Re: Kerberos delegation
- From: "Scott Elgram" <SElgram@xxxxxxxxxxxxxx>
- Date: Fri, 8 Dec 2006 10:16:50 -0800
Mr. Kaplan,
I have followed the authentication all the way through to Sql01. From
client to Web01 it seems to be working fine... for every request I get an
entry in the Web01 security log as a successful logon event for the user,
not 'NT AUTHORITY\ANONYMOUS LOGON'. The problem seems to be when Web01
needs Sql01... the server is using Kerb only some of the time.
I wish I could update to 2k3... I've been pushing them to do it for some
time but it's just not in the budget, so I have to make do with what I have.
I've gone over the SPNs... to my understanding, because I am using IIS5 I do
not need an SPN set for the account ASPNET_WP.EXE runs under
(<domain>/IWAM_Web01), so I have only set an SPN for the account SQL runs
under on Sql01 (MSSQLSvc/SQL01.<domain>:1433).
-Scott
"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ulen7riGHHA.1252@xxxxxxxxxxxxxxxxxxxxxxx
If I had to guess, I'd say that some of your web browser users are getting
Kerberos authentication successfully, but some of them are not and are
getting NTLM authentication with IIS. That breaks Kerberos delegation.
To verify this, enable logon auditing on the web box and try to correlate
the failures with security event log logon events that indicate an NTLM
logon.
To fix this may be difficult, as the negotiate protocol is designed to
select NTLM if Kerb isn't available. The first thing to do is to try to
figure out what is different that is preventing Kerb from working. SPN
problems are the root of many Kerberos auth failures, but if everyone uses
the exact same host name in the URL for the web app, that should not be
happening. Sometimes there may be a problem with connecting to the DC on the
Kerberos port (88), so that might be another thing to look at.
You can get more flexibility if you can migrate to 2003 server (and 2003
native AD) because then you could use protocol transition on the web tier
and it wouldn't matter what type of authentication the browser client got
(could be basic or digest as well as NTLM or Kerberos). However, that might
not be an option for you.
Best of luck figuring this out. Unfortunately, troubleshooting these can be
very painful. There is an excellent document on TechNet called something
like "Troubleshooting Kerberos Errors" that actually covers all of this
stuff in a lot of detail. I'd suggest finding it and reading it.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Scott Elgram" <SElgram@xxxxxxxxxxxxxx> wrote in message
news:O4PHOiiGHHA.3468@xxxxxxxxxxxxxxxxxxxxxxx
Hello,
I'm not sure if this is the right forum for this question but it is
security related so hopefully someone in here can help.
I have two servers,
Web01: Windows 2k Adv. Server running IIS 5.
Sql01: Windows 2k Adv Server Running SQL 7
I am trying to get user credentials to flow through Web01 to Sql01 so
that I can make use of the permissions that are already on the tables. For
the most part, about 70% of the time, everything is working just peachy and
there are no issues. However, that remaining 40% of people are receiving the
following error:
------------------------------------------------------------
Message: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Stack Trace: at
System.Data.SqlClient.ConnectionPool.GetConnection(Boolean& isInTransaction)
at System.Data.SqlClient.SqlConnectionPoolManager.GetPooledConnection(SqlConnectionString options, Boolean& isInTransaction)
at System.Data.SqlClient.SqlConnection.Open()
at DataCollections.DirectEdit.AddPractice.Page_Load(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain()
------------------------------------------------------------
If I turn on auditing of successful logons for both Web01 and Sql01 I
can follow the flow down to Sql01, where I find the following entry in the
security log:
------------------------------------------------------------
Date: 12/06/2006 Source: Security
Time: 14:52 Category: Logon/Logoff
Type: Success Event ID: 538
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: Sql01
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x6B5095F)
Logon Type: 3
------------------------------------------------------------
If anyone can offer any advice on why this is only happening some of the
time, or how to fix/further troubleshoot this issue, it would be greatly
appreciated.
Thanks,
--
-Scott
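Joe's suggested check above (turn on logon auditing on the web box and correlate the failures with NTLM logon events) can be scripted against an exported security log. The following is an added example, not code from either poster: it parses a constructed sample of Web01 network-logon entries (event 540 with its "Authentication Package" field), counts Kerberos vs NTLM logons per user, and lists the users whose NTLM logons mean the hop to Sql01 will arrive as ANONYMOUS LOGON. The log format and user names are assumed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of exported security log lines from the web tier.
# Fields mirror a Windows 2000 "Successful Network Logon" (event 540) record;
# the users, workstations and counts are made up for this example.
WEB01_LOG = """\
Event ID: 540 User: CORP\\alice Logon Type: 3 Authentication Package: Kerberos Workstation Name: PC1
Event ID: 540 User: CORP\\bob Logon Type: 3 Authentication Package: NTLM Workstation Name: PC2
Event ID: 540 User: CORP\\carol Logon Type: 3 Authentication Package: Kerberos Workstation Name: PC3
Event ID: 540 User: CORP\\bob Logon Type: 3 Authentication Package: NTLM Workstation Name: PC2
Event ID: 538 User: CORP\\alice Logon Type: 3
"""

LOGON_RE = re.compile(
    r"Event ID: (?P<id>\d+) User: (?P<user>\S+) Logon Type: (?P<ltype>\d+)"
    r"(?: Authentication Package: (?P<pkg>\S+))?"
)


def classify_logons(log_text):
    """Count Kerberos vs NTLM network logons (event 540, logon type 3) per user."""
    counts = defaultdict(lambda: {"Kerberos": 0, "NTLM": 0})
    for line in log_text.splitlines():
        m = LOGON_RE.match(line)
        if not m or m.group("id") != "540" or m.group("ltype") != "3":
            continue  # ignore logoffs (538) and non-network logons
        pkg = m.group("pkg")
        if pkg in ("Kerberos", "NTLM"):
            counts[m.group("user")][pkg] += 1
    return dict(counts)


def delegation_risk_users(log_text):
    """Users with any NTLM logon: IIS holds no forwardable ticket for them,
    so the second hop to SQL will be made as ANONYMOUS LOGON."""
    return sorted(u for u, c in classify_logons(log_text).items() if c["NTLM"])


if __name__ == "__main__":
    for user, c in classify_logons(WEB01_LOG).items():
        print(f"{user}: Kerberos={c['Kerberos']} NTLM={c['NTLM']}")
    print("delegation will fail for:", delegation_risk_users(WEB01_LOG))
```

Users in the NTLM list are the ones whose requests should be traced next (host name used in the URL, reachability of the DC on port 88 from their workstation).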