Re: You are not authorized to view this page
- From: "Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 30 Apr 2007 20:46:13 +1000
Hi,
Yes, if you are running the Web App Pool under an account under the inbuilt default principals (LocalSystem, Local Service, Network Service) you will need to register the SPN properly:
IIS and Kerberos Part 2 - What are Service Principal Names?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx
Cheers
Ken
"Bob" <someone@xxxxxxxxxxxxx> wrote in message news:%23f8TCguiHHA.4976@xxxxxxxxxxxxxxxxxxxxxxx
Ken,
Some good news. I have solved the problem.
It seems that by using a different user account in the AppPool, then that user and the server need to ahve their "servicePrincipalName" attribute populated in AD.
The commands to acheive this are
setspn -a http/bay18 taipan-dev\kinosweb
setspn -a http/bay18.taipan-dev.my.gov.au taipan-dev\kinosweb
By running these two commands on the domain controller, everything now works as expected
Thanks for your help
"Bob" <someone@xxxxxxxxxxxxx> wrote in message news:OejwXutiHHA.3472@xxxxxxxxxxxxxxxxxxxxxxxKen,
Here is the record from the Sytem Log for Kerberos
30/04/2007 1:36:04 PM Kerberos Error None 3 N/A BAY18 A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 3:36:4.0000 4/30/2007 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: TAIPAN-DEV.MY.GOV.AU
Server Name: host/bay18.taipan-dev.my.gov.au
Target Name: host/bay18.taipan-dev.my.gov.au@xxxxxxxxxxxxxxxxxxxx
Error Text:
File: 9
Line: ae0
Error Data is in record data.
Bob
"Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx> wrote in message news:%23JYZPEtiHHA.5052@xxxxxxxxxxxxxxxxxxxxxxxAre the two machines in the same Windows Active Directory Domain?
If so, I think your options are:
a) enable Kerberos logging on all machines, and see what errors are being reported. Kerberos authN is failing for some reason, but we don't know why. http://support.microsoft.com/?id=262177
b) edit the metabase to remove Kerberos as an available AuthN option (i.e. so that only "NTLM" is offered and not "Negotiate")
Cheers
Ken
"Bob" <someone@xxxxxxxxxxxxx> wrote in message news:uN%23D31siHHA.4516@xxxxxxxxxxxxxxxxxxxxxxxHi Ken,
The AuthN methods is "Windows Integrated", we are not using anonymous, or basic or digest
Here is the event log for the failure. The computer is called BAY18, the domain is called TAIPAN-DEV
Cheers
30/04/2007 12:04:47 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM BAY18 "Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 172.17.150.183
Source Port: 2746
"
30/04/2007 12:04:47 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM BAY18 "Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 172.17.150.183
Source Port: 2746
"
30/04/2007 12:04:46 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM BAY18 "Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 172.17.150.183
Source Port: 2746
"
30/04/2007 12:04:46 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM BAY18 "Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 172.17.150.183
Source Port: 2746
"
30/04/2007 12:04:45 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM BAY18 "Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 172.17.150.183
Source Port: 2746
"
30/04/2007 12:04:45 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM BAY18 "Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 172.17.150.183
Source Port: 2746
"
30/04/2007 12:04:43 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM BAY18 "Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 172.17.150.183
Source Port: 2746
"
30/04/2007 12:04:43 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM BAY18 "Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 172.17.150.183
Source Port: 2746
"
30/04/2007 12:04:43 PM Security Failure Audit Logon/Logoff 534 NT AUTHORITY\SYSTEM BAY18 "Logon Failure:
Reason: The user has not been granted the requested
logon type at this machine
User Name: IUSR_BAY18
Domain: BAY18
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: BAY18
Caller User Name: kinosweb
Caller Domain: TAIPAN-DEV
Caller Logon ID: (0x0,0x65AD98)
Caller Process ID: 2240
Transited Services: -
Source Network Address: -
Source Port: -
"
30/04/2007 12:04:43 PM Security Success Audit Account Logon 680 BAY18\IUSR_BAY18 BAY18 "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: IUSR_BAY18
Source Workstation: BAY18
Error Code: 0x0
"Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx> wrote in message news:%23uV7fZsiHHA.1244@xxxxxxxxxxxxxxxxxxxxxxxHi,
On your server, can you enable "Logon Failure" auditing please (Start -> Run -> Secpol.msc). Under Local Policies -> Audit Policies you can enable Failure auditing for Account Logon events, and Logon Events (by default only a "Success" is logged).
Then, in your Windows Security event Logs, you should start getting some more detailed information on why authentication is failing.
Lastly, there are no actual credentials in the log files below. It would appear that perhaps your browser is not actually sending credentials, or IIS isn't see them, or doesn't seem them as valid. What AuthN mechanisms have you configured for the "Reports" directory in IIS? (Basic? IWA? Digest?)
Cheers
Ken
"Bob" <someone@xxxxxxxxxxxxx> wrote in message news:e$oEUlqiHHA.4976@xxxxxxxxxxxxxxxxxxxxxxxHere is the log of the latest attempt. I got prompted for credentials 3 times before being rejected. No, there was no status=200 record to indicate sucess
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-04-29 21:55:00
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-04-29 21:55:00 W3SVC1 172.17.150.228 GET /reports - 80 - 172.17.150.136 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2) 401 2 2148074254
2007-04-29 21:55:00 W3SVC1 172.17.150.228 GET /reports - 80 - 172.17.150.136 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2) 401 1 0
2007-04-29 21:55:00 W3SVC1 172.17.150.228 GET /reports - 80 - 172.17.150.136 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2) 401 1 0
2007-04-29 21:55:03 W3SVC1 172.17.150.228 GET /reports - 80 - 172.17.150.136 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2) 401 1 0
2007-04-29 21:55:03 W3SVC1 172.17.150.228 GET /reports - 80 - 172.17.150.136 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2) 401 1 0
2007-04-29 21:55:03 W3SVC1 172.17.150.228 GET /reports - 80 - 172.17.150.136 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2) 401 1 0
2007-04-29 21:55:03 W3SVC1 172.17.150.228 GET /reports - 80 - 172.17.150.136 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2) 401 1 0
2007-04-29 21:55:04 W3SVC1 172.17.150.228 GET /reports - 80 - 172.17.150.136 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2) 401 1 0
2007-04-29 21:55:04 W3SVC1 172.17.150.228 GET /reports - 80 - 172.17.150.136 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2) 401 1 0
"Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx> wrote in message news:u2XjyMjiHHA.4668@xxxxxxxxxxxxxxxxxxxxxxx302 = redirect
301 = redirect
Those are not "errors". Instead your browser is being told to make a new request for a different page.
401.1 is an authentication challenge (you are being challenged to provide allowed credentials)
402.2 - IIS does not implement this error code. Please verify what you have in your logfile. If it's, instead, 401.2 then that may be part of a legitimate NTLM authentication. What is the *next* request? Does it have a 200 OK status?
Can you post the entire logfile entries you have (including the one following the entries above)?
Cheers
Ken
--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
"Bob" <someone@xxxxxxxxxxxxx> wrote in message news:uHYXtCUiHHA.5008@xxxxxxxxxxxxxxxxxxxxxxxHi
I have two IIS servers with similar setups,
When I logon to the server and use IE to view the website, everything works as expected on both servers
When I use a different computer to view the same pages, then one works OK, and the other gives me the error in the subject line.
Looking in the log for the IIS server that gives me the error, there are a series of errors
302 0 0
301 0 0
401 1 0
402 2 2148074254
Where should I be looking to resolve the error and get the remote browser sesssion working?
Thanks Heaps
Bob
.
- References:
- You are not authorized to view this page
- From: Bob
- Re: You are not authorized to view this page
- From: Ken Schaefer
- Re: You are not authorized to view this page
- From: Bob
- Re: You are not authorized to view this page
- From: Ken Schaefer
- Re: You are not authorized to view this page
- From: Bob
- Re: You are not authorized to view this page
- From: Ken Schaefer
- Re: You are not authorized to view this page
- From: Bob
- Re: You are not authorized to view this page
- From: Bob
- You are not authorized to view this page
- Prev by Date: Re: You are not authorized to view this page
- Previous by thread: Re: You are not authorized to view this page
- Next by thread: Re: Notify user of SSL 3 requirement
- Index(es):
Relevant Pages
|
