Kerberos and ASP NET application



Hi All

First time poster to this group, and this is my first experience
looking into the intricacies of Kerberos.

Anyway, I've developed a vanilla ASP.NET application. It has a web
tier which connects to a web service which talks with the SQL server -
a very standard set-up. I have set the web application to use
integrated authentication and hence Kerberos, as retrieving the
information requires two hops.

I have set up IIS and the web config files as recommended by Microsoft
(and confirmed across the web). I have set the service principals and
set the delegations correctly. And I was very pleased with myself
when the application worked as expected from my machine. I was also
very happy when it worked from my boss's machine. I wasn't so happy
when it didn't work from my customer's machine (all on the same
network).

That's when my adventure in Kerberos, and pain, began. In a nutshell,
some machines authenticate using Kerberos, while others default to
NTLM and the SQL server won't (rightly) let them in (ERROR message
is: Login failed for user '(null)'. Reason: Not associated with a
trusted SQL Server connection.). We even had the great test case of a
user with 2 similarly configured machines being able to connect
successfully with one but not the other!! Sigh.

As further background:

client is IE7 on Win XP SP2 - and enable integrated authentication is selected;
web server is on a virtual server running Windows 2003;
app server is also on this server (for now);
SQL server is SQL 2000 on a Win 2003 box.

Now I've tried everything I can glean from the web to see what the
differences between the 2 machines are - and I have come up with
nothing. ZIP. Everything seems to be in order, but obviously
something isn't!! I have run some limited packet sniffing, but that
isn't really my forte - using Netmon, I could see that there was a
Kerberos error (the error code was 0x3e - KDC_ERR_CLIENT_NOT_TRUSTED ,
but that didn't really give me much to go on). I have compared
workstations and accounts in active directory, with no success. I
have compared IE7 properties - nothing.

Has anyone ever had this sort of problem before - i.e. Kerberos seems to
work for some workstations but not others? Or can anyone suggest some
diagnostics or something that I can run that might lead me down the
right track?

I'm nearing breaking point on this one - am even taking the day off
tomorrow to go fishing to see if something comes up ;-)

Cheers and grateful for ANY help or advice.

James
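
One diagnostic for the symptom described in the post above, as an added example that is not part of the original post: the base64 blob in an `Authorization: Negotiate ...` request header taken from a packet capture shows which mechanism a given workstation actually sent. The function names and the sample tokens are constructed for illustration.

```python
import base64

SPNEGO = bytes.fromhex("2b0601050502")                  # 1.3.6.1.5.5.2
MECHS = {                                               # DER-encoded OID -> mechanism
    bytes.fromhex("2a864886f712010202"): "Kerberos",    # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "Kerberos",    # 1.2.840.48018.1.2.2 (legacy Microsoft OID)
    bytes.fromhex("2b06010401823702020a"): "NTLM",      # 1.3.6.1.4.1.311.2.2.10
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def classify(header_value):
    """Name the mechanism carried in an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not b64.strip():
        return "not an integrated-auth token"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "invalid base64"
    if tok[:8] == b"NTLMSSP\x00" and len(tok) >= 12:    # bare NTLM, even under "Negotiate"
        return "NTLM message type %d" % int.from_bytes(tok[8:12], "little")
    try:
        tag, pos, _ = read_tlv(tok, 0)                  # GSS-API InitialContextToken
        if tag != 0x60:
            return "unrecognised token"
        _, pos, end = read_tlv(tok, pos)                # thisMech OID
        if tok[pos:end] != SPNEGO:
            return MECHS.get(tok[pos:end], "unknown mechanism") + " (raw GSS-API)"
        pos = end  # NegTokenInit: [0] -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF -> first OID
        for expected in (0xA0, 0x30, 0xA0, 0x30, 0x06):
            tag, pos, end = read_tlv(tok, pos)
            if tag != expected:
                return "unrecognised token"
        return MECHS.get(tok[pos:end], "unknown mechanism") + " (preferred SPNEGO mechanism)"
    except IndexError:
        return "truncated token"

# Constructed samples, not captured traffic: an NTLM type-1 message and a shortened NegTokenInit.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00" + bytes([1, 0, 0, 0] + [0] * 4)).decode()
SAMPLE_KRB = "Negotiate " + base64.b64encode(bytes.fromhex(
    "603206062b0601050502a0283026a024302206092a864882f712010202"
    "06092a864886f712010202060a2b06010401823702020a")).decode()
```

Running `classify` over the header from a working and a failing workstation shows at a glance which one fell back to NTLM; a value beginning `TlRMTVNT` is always a bare NTLM message.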