NET 2.0 Web Service help
- From: "Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 9 Apr 2006 16:45:52 +1000
Hi,
a) If your MS SQL Server is running under a custom /local/ account, then I'm
not sure how Kerberos authentication is supposed to work. The IIS server
needs to get a Kerberos ticket for the remote service (namely SQL Server).
The ticket needs to be encrypted with a password that the remote SQL Server
can decrypt. If SQL Server is running under a domain account, then the SPN
can be registered under the domain account. If the SQL Server is running
under LocalSystem, then the SPN can be registered under the computer account
in AD. If you are running SQL Server in a workgroup, or under a local
account, I don't think Kerberos is going to work.
b) No, you are not authenticating to IIS as anonymous. What is happening is
that you are authenticating using whatever credentials you have supplied.
However the next hop (from IIS to SQL Server) is anonymous. This is because
IIS is not able to get an appropriate Kerberos ticket to connect to the
remote server as your user account (remember, IIS doesn't have your
username/password, so it can't just connect as you).
c) If the authentication from XP -> IIS is NTLM, then Kerberos is not going
to work from IIS -> SQL Server. NTLM is not delegatable (i.e. an
authentication by NTLM cannot then be delegated another hop to a remote
service). You need to authenticate using Kerberos between XP and IIS. Get it
working using a web browser first, then let's worry about how to get your
application working.
Cheers
Ken
--
IIS Blog: http://www.adOpenStatic.com/cs/blogs/ken
"Brian Cobb" <BrianCobb@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0DD74468-AEE5-4E9F-81A2-AEC269B2B064@xxxxxxxxxxxxxxxx
: Thank you for your response.
:
: The application pool is running under the local system account.
:
: The SQL SPNs are:
: MSSQLSvc/OAC2:1433
: MSSQLSvc/OAC2.vcaa.ad.uams.edu:1433
: MSOLAPSvc/OAC2
: MSOLAPSvc/OAC2.vcaa.ad.uams.edu
: SMTPSVC/OAC2
: SMTPSVC/OAC2.vcaa.ad.uams.edu
: HOST/OAC2
: HOST/OAC2.vcaa.ad.uams.edu
: The SQL service is NOT running under local system. Instead it is using a
: local account. I don't think this is a problem, though, (yet). I also
: neglected to mention in my first mail that the web app attempts to open a
: connection on the SQL server. It is at that point I see the "Login failed
: for user NT AUTHORITY/Anonymous" message. Maybe I'm misinterpreting what's
: happening, but it seems that I am authenticating to the webservice as an
: Anonymous user. And anonymous user can't open a db connection because he has
: no db rights. Should I replace my local account on the SQL box with a domain
: account?
:
: I'm not sure which account you mean in item c. If you mean the user login
: it can authenticate only using NTLM. Trying to authenticate via Kerberos
: makes the 401 error happen.
:
:
:
: "Ken Schaefer" wrote:
:
: > Some things that weren't mentioned in your post:
: >
: > a) What user account is the web application pool running under? If it is
: > running under a custom account, you need to register an SPN under that
: > account, not the computer account in AD.
: >
: > b) What SPNs do you have registered for the *SQL Server*? What user account
: > is SQL Server running under? What port?
: >
: > c) Looking in the IIS server's security event log, have you verified that
: > the actual logon is using Kerberos? Or is it using NTLM?
: >
: > Cheers
: > Ken
: >
: > --
: > IIS Blog: http://www.adOpenStatic.com/cs/blogs/ken
: >
: >
: > "Brian Cobb" <BrianCobb@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
: > news:A4CBB565-5A23-4868-B185-C98690DC42A8@xxxxxxxxxxxxxxxx
: > : I am trying to get Basic Kerberos Auth to work.
: > :
: > : The client, middle-tier, and back-end servers are all in the same Windows
: > : 2000 functional level domain. All 3 are trusted for delegation. The account
: > : used for testing has domain admin privileges on the domain, and admin
: > : privileges on all 3 boxes. The account is also marked as being trusted for
: > : delegation.
: > :
: > : The client is an XP machine.
: > :
: > : The middle-tier is Win2003SE running IIS6 and MDAC2.7. The website is named
: > : irr.uams.edu which differs from the computer name, OAC3. These SPNs are
: > : registered on the server:
: > : HOST/irr.uams.edu
: > : HTTP/OAC3.vcaa.ad.uams.edu
: > : HTTP/OAC3
: > : HTTP/irr.uams.edu
: > : SMTPSVC/OAC3.vcaa.ad.uams.edu
: > : SMTPSVC/OAC3
: > : HOST/OAC3
: > : HOST/OAC3.vcaa.ad.uams.edu
: > : The folder hosting the web service is only accessible via Integrated Auth
: > : and anonymous access is disabled. IIS is running under the SYSTEM account.
: > : The local security policy allows SYSTEM to Act as part of the operating
: > : system and to impersonate a client after authentication.
: > :
: > : I have tested connecting with an ASP.NET 2.0 console application and IE6
: > : from the client machine.
: > :
: > : When I code the console app to use Negotiate authentication, I fail to
: > : connect to the SQL server with the message "Login failed for user NT
: > : AUTHORITY/Anonymous". In addition the files captured by Network Monitor have
: > : these entries generated by the exchange between client and IIS box:
: > :
: > : Content-Type: text/html
: > : Server: Microsoft-IIS/6.0
: > : WWW-Authenticate: Negotiate
: > : WWW-Authenticate: NTLM
: > : MicrosoftOfficeWebServer: 5.0_Pub
: > : X-Powered-By: ASP.NET
: > :
: > :
: > : When I code the console app to use Kerberos I always get a 401 unauthorized
: > : error and the same headers. I have also tried using IE6 (Integrated
: > : Authentication turned on, irr.uams.edu in the local intranet zone, etc.) with
: > : the same results.
: > :
: > : Servers are all within 5 minutes of each other and DC. Net engineering
: > : tells me that Kerberos is not blocked. Any ideas on what else I should check
: > : appreciated.
: > :
: > : Thanks.
: > :
: > :
: >
: >
: >
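Ken's rule about where an SPN has to live (on the domain service account, or on the computer account when the service runs as LocalSystem, and nowhere useful when it runs as a local account) can be checked mechanically against `setspn -L` output. The script below is an added example, not code from this thread or from Microsoft: it parses the `setspn -L` listing format (the sample is constructed from the SPNs posted in the thread; the account DNs are assumed) and reports the mismatches Ken describes, and it also flags an SPN registered on more than one account, which breaks Kerberos for that service as well.

```python
import re
from collections import defaultdict

# Constructed sample in the format printed by "setspn -L <account>", built
# from the SPNs listed in the thread. The account DNs are assumptions.
OAC2_DN = "CN=OAC2,CN=Computers,DC=vcaa,DC=ad,DC=uams,DC=edu"
OAC3_DN = "CN=OAC3,CN=Computers,DC=vcaa,DC=ad,DC=uams,DC=edu"
SETSPN_OUTPUT = f"""\
Registered ServicePrincipalNames for {OAC2_DN}:
        MSSQLSvc/OAC2:1433
        MSSQLSvc/OAC2.vcaa.ad.uams.edu:1433
        HOST/OAC2.vcaa.ad.uams.edu
Registered ServicePrincipalNames for {OAC3_DN}:
        HTTP/OAC3
        HTTP/OAC3.vcaa.ad.uams.edu
        HTTP/irr.uams.edu
        HOST/irr.uams.edu
"""

def parse_setspn(text):
    """Map each account DN in setspn -L output to the set of SPNs it holds."""
    spns, current = defaultdict(set), None
    for line in text.splitlines():
        m = re.match(r"Registered ServicePrincipalNames for (.+):$", line)
        if m:
            current = m.group(1)
        elif line.strip() and current is not None:
            spns[current].add(line.strip())
    return dict(spns)

def check_service(spns, spn, run_as, computer_dn, account_dn=None):
    """run_as is 'domain' (SPN must be on account_dn), 'localsystem' (SPN must
    be on computer_dn) or 'local' (no key in AD, Kerberos cannot work).
    Returns (ok, reasons); a duplicate SPN across accounts is also a failure."""
    reasons = []
    owners = [acct for acct, held in spns.items() if spn in held]
    if run_as == "local":
        reasons.append("service runs under a local account: AD holds no key "
                       "for it, so no ticket can be issued (expect NTLM/anonymous)")
    else:
        required = computer_dn if run_as == "localsystem" else account_dn
        if required not in owners:
            reasons.append(f"{spn} is not registered on {required}")
    if len(owners) > 1:
        reasons.append(f"{spn} is registered on {len(owners)} accounts (duplicate SPN)")
    return not reasons, reasons

if __name__ == "__main__":
    spns = parse_setspn(SETSPN_OUTPUT)
    # The thread's two hops: SQL Server under a local account, IIS under LocalSystem.
    print(check_service(spns, "MSSQLSvc/OAC2.vcaa.ad.uams.edu:1433", "local", OAC2_DN))
    print(check_service(spns, "HTTP/irr.uams.edu", "localsystem", OAC3_DN))
```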