
Thread: Windows Auth + CNAME Problem

Last post 05-28-2009 2:57 PM by kateroh. 7 replies.


  • 05-25-2009, 10:03 AM

    • j4sander
    • Not Ranked
    • Joined on 05-25-2009, 1:31 PM
    • Posts 5

    Windows Auth + CNAME Problem

    I am trying to get a new server up and running on Windows Server 2008 Standard SP1 (aka RTM) w/ all updates and IIS7. Everything looked OK, but when accessing the server locally, using a DNS CNAME, I get three password prompts followed by a 401.1.

    Local Server to "localhost" Ok (NTLM)
    Local Server to "<Server>" Ok (NTLM)
    Local Server to "<CNAME>" Fails

    Remote Client to "<Server>" Ok (Kerberos)
    Remote Client to "<CNAME>" Ok (Kerberos)

    Using Fiddler, the failing request is using "<Server>" as the SPN (as expected).  Now, this may not be an IIS specific issue, as the same thing happens with SQL Reporting Services 2008, which does not rely on IIS.  Kerberos/NTLM detected using DelegConfig.

    Failed Request Tracing generates six logs for one attempt to connect.

    1. AUTHENTICATE_REQUEST
    2. AUTHENTICATE_REQUEST - Access is denied. (0x80070005)
    3. AUTHENTICATE_REQUEST
    4. AUTHENTICATE_REQUEST
    5. AUTHENTICATE_REQUEST
    6. AUTHENTICATE_REQUEST - Access is denied. (0x80070005)

    Any ideas on what to try next would be greatly appreciated.

    Thanks!
    Joe

  • 05-25-2009, 1:37 PM In reply to

    • j4sander

    Re: Windows Auth + CNAME Problem

    Update:

    I have replaced the CNAME with an A record and added the SPN, still no luck.

  • 05-25-2009, 4:32 PM In reply to

    Re: Windows Auth + CNAME Problem

    Can you try WFetch to get the resource locally using pre-authentication? When you choose "Negotiate", you can also see whether Kerberos or NTLM authenticates you, because Kerberos auth blobs are much bigger than NTLM blobs. You will see the trace: the initial request will come back with 401, which is expected, and the next request that WFetch will automatically send on your behalf, with the Authorization header set, should come back with 200.

    If you still get 401, there might be some proxy issues. You can try to add an exception for your CNAME to bypass the proxy and try again.

    Thanks,
    Katerina Rohonyan, SDET, Microsoft IIS Team
  • 05-26-2009, 12:34 PM In reply to

    • j4sander

    Re: Windows Auth + CNAME Problem

    When I try WFetch, I get 401s for pages that work in IE (localhost, etc).  Failed request tracking shows "The token supplied to the function is invalid (0x80090308)" and I get a 401 back with WFetch.
  • 05-26-2009, 2:13 PM In reply to

    • j4sander

    Re: Windows Auth + CNAME Problem

    It seems that all the problems go away if I switch the application pool from classic to integrated. However, the software requires a classic application pool. Any idea what the difference there is?

    SQL Reporting and the Application Pool are running as (different) domain accounts.  SPNs (computer and alias, with and without domain name) are registered to the computer account.
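    The post above describes HTTP SPNs registered to the computer account while the application pool runs as a domain user. The following script is an added diagnostic example (not from this thread, and not a Microsoft tool): it reports which Active Directory account holds the HTTP (or, failing that, HOST) SPN for the server name and its alias, and compares the holder against the app pool identity. The names in the parameters are placeholders; it assumes a domain-joined machine with PowerShell 2.0 or later and an ADSI searcher against the current domain.

```powershell
# Added example: find which AD account holds the Kerberos SPN for each name an
# IIS site is reached by, and compare it with the application pool identity.
# A service ticket is encrypted with the SPN holder's key, so if the holder is
# not the account the pool runs as, the pool cannot decrypt the ticket.
param(
    [string]$ServerName      = 'SERVER',            # placeholder for <Server>
    [string]$Alias           = 'ALIAS',             # placeholder for <CNAME>
    [string]$AppPoolIdentity = 'DOMAIN\svcaccount'  # placeholder pool identity
)

function Get-SpnHolders {
    # Returns the sAMAccountName of every AD object carrying the given SPN.
    param([string]$Spn)
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName')) | Out-Null
    foreach ($r in $searcher.FindAll()) {
        [string]$r.Properties['samaccountname'][0]
    }
}

# Check short and fully qualified forms, since clients may request either SPN.
$domainDns = (Get-WmiObject Win32_ComputerSystem).Domain
$names     = @($ServerName, "$ServerName.$domainDns", $Alias, "$Alias.$domainDns")
$expected  = ($AppPoolIdentity -split '\\')[-1]    # sAMAccountName of DOMAIN\user

foreach ($n in $names) {
    $spn     = "HTTP/$n"
    $holders = @(Get-SpnHolders $spn)
    if ($holders.Count -eq 0) {
        # Without an explicit HTTP SPN, Kerberos falls back to HOST/<name>,
        # which normally belongs to the computer account (fine for Network Service).
        $spn     = "HOST/$n"
        $holders = @(Get-SpnHolders $spn)
    }
    switch ($holders.Count) {
        0 { "$spn : not registered (Kerberos cannot be used for this name)" }
        1 {
            if ($holders[0] -ieq $expected) { "$spn : OK, held by $($holders[0])" }
            else { "$spn : held by $($holders[0]), but the app pool runs as $expected" }
        }
        default { "$spn : DUPLICATE, held by $($holders -join ', ')" }
    }
}
```

    A line reporting a holder other than the pool identity, or a duplicate SPN, is the condition to fix before looking further at IIS; run it for each pool identity in use (the TFS pool and the Reporting Services account separately).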

  • 05-27-2009, 3:23 PM In reply to

    Re: Windows Auth + CNAME Problem

    Can you please check if your app pools are running under the same identity (should be Network Service in W2K8 SP1)?

    Also, you can use this tool to set up IIS and Active Directory correctly: DelegConfig: http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1434. Just unpack the zip file, create a new website and make it point to the unzipped location. When you access the default page of this website, it will give you a very useful report that hopefully will help you to spot the problem.

    Thanks,
    Katerina Rohonyan, SDET, Microsoft IIS Team
  • 05-27-2009, 3:43 PM In reply to

    • j4sander

    Re: Windows Auth + CNAME Problem

    The server has three web sites (different ports), each with their own app pool, as well as SQL 2008 Reporting.

    One app pool is for VS TFS 2008, and runs as a domain user. Reporting does not use IIS, but it is also running as a domain user (different from VS TFS). Both TFS and Reporting are having this problem. The other two app pools, which run as Network Service, are unaffected as they use anonymous / ASP.NET Forms authentication.

    I've tried using DelegConfig but I get "ServicePrincipalName information for the DOMAIN\SERVER$ (NT AUTHORITY\NETWORK SERVICE) account could not be determined."

    Thanks,
    Joe

  • 05-28-2009, 2:57 PM In reply to

    Re: Windows Auth + CNAME Problem

    Network Service account is a local account and won't be understood by any other machine on the network. So if you are trying to access a resource outside of your local box realm (UNC share or shared config), your process will run as the Network Service identity and most likely fail (unless the other box also has a local Network Service account with exactly the same password). Can you change the app pool identity to be a domain user and see if the site works?

    Thanks,
    Katerina Rohonyan, SDET, Microsoft IIS Team