| Author | Messages |
| bbernie1@xxxx.yyy | 05/17/2006 9:18 AM |
OK...I've got a nice issue here and I've been bashing my head against my desk to the point where I need help. I'm writing a very directory intensive application in C# with ASP.Net 2.0. If I authenticate to the webpage via NTLM my directory calls will fail, this is because of the NTLM double hop (trying to pass it from the client to IIS and do stuff to Active Directory). Sooooo I say I'll use Kerberos instead, I figured if I enabled the computer object for the IIS box to be trusted for delegation and give it an HTTP SPN it should work. It will work locally from the webserver, but not from any client. My guess is it wants to the client computers to be trusted as well to support the mutual auth (I hope I'm wrong). Any suggestions?
-Brandon
| tonyszko (Posts: 140) | 05/17/2006 10:29 AM |
This is an example regarding WMI, but it should work in general for other
connections as well:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/connecting_to_a_3rd_computer-delegation.asp
If you have some problems setting this up, you may try AuthDiag as a
first troubleshooting tool for IIS:
http://www.microsoft.com/downloads/details.aspx?FamilyID=e90fe777-4a21-4066-bd22-b931f7572e9a&DisplayLang=en
--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
| ken (Posts: 171) | 05/17/2006 11:46 AM |
There's lots of information missing from your post.
If you are using a FQDN or IP address to access the site, then
the site must be in IE's Intranet Security zone (not Internet zone). IE
doesn't attempt Kerberos authentication for sites in the Internet zone.
You haven't mentioned what security contexts you are
running your website under. If your web application is running under a custom
account, all applications accessible at the same FQDN must also be running
under that account (even if they are in a different web app pool). And you need
to register the SPN under that custom account. If you are using the default
Network Service account, then you do not need to register a HTTP SPN unless you
are using a non-default port.
So, perhaps you can give us the following configuration details?
a) Is website in Intranet security zone in IE?
b) Is "Enable Integrated Windows AuthN" enabled in IE?
c) Is IIS computer account trusted for delegation in AD?
d) What is the URL you are using to access the site, what SPN did
you register and where?
e) The other applications accessible at the FQDN/IP address - are
they also running under the same user context?
f) In the Security event log, what logon failure events do you see?
Can you cut-n-paste them here please?
Cheers
Ken
--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Boston 2006 See you there: Everything the web administrator needs to know about MOM 2005
| bbernie1@xxxx.yyy | 05/18/2006 1:01 AM |
I am running the application pool for this website as "Network Service".
It is not explicitly defined in my IE Intranet Security Zone, but we
have a proxy script that enables "bypass from proxy server" and we have
that condition in IE security zone enabled, so yes it's there. I know it
is using Kerberos (unless .Net is wrong) because I do a catch that poops
out the user context
System.Security.Principal.WindowsIdentity.GetCurrent().ImpersonationLevel.ToString();
System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType;
and
HttpContext.Current.User.Identity.Name.ToString();
A.) Yes
B.) Yes
C.) Yes
D.) Until development is completed it is accessed under the server FQDN,
I registered an HTTP SPN as follows: "setspn -a servername.com servername".
E.) Yes
F.) I'm not getting any related failures on either the IIS server or the
DC it is contacting.
My network traces show it trying to auth as NTLM...I thought if it
can use kerb it does that first then NTLM...I'm going to add
NTAuthenticationProviders=Negotiate in the metabase for this site so it
forces kerb or nothing. Thanks again!
-Brandon
| bbernie1@xxxx.yyy | 05/18/2006 1:16 AM |
I forgot one detail. I am accessing this site from a computer that is
joined up to a different forest. That metabase key
NTAuthenticationProviders also didn't do what I was hoping for.
-Brandon
| ken (Posts: 171) | 05/19/2006 2:32 AM |
: I am running the application pool for this website as "Network
: Service".
: It is not explicitly defined in my IE Intranet Security Zone, but we
: have a proxy script that enables "bypass from proxy server" and we
: have that condition in IE security zone enabled, so yes its there.
I would recommend against making assumptions for reasons that are listed
below. Verify by looking at the icon in IE.
: I know it is using Kerberos (unless .Net is wrong) because I do a
: catch that poops out the user context
:
: System.Security.Principal.WindowsIdentity.GetCurrent().ImpersonationLevel.ToString();
: System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType;
How do you know this is Kerberos and not NTLM?!? I think you are making an
assumption here as well. As you say below, your packet capture is showing
NTLM. You could look in the Windows Security event log on the IIS box to
find out which package is being used to authenticate the user.
: D.) Until development is completed it is accessed under the server FQDN,
: I registered an HTTP SPN as follows: "setspn -a servername.com
: servername".
Remove this SPN, it is not necessary. If you are running as Network Service,
the HOST SPN will be fine.
: My network traces show it trying to auth as NTLM...I thought if it
: can use kerb it does that first then NTLM
This is an incorrect assumption. There is no fall back. If IE is using NTLM,
then Kerberos is not being attempted at all. This is why I want you to verify
that IE thinks the site is in the Intranet security zone.
: ...I'm going to add
: NTAuthenticationProviders=Negotiate in the metabase for this site so
: it forces kerb or nothing. Thanks again!
This is another assumption. The Negotiate HTTP header does not force
Kerberos. It is a fancy way of telling the client that Kerberos is available
(and so is NTLM, and the browser needs to choose which out of the two it
wants to use). If you already have the Negotiate header in there, then IE is
deliberately choosing to use NTLM, and editing this property will not help
you.
If Negotiate is not there at all (and only NTLM is there), then you will need
to add it, and that may fix your problem.
Cheers
Ken
| ken (Posts: 171) | 05/19/2006 2:42 AM |
Well, you need to ensure that referrals are happening properly (so that the
DC in your domain is referring you to the correct KDC in the foreign domain
in the foreign forest).
Cheers
Ken
| bbernie1@xxxx.yyy | 05/19/2006 12:00 PM |
Ken,
Thanks for the help. The problem was someone felt the need to audit
computer objects in my testlab and was walking behind me turning off
that specific computer for delegation. Grrrrrr.
-Brandon
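A diagnostic script, added here as an example and not part of the thread, that checks the two things Ken's replies and Brandon's resolution turn on: whether the IIS computer account is still trusted for delegation and which SPNs it carries, and which authentication package (Kerberos or NTLM) the Security log actually recorded for network logons instead of inferring it from the Negotiate header. It assumes the ActiveDirectory module (Get-ADComputer) and Get-WinEvent with event 4624, which are newer than the IIS 6 / Windows Server 2003 environment in the thread; the host name and event count are parameters.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and
# Get-WinEvent (event 4624); on the Windows Server 2003 boxes in the thread the
# equivalent events are 540/528 with the same "Authentication Package" field.
# Run on the IIS box as an administrator.
param(
    [string]$IisHost = $env:COMPUTERNAME,   # computer account to inspect
    [int]$MaxEvents = 500                   # how many recent logon events to sample
)

Import-Module ActiveDirectory

# 1. Delegation and SPN state of the IIS computer account. Ken's point c), and
#    Brandon's eventual root cause: the flag had been switched off behind him.
$computer = Get-ADComputer -Identity $IisHost -Properties TrustedForDelegation, ServicePrincipalNames
"{0}: TrustedForDelegation = {1}" -f $computer.Name, $computer.TrustedForDelegation
if (-not $computer.TrustedForDelegation) {
    Write-Warning "Computer account is NOT trusted for delegation; the second hop to AD will fail."
}
"Registered SPNs:"
$computer.ServicePrincipalNames | Sort-Object | ForEach-Object { "  $_" }

# Per Ken's reply: running as Network Service on the default port, the HOST/
# SPNs on the computer account are sufficient and no extra HTTP/ SPN is needed.
$hostSpns = $computer.ServicePrincipalNames | Where-Object { $_ -like 'HOST/*' }
if (-not $hostSpns) { Write-Warning "No HOST/ SPN found on the computer account." }
$httpSpns = $computer.ServicePrincipalNames | Where-Object { $_ -like 'HTTP/*' }
if ($httpSpns) { "Extra HTTP/ SPNs present (check they are not duplicated on another account):"; $httpSpns }

# 2. Which package actually authenticated the web users? Event 4624 carries
#    AuthenticationPackageName; IIS integrated auth produces network logons
#    (LogonType 3), so only those are kept.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents -ErrorAction Stop
$rows = foreach ($e in $events) {
    $data = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    if ($data.LogonType -eq '3') {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Package = $data.AuthenticationPackageName
            Source  = $data.IpAddress
        }
    }
}
"Network logons by authentication package (last $MaxEvents 4624 events):"
$rows | Group-Object Package | Select-Object Name, Count | Format-Table -AutoSize

# NTLM rows from browser clients mean Kerberos did not complete for that request;
# a Negotiate header alone does not imply Kerberos. Work through the IE zone,
# SPN and delegation items above for those sources.
"Most recent NTLM network logons:"
$rows | Where-Object Package -eq 'NTLM' | Select-Object -First 10 | Format-Table -AutoSize
```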
| ken (Posts: 171) | 05/20/2006 1:35 AM |
Wow - that would be frustrating. Glad you got it sorted.
Cheers
Ken
--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Tech.Ed Boston 2006 See you there: Everything the web administrator needs to know about MOM 2005
: -----Original Message-----
: From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-
: owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Bernier, Brandon (.)
: Sent: Friday, 19 May 2006 9:57 PM
: To: ActiveDir@xxxxxxxxxxxxxxxxxx
: Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:
: Ken,
:
: Thanks for the help. The problem was someone felt the need to audit
: computers objects in my testlab and was walking behind me turning off
: that specific computer for delegation. Grrrrrr.
:
: -Brandon
:
: -----Original Message-----
: From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
: [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Ken Schaefer
: Sent: Thursday, May 18, 2006 10:41 PM
: To: ActiveDir@xxxxxxxxxxxxxxxxxx
: Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:
: Well, you need to ensure that referrals are happening properly (so
: that
: the DC in your domain is referring you to the correct KDC in the
: foreign
: domain in the foreign forest)
:
: Cheers
: Ken
:
:
: : -----Original Message-----
: : From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-
: : owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Bernier, Brandon (.)
: : Sent: Thursday, 18 May 2006 11:10 PM
: : To: ActiveDir@xxxxxxxxxxxxxxxxxx
: : Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
: :
: : I forgot one detail. I am accessing this site from a computer that
: is
: : joined up to a different forest. That metabase key
: : NTAuthenticationProviders also didn't do what I was hoping for.
: :
: : -Brandon
: :
: : -----Original Message-----
: : From: Bernier, Brandon (.)
: : Sent: Thursday, May 18, 2006 8:56 AM
: : To: 'ActiveDir@xxxxxxxxxxxxxxxxxx'
: : Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
: :
: : I am running the application pool for this website as "Network
: : Service". It is not explicitly defined in my IE Intranet Security Zone,
: : but we have a proxy script that enables "bypass from proxy server" and
: : we have that condition in IE security zone enabled, so yes it's there.
: : I know it is using Kerberos (unless .Net is wrong) because I do a catch
: : that poops out the user context
: :
: : System.Security.Principal.WindowsIdentity.GetCurrent().ImpersonationLevel.ToString();
: :
: : System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType;
: :
: : and
: :
: : HttpContext.Current.User.Identity.Name.ToString();
: :
: : A.) Yes
: : B.) Yes
: : C.) Yes
: : D.) Until development is completed it is accessed under the server FQDN,
: : I registered an HTTP SPN as follows: "setspn -a servername.com
: : servername".
: : E.) Yes
: : F.) I'm not getting any related failures on either the IIS server or the
: : DC it is contacting.
: :
: : My network traces show it trying to auth as NTLM...I thought if it
: : can use kerb it does that first then NTLM...I'm going to add
: : NTAuthenticationProviders=Negotiate in the metabase for this site so it
: : forces kerb or nothing. Thanks again!
: :
: : -Brandon
: :
: : ________________________________
: :
: : From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
: : [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Ken
: Schaefer
: : Sent: Wednesday, May 17, 2006 7:45 PM
: : To: ActiveDir@xxxxxxxxxxxxxxxxxx
: : Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
: :
: :
: :
: : There's lots of information missing from your post.
: :
: : If you are using a FQDN or IP address to access the site, then the site
: : must be in IE's Intranet Security zone (not Internet zone). IE doesn't
: : attempt Kerberos authentication for sites in the Internet zone.
: :
: : You haven't mentioned what security contexts you are running your
: : website under. If your web application is running under a custom
: : account, all applications accessible at the same FQDN must also be
: : running under that account (even if they are in a different web app
: : pool). And you need to register the SPN under that custom account. If
: : you are using the default Network Service account, then you do not need
: : to register a HTTP SPN unless you are using a non-default port.
: :
: : So, perhaps you can give us the following configuration details?
: :
: : a) Is website in Intranet security zone in IE?
: : b) Is "Enable Integrated Windows AuthN" enabled in IE?
: : c) Is IIS computer account trusted for delegation in AD?
: : d) What is the URL you are using to access the site, what SPN did
: : you register and where?
: : e) The other applications accessible at the FQDN/IP address - are
: : they also running under the same user context?
: : f) In the Security event log, what logon failure events do you
: : see? Can you cut-n-paste them here please?
: :
: :
: :
: : Cheers
: :
: : Ken
: :
: :
: :
: : --
: :
: : My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
: :
: : Tech.Ed Boston 2006 See you there: Everything the web administrator
: : needs to know about MOM 2005
: :
: : ________________________________
: :
: : From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
: : [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Bernier,
: : Brandon (.)
: : Sent: Thursday, 18 May 2006 6:51 AM
: : To: ActiveDir@xxxxxxxxxxxxxxxxxx
: : Subject: [ActiveDir] [OT] IIS6 - Kerb/NTLM
: :
: :
: :
: :
: :
: : OK...I've got a nice issue here and I've been bashing my head against
: : my desk to the point where I need help.
: :
: : I'm writing a very directory intensive application in C# with ASP.Net
: : 2.0. If I authenticate to the webpage via NTLM my directory calls will
: : fail, this is because of the NTLM double hop (trying to pass it from the
: : client to IIS and do stuff to Active Directory). Sooooo I say I'll use
: : Kerberos instead, I figured if I enabled the computer object for the IIS
: : box to be trusted for delegation and give it an HTTP SPN it should work.
: : It will work locally from the webserver, but not from any client. My
: : guess is it wants the client computers to be trusted as well to
: : support the mutual auth (I hope I'm wrong). Any suggestions?
: :
: : -Brandon
: :
: :
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |