Windows Authentication problem with IIS6 (Win2k3)
Dave Slinn
Newsgroups: microsoft.public.inetserver.iis, microsoft.public.inetserver.iis.security
From: "Dave Slinn" <dsl...@accesscomm.ca>
Date: Wed, 7 Jul 2004 12:31:50 -0600
Local: Wed, Jul 7 2004 2:31 pm
Subject: Windows Authentication problem with IIS6 (Win2k3)
I have been wrestling with IIS6 security settings - I used to be able to do
this under older versions of IIS, but I can't seem to get it to work right
in IIS6.

We have a Windows 2003 Domain (pure 2K3).  I want to use Windows
Authentication for our Intranet applications that we write using ASP.NET.

I believe the problem to be something related to the Kerberos technology,
but I don't know enough about it to resolve my issue.  Basically, when I
enable Integrated Windows Authentication as the Authentication method for my
application, users (who are logged on locally to the same network as the web
server) are prompted for a login and password.  After entering the username
and password and clicking OK, the login dialog reappears, asking for the
info again (even though it's still filled in).  Clicking OK again and the
same thing happens.  The third time you click OK, you get the following
error:

 - HTTP Error 401.2 - Unauthorized: Access is denied due to server
configuration.  Internet Information Services (IIS)

Checking the Event log, under the Security category, multiple entries of the
following exists:

Error Event ID: 529 - Failure Audit
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name:
    Domain:
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name: -
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 172.16.87.77
    Source Port: 0

First off - why is the browser prompting for a login name and password in
the first place?  Shouldn't integrated windows authentication use their
Windows credentials?  Oh yeah - I have checked - their browsers DO have the
Enable Integrated Windows Authentication setting checked in their browser
(which is IE6) advanced settings.

Secondly, I know I am not typing a bad username or password - it's the same
one I use to log on to Windows in the first place.  At first I thought the
account was locked out, but that wasn't it.

After spending several hours trying to find some help on the web and in the
MS knowledgebase, I came across a couple of articles (mostly relating to
Windows 2000) that talked about Kerberos and Delegation.

One article talked about ensuring the computer can be trusted for
delegation - so, in Active Directory, I changed the Computer Account for the
Web server (on the Delegation tab) from "Do not trust this computer
delegation" to "Trust this computer for delegation to any server (Kerberos
only)".  There is a third option, "Trust this computer for delegation to
specified services only" where it then offers to Use Kerberos only or Any
authentication protocol and you can define services for the account.  Would
that option make a difference?  What services do I add underneath?

I also tried another article suggestion, which was to modify the IIS
MetaBase using the adsutil.vbs script to set the "Negotiate,NTLM" parameter.
At first, neither option was set.  Then I set both (Negotiate and NTLM).  No
change.  Then tried just NTLM - still no luck.

The same article discussed using the SetSPN resource kit tool to add the
HTTP protocol, which I also did, and then I added HOST, but alas, neither
setting helped.

For some reason, I just can't seem to get Integrated Windows Authentication
to work on this web server (Windows 2003 Web Edition).

Basically, I am looking for a checklist of things I can check and
double-check to see if there is a configuration setting that I am missing to
get this to work.

If I can provide any more information that I haven't included, please ask...


Jeff Cochran
Newsgroups: microsoft.public.inetserver.iis, microsoft.public.inetserver.iis.security
From: jeff.nos...@zina.com (Jeff Cochran)
Date: Wed, 07 Jul 2004 22:27:36 GMT
Local: Wed, Jul 7 2004 6:27 pm
Subject: Re: Windows Authentication problem with IIS6 (Win2k3)
On Wed, 7 Jul 2004 12:31:50 -0600, "Dave Slinn" <dsl...@accesscomm.ca>
wrote:

[  Answered inline ]

But that doesn't mean IE will pass credentials.  If IE suspects the
site is not in an intranet or trusted zone, it doesn't pass
credentials.  Add your domain to the intranet security zone in IE.

>Secondly, I know I am not typing a bad username or password - it's the same
>one I use to log on to Windows in the first place.  At first I thought the
>account was locked out, but that wasn't it.

Is the web server in the domain?  I'm assuming it's a domain account
you use.

Have you looked at:

http://www.iisfaq.com/Default.aspx?tabid=2531
http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/e...

Jeff


David Slinn
Newsgroups: microsoft.public.inetserver.iis, microsoft.public.inetserver.iis.security
From: "David Slinn" <dsl...@accesscomm.ca>
Date: Wed, 7 Jul 2004 22:09:10 -0600
Local: Thurs, Jul 8 2004 12:09 am
Subject: Re: Windows Authentication problem with IIS6 (Win2k3)
Jeff - Thank you SOOOOO much - your suggestion to check out the IIS
Operations Guide (which I didn't even know existed) led me to the page
titled "Force NTLM Authentication".  It showed how to open the IIS
MetaBase.xml file in notepad and locate the NTAuthenticationProviders
property.  Once I found it, this is what it was set to:

    NTAuthenticationProviders=""Negotiate, NTLM""

* Note the double quotes on either end.

The page talked about deleting Negotiate part, but I found that my error was
actually caused by the double quotation marks - evidently left there by the
adsutil.vbs script I had run previously.  It "inserted" a quoted string
inside the existing quotes - which caused IIS all sorts of grief.  I removed
the extra quotes, setting it to NTAuthenticationProviders="Negotiate, NTLM".
Presto - it worked instantly.  For good measure, I also tried
NTAuthenticationProviders="NTLM".  That also worked great.  The only
difference being that the dual provider caused the IE login dialog to
appear, regardless of the IE setting regarding Enabling Integrated Windows
Authentication.  I have a hunch that may be related to the fact that my IIS
Application Pool runs as a domain user and not as a local machine account,
but I'll investigate further later.

There was obviously a bit of luck involved in finding this error - I hope
this post helps the next person to encounter this issue and saves them the
frustration I've gone through the past 24 hours.

Still - I can't complain too much - I still prefer a tightly locked-down
system that you have to open as opposed to previous IIS incarnations that
are causing all kinds of security grievances.  I sleep better at night
knowing that if it took me this long to get something working, with full
Administrator rights, documentation and access, script-kiddies have got
their work cut out for them.  :)

- Dave

"Jeff Cochran" <jeff.nos...@zina.com> wrote in message

news:40ef76a7.1070541647@msnews.microsoft.com...

http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/e...


David Wang [Msft]
Newsgroups: microsoft.public.inetserver.iis, microsoft.public.inetserver.iis.security
From: "David Wang [Msft]" <some...@online.microsoft.com>
Date: Thu, 8 Jul 2004 00:34:11 -0700
Local: Thurs, Jul 8 2004 3:34 am
Subject: Re: Windows Authentication problem with IIS6 (Win2k3)
This is FAQ and is actually mentioned in documentation in the same section
that talks about how to configure Application Pool Identity.

http://www.microsoft.com/resources/documentation/WindowsServ/2003/sta...

It happens in the following circumstance:
1. Application Pool Identity is Custom
2. Authentication Protocol is Integrated
3. Server is in a domain

This, together with the default value of NtAuthenticationProviders of
Negotiate,NTLM, causes the 401.1 to be returned.

The fix, of course, is to either set NtAuthenticationProviders to be NTLM
(to not trigger Kerberos), or use setspn to set a service name under the
Custom AppPool Identity.

Many people have asked this exact question, but really, there is not a lot
that we can do other than give you documentation that should be read before
using Custom App Pool Identity.  I've also heard of many people getting
tricked by the extra ""s being added to the property value when using
ADSUTIL.VBS -- I've personally never had problems setting that property with
or without ""s.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//



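The two failure causes discussed in this thread, the doubled quotes that adsutil.vbs left in NTAuthenticationProviders (Dave's post) and David Wang's three-condition Kerberos case (custom app pool identity, Integrated authentication, domain-joined server, Negotiate offered with no SPN for that identity), as an added Python checker that is not code from the thread or from Microsoft. The MetaBase.xml fragment is constructed, and the function names and boolean inputs to diagnose() are my own assumptions about how you would feed it the server's state.

```python
import re

# Constructed MetaBase.xml fragment mirroring the malformed value Dave quoted;
# it is not a capture from a real IIS 6 server.
SAMPLE_METABASE = '''
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Intranet"
    AppPoolId="IntranetPool"
    NTAuthenticationProviders=""Negotiate, NTLM""
>
</IIsWebServer>
'''

VALID_PROVIDERS = {"Negotiate", "NTLM"}  # the only provider names IIS 6 accepts
_PROP = re.compile(r'NTAuthenticationProviders="(.*)"')  # greedy, so inner quotes survive

def read_providers(metabase_text):
    """Return the raw NTAuthenticationProviders value, or None if the property is absent."""
    m = _PROP.search(metabase_text)
    return m.group(1) if m else None

def provider_tokens(raw):
    """Split a value such as 'Negotiate, NTLM' into provider names, ignoring stray quotes."""
    cleaned = raw.replace('"', "").replace("&quot;", "")
    return [t.strip() for t in cleaned.split(",") if t.strip()]

def check_providers(raw):
    """Findings about the value itself: embedded quotes (the adsutil.vbs artefact) or unknown tokens."""
    if raw is None:
        return []  # property absent: IIS uses its default of Negotiate,NTLM
    findings = []
    if '"' in raw or "&quot;" in raw:
        findings.append("embedded quotation marks in NTAuthenticationProviders; "
                        "IIS no longer sees a valid provider list and answers 401")
    for t in provider_tokens(raw):
        if t not in VALID_PROVIDERS:
            findings.append("unknown provider token %r" % t)
    return findings

def diagnose(metabase_text, custom_pool_identity, integrated_auth, domain_joined, spn_registered):
    """Add the Kerberos condition from the thread: custom app-pool identity + Integrated auth
    + domain-joined server + Negotiate offered, with no SPN for that identity, yields 401."""
    raw = read_providers(metabase_text)
    findings = check_providers(raw)
    offers_negotiate = raw is None or "Negotiate" in provider_tokens(raw)
    if (custom_pool_identity and integrated_auth and domain_joined
            and offers_negotiate and not spn_registered):
        findings.append("Negotiate offered but the custom app pool identity has no SPN: "
                        "set NTAuthenticationProviders to NTLM or register one with setspn")
    return findings
```

Running diagnose(SAMPLE_METABASE, True, True, True, False) reports both problems; after the value is corrected to "NTLM", or to "Negotiate,NTLM" with an SPN registered for the pool identity, it reports none.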