Previous Next

• 08-18-2008, 6:43 AM

  ncruz Joined on 07-31-2008, 12:39 PM Posts 9

  Kerberos troubleshotting Reply Contact Hello everyone, For the past week I've been trying to implement a solution using kerberos to a double hop issue that developed in the office. My scenario is a mixed windows based environment with the front-end running IIS 7.0 under Windows Server 2008, the middle-tiers running Windows Server 2003 with IIS 6.0 and finally the back-end working with Windows Server 2003, IIS 6.0 and MSSQL 2005. All virtual machines. I've been trying to debug this by enabling kerberos catching with the event viewer and using DelegConf tool to achive "all green" status in each tier, but still I've been unsuccessfull in getting everything to work properly. I've been using an old microsoft webcast as a base but no luck. As anyone messed with kerberos, IIS 7.0 and Windows Server recently? Could anyone suggest a good/proper set-up for debugging this? Thanks in advance, Nuno Cruz

  Tags: IIS 7.0Windows 2008 ServerKerberos

• 08-21-2008, 6:55 AM

  In reply to

  ncruz Joined on 07-31-2008, 12:39 PM Posts 9

  Re: Kerberos troubleshotting Reply Contact Hello again, I've decided to take notes on the steps I took in hope that someone could pinpoint flaws or mistakes with what I've done regarding implementing kerberos. The scenario is described in the post above, so please refer to it for context. Ok, here goes: In the AD, created a domain account named "kerberossvc" to be used on the middle tier computer. In the Back-End (SQL), made sure that the expected user account had permissions to access the database (i'll use impersonation in the middle-tier). Also created the SPNs for the account running sqlserver, both for computername and FQDN using port 1433 (like, setspn -A MSSQLsvc/FQDN:1433 SqlServerAccount). In the middle-tier computer, added the kerberossvc account to the IIS_WPG group. Also gave "adjust memory quotas" and "replace process-level token" rights to it and in IIS associated the account with the AppPool runnig the default website. In the site's web.config added <authentication mode="windows"/> and <identity impersonation="true"/> lines. Created the computer name and the FQDN SPNs for the AppPool account (like, setspn -A HTTP/FQDN domain\kerberossvc). In the IIS, made the site auth protocol be "windows integrated" only. Back in the AD, went to the users and computers, selected the middle-tier machine, delegation tab and selected "trust this computer... (kerberos only)". I know I should use constrain delegation but I'm trying to avoid probable pithfalls at this stage. Finally, in the front-end computer, in IIS default website, allowed for ASP.impersonation, windows integrated and anonymous auth. This site AppPool is run by a machine account (networkservice). Back in the AD configured the front-end computer to "trust this computer... specified services only" + "use any aut protocol" and added the SPNs created for the kerberossvc account as the services allowed here. This was basically what I did. What I was expecting was that, for example, I used JonSmith account and it would be "carrying" my user credentials from tier to tier to the back-end (and yes, JonSmith has permissions to access the target SQL database). What happens is a "dead stop in your tracks!" like the following event (captured in the front-end): An account failed to log on. Subject:    Security ID: NULL SID    Account Name: -    Account Domain: -    Logon ID: 0x0    Logon Type: 3    Account For Which Logon Failed: Account For Which Logon Failed:  Security ID:  NULL SID  Account Name:    Account Domain:   Failure Information:  Failure Reason:  Unknown user name or bad password.  Status:   0xc000006d  Sub Status:  0xc000006a Process Information:  Caller Process ID: 0x0  Caller Process Name: - Network Information:  Workstation Name: -  Source Network Address: 10.0.0.100  Source Port:  49182 Detailed Authentication Information:  Logon Process:  Kerberos  Authentication Package: Kerberos  Transited Services: -  Package Name (NTLM only): -  Key Length:  0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. So yeah.. I'm pretty sure I'm messing up somewhere. Btw, my testing as been done all in intranet environment and I'm forcing my test client machine to connect to the front-end by means of modifying the HOST file (I'm not really sure if this is relevant but I'm mentioning it anyway). I'm hoping some of you can provide me with some insight here. Thanks for the time reading this. Best regards, Nuno Cruz

• 09-02-2008, 2:52 PM

  In reply to

  gedwards Joined on 09-02-2008, 6:46 PM Posts 2

  Re: Kerberos troubleshotting Reply Contact I'm not sure if this will help, but on my W2008 server w/ IIS7, we're running WSS 3.0. We created a DNS name for the application, and also an SPN for this. It's reported as a duplicate SPN, but is needed for things to work. My understanding is that Kerberos is handled somewhat differently, in the kernel on W2008. We also turned off the windows firewall, and the service too. Greg E

• 09-04-2008, 5:41 AM

  In reply to

  ncruz Joined on 07-31-2008, 12:39 PM Posts 9

  Re: Kerberos troubleshotting Reply Contact Hi Greg, Thanks for the time to reply (and to register to do so :P) I was getting to feel a bit lonely here :) During testing I've stumble upon the "Kernel Mode Authentication" feature. I know that disabling this is probably a bad idea and, from what I've read, I should configure this over at the system.webServer/security/authentication/Windows-Authentication section but I found that disabling this will allow me to reach the target machine and also access the backend using kerberos (as seen in the event viewer). But even with this there's a problem with my setup since I can only make through while on the intranet, so exterior access to my target machine prompts me with invalid credentials. It's funny that you mentioned WSS 3.0 because I'm trying to setup this up for MOSS. If it's ok with you I'll probably also try to reach you by email in search for a lilltle more insight.