Greetings all – think I've got a rib-tickler for ya:
To get an overall idea of the usage of our in-house web-apps, I add in a bit of code which sends me an email whenever someone logs in (yeah – the apps obviously aren’t that busy)
The email just contains the login time and username (as returned by HTTP Context / Windows Principal etc) -> pretty standard stuff.
I noticed that for one particular user in a particular application, the username returned was not that of the actual user logging in. That is:
- Account that is returned is: “ABC\AdminPhil”
- Account that should be returned: “ABC\Phil”
Now Phil does use the AdminPhil account for administrative tasks on the domain (eg Server Administration), so it's not a completely random account - but he is logged in with the Bill account on his workstation when logging into the app.
Application & Environment details are as follows:
- Asp.Net 2.0 web app
- IIS 6 (Win2K3 SP2) – Domain member (SERVERA)
- IIS: Integrated Auth on V.Dir - Anonymous Disabled – (suspect it's using NTLM as I’ve not configured Kerberos?)
- Client machine: XP Pro SP2
- Client browser: IE7 (Integrated Auth Selected, but doesn’t alter the outcome either way)
So I initially went through the obvious to make sure it wasn’t an issue on Phil’s workstation (MachineX) or user profile (roaming).
- Ensured iexplore.exe process was running under ‘ABC\Phil’ account
- Forced launch of IE using ‘Run-As’ -> SAME RESULT
- Cleared out old profiles, temp files, etc etc, from MachineX -> SAME RESULT
- Logged Phil onto different MachineY -> SAME RESULT
- IE Run-As ‘ABC\Phil’ on different box MachineY -> SAME RESULT
- Tried running IE as a different user on Phil's MachineX -> WORKS FINE
- Even RECREATED Phil’s profile! -> SAME RESULT
Ran ADSIEdit to look at the two accounts thinking there might be some type of SID conflict or similar, but all looks fine.
This got me thinking it was something in the code on that app, even though it was identical to other apps where it returns the correct user string, so I created a simple page with the following code:
******************************************************
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    ' Identity that IIS Integrated Auth handed to ASP.NET for this request
    lblUser.Text = Page.User.Identity.Name
    ' Identity of the worker process itself (no impersonation configured)
    lblWindow.Text = System.Security.Principal.WindowsIdentity.GetCurrent().Name
    ' Principal attached to the request thread (should match Page.User)
    lblThread.Text = System.Threading.Thread.CurrentPrincipal.Identity.Name
End Sub
******************************************************
Adding this to a fresh page within the existing web-app returns (incorrectly):
- ABC\AdminPhil
- NT AUTHORITY\NETWORK SERVICE
- ABC\AdminPhil
So I created a brand new website on the same server / different app pool / port -> SAME RESULT.
I then deployed the same code to a different server (Win2K3 – IIS6 – Domain Member) -> BINGO: It correctly returns:
- ABC\Phil
- NT AUTHORITY\NETWORK SERVICE
- ABC\Phil
So it's server-specific. What could make a server in a domain believe IE is presenting credentials / ticket of a different user?
Does it cache these details somewhere in the metabase or the server itself and these have somehow become corrupt? Phil may well have logged into the server using his admin account (AdminPhil) to perform server tasks in the past.
I verified that both accounts did not have the same password in case an identical password hash somehow caused the issue.
I’m about to try the IIS AuthDiag tool to see if it picks up anything. I’ve also read that duplicate SPNs on the domain might cause issues?
Any other suggestions?
Thanks in advance,
Andrew
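A more complete version of the diagnostic page from the post, added here as an example rather than taken from the original poster's code. Besides the three names already shown, it records which protocol actually authenticated the request (the `AuthenticationType` of the identity and IIS's `AUTH_TYPE` server variable will read `NTLM`, `Negotiate` or `Kerberos`), the raw `LOGON_USER` value IIS recorded before ASP.NET built the principal, and the SID behind the token. The SID is the authoritative identity; the `ABC\AdminPhil` string is only a name lookup on it, so comparing the SID against what ADSIEdit shows for the two accounts separates "wrong token" from "wrong name resolution". The label control names (`lblUser`, `lblAuthType`, `lblLogonUser`, `lblSid`, `lblImpersonation`, `lblProcess`, `lblThread`) and the class name `AuthDiag` are assumed, not from the post.

```vb
' Added diagnostic page (example, not the original poster's code).
' Assumes an ASP.NET 2.0 web form whose designer file declares Label controls
' named lblUser, lblAuthType, lblLogonUser, lblSid, lblImpersonation,
' lblProcess and lblThread (hypothetical names).
Imports System
Imports System.Security.Principal
Imports System.Threading

Partial Class AuthDiag
    Inherits System.Web.UI.Page

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        Dim pageIdentity As IIdentity = Page.User.Identity

        ' Name IIS handed to ASP.NET after Integrated authentication
        lblUser.Text = pageIdentity.Name

        ' "NTLM", "Negotiate" or "Kerberos": which protocol authenticated this request
        lblAuthType.Text = pageIdentity.AuthenticationType & _
            " (authenticated=" & pageIdentity.IsAuthenticated.ToString() & ")"

        ' Raw server variables: what IIS recorded before ASP.NET built the principal
        lblLogonUser.Text = Request.ServerVariables("LOGON_USER") & _
            " via " & Request.ServerVariables("AUTH_TYPE")

        ' The token behind the principal: the SID is authoritative, the name is a lookup on it
        Dim winId As WindowsIdentity = TryCast(pageIdentity, WindowsIdentity)
        If winId IsNot Nothing Then
            lblSid.Text = winId.User.Value
            lblImpersonation.Text = winId.ImpersonationLevel.ToString()
        Else
            lblSid.Text = "(not a WindowsIdentity)"
            lblImpersonation.Text = "n/a"
        End If

        ' Worker-process identity (NETWORK SERVICE unless impersonation is enabled)
        lblProcess.Text = WindowsIdentity.GetCurrent().Name
        ' Principal attached to the request thread (should match Page.User)
        lblThread.Text = Thread.CurrentPrincipal.Identity.Name
    End Sub
End Class
```

Deploying this same page to the good server and the bad server and comparing the `AUTH_TYPE` and SID lines side by side tells you whether the two servers are even using the same authentication protocol, which is the first thing to establish before chasing duplicate SPNs.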