Re: Kerberos logon failure - Windows Server 2003 RTM

From: Henrik Andersson (henrikanderzon_at_hotmail.com)
Date: 05/19/03


Date: 19 May 2003 01:00:40 -0700


"JK [MSFT]" <jk@online.microsoft.com> wrote in message news:<OjGpbvoGDHA.2888@tk2msftngp13.phx.gbl>...
> Ok that implies that you are using protocol transition which means you have
> to satisfy the following requirements.
> 1) Domain must be in Windows 2003 native mode.
> 2) Act as part of operating system(TCB) privilege has to be granted to the
> process that calls WindowsIdentity ON THE FRONTEND machine(where the code
> runs) and not on the domain controller.
> Please see the protocol transition whitepaper for more details on these
> requirements
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/plan/constdel.asp
> # 2 is most likely what you are missing. If you still can't get it to work
> can you cut and paste the exact error message from ASP.NET?
>
> "Henrik Andersson" <henrikanderzon@hotmail.com> wrote in message
> news:9ee5c9cf.0305132300.272560a0@posting.google.com...
> > I cannot log in manually with the created user accounts and that's
> > fine. I am not supposed to be able to do this.
> >
> > When I call the WindowsIdentity constructor I supply the user
> > principal name: public WindowsIdentity(string serPrincipalName). Where
> > UPN is Domain\Username.
> >
> > /Henrik
> >
> > "JK [MSFT]" <jk@online.microsoft.com> wrote in message news:<OJxc#7ZGDHA.2264@TK2MSFTNGP12.phx.gbl>...
> > > Have you tried logging on manually to see if that works?
> > > Also are you supplying the password to the WindowsIdentity constructor or
> > > logging on without the password?
> > >
> > >

Thanks for your answer. The article was very interesting.
seTcbPrivileges has been set on the computer that runs the process but
I still get the same error message (Attached below). I have also
enabled "Impersonate a client after authentication"
(seImpersonatePrivilege) for the service account on the computer that
runs the process.

Here is the ASP.NET error:
Server Error in '/' Application.
--------------------------------------------------------------------------------
Unable to log on.
Description: An unhandled exception occurred during the execution of
the current web request. Please review the stack trace for more
information about the error and where it originated in the code.

Exception Details: System.ArgumentException: Unable to log on.

Source Error:
An unhandled exception was generated during the execution of the
current web request. Information regarding the origin and location of
the exception can be identified using the exception stack trace below.

Stack Trace:
[ArgumentException: Unable to log on.]
   System.Security.Principal.WindowsIdentity._S4ULogon(String sUserPrincipalName) +0
   System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName) +30
   Demotest.XML.SSO.HttpAuth.Application_AuthenticateRequest(Object source, EventArgs e) +465
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +60
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87

--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:1.1.4322.573;
ASP.NET Version:1.1.4322.573

These are the last two logs from the security log on the computer that
runs the process:
10-------------------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 577
Date: 5/13/2003
Time: 12:15:25 PM
User: DEMO\UserImp
Computer: DEMOAUT01
Description:
Privileged Service Called:
         Server: NT Local Security Authority / Authentication Service
         Service: LsaRegisterLogonProcess()
         Primary User Name: DEMOAUT01$
         Primary Domain: OIODEMO
         Primary Logon ID: (0x0,0x3E7)
         Client User Name: UserImp
         Client Domain: DEMO
         Client Logon ID: (0x0,0x16264E)
         Privileges: SeTcbPrivilege

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-------------------------------------------------------------------

11-------------------------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 5/13/2003
Time: 12:15:25 PM
User: NT AUTHORITY\SYSTEM
Computer: DEMOAUT01
Description:
Logon Failure:
         Reason: An error occurred during logon
         User Name:
         Domain:
         Logon Type: 3
         Logon Process: CLRdW_
         Authentication Package: Kerberos
         Workstation Name: DEMOAUT01
         Status code: 0xC0000062
         Substatus code: 0x0
         Caller User Name: UserImp
         Caller Domain: DEMO
         Caller Logon ID: (0x0,0x16264E)
         Caller Process ID: 1912
         Transited Services: -
         Source Network Address: -
         Source Port: -

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-------------------------------------------------------------------
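
A triage aid for the Event ID 537 record quoted above, added here as an example (not part of the original post and not Microsoft's code): it parses the event description, decodes the NTSTATUS value, and classifies the form of the name handed to the logon call. The helper names, the small NTSTATUS table and the sample name `DEMO\someuser` are assumptions made for illustration.

```python
import re

# Constructed sample: fields copied from the Event ID 537 failure audit in the post.
SAMPLE_537 = """\
Logon Failure:
         Reason: An error occurred during logon
         User Name:
         Domain:
         Logon Process: CLRdW_
         Authentication Package: Kerberos
         Status code: 0xC0000062
         Caller User Name: UserImp
"""

# Small subset of NTSTATUS values seen in logon failure audits.
NTSTATUS = {
    0xC0000061: "STATUS_PRIVILEGE_NOT_HELD",
    0xC0000062: "STATUS_INVALID_ACCOUNT_NAME",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006D: "STATUS_LOGON_FAILURE",
}

def parse_event(text):
    """Return {field: value} for 'Field: value' lines; empty values stay ''."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def name_form(name):
    """Classify a logon name: 'upn' (user@suffix), 'downlevel' (DOMAIN\\user) or 'bare'."""
    if "\\" in name:
        return "downlevel"
    if re.fullmatch(r"[^@\\\s]+@[^@\\\s]+", name):
        return "upn"
    return "bare"

def triage(text, supplied_name):
    """Summarise a 537 record next to the name that was passed to the logon call."""
    f = parse_event(text)
    status = int(f.get("Status code", "0x0"), 16)
    return {
        "status": NTSTATUS.get(status, hex(status)),
        "package": f.get("Authentication Package", ""),
        "target_user_recorded": bool(f.get("User Name")),  # empty in the audit above
        "name_form": name_form(supplied_name),
    }
```
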


