Search results matching tag 'Kerberos'

IIS Kerberos

DSoare — Mon, 05 Oct 2009 17:03:32 GMT

Hi,

I have Kerberos authentication turned on for one of our internal web sites. I have fulfilled all of the prerequisites (SPN, IE integrated authentication, and correct security zone) When I try to authenticate to the site from a widows server 2003 machine the authentication works fine. I have also found some XP workstations that work fine. I can see in the wireshark dumps that Kerberos is being used. I have tried to access the site from 3 other windows xp workstations and it generates an internal server error.

I used the monitoring tool in the Authentication & Access Control Diagnostics tool and I can see the error happening:

Successful login:

<AuthMonRow Number="64" tid="0xae4" Date="09/29/2009 23:15:19.294"
Name="AcceptSecurityContext" Result="0x0" ContextAttr="0x802"
Package="Kerberos" UserName="REMOVED"
ClientName="REMOVED"
ServerName="REMOVED"
time_taken="63 ms"
/>

Failed login:

<AuthMonRow Number="53" tid="0x254" Date="09/29/2009 23:15:15.872"
Name="AcceptSecurityContext" Result="0x80090300" ContextAttr="0x0"
Package="" UserName=""
ClientName=""
ServerName=""
time_taken="0 ms"
/>

I looked up the AcceptSecurityContext function and found that the error result is "SEC_E_INSUFFICIENT_MEMORY - The function failed. There is not enough memory available to complete the requested action."

http://msdn.microsoft.com/en-us/library/aa374703%28VS.85%29.aspx

I know that can't be the case, the same user was used on both attempts, and the authentication header was smaller on the failed login.

Any one have some insight\help?

Thanks,

Dwayne.

Re: Windows Authentication Failing in IIS with IE8

WaterWolf12345 — Fri, 25 Sep 2009 15:40:11 GMT

Okay, I enabled kerberos logging as per this article: http://support.microsoft.com/?kbid=262177

There's now a couple of kerberos error messages in my event log, I don't know if they were caused by IIS or not. Error Code: 0xd KDC_ERR_BADOPTION and Error Code: 0xd KDC_ERR_BADOPTION. I'll have to see if I can figure out what they mean.

Kerberos Authentication mystery with IE7

filip.goris@flip.be — Wed, 16 Sep 2009 16:57:17 GMT

We have the most strange situation here when IE7 clients try to authenticate on an IIS6-based intranet application. I hope somebody can help me explain.

Our .asp application is running in domain "belgium.local". Integrated Windows authentication works fine for users in that domain. Users in domain "holland.local" however get a 401 error after a loooong timeout when trying to access the app. Their event logs show LsaSrv errors 40960 and 40961, which tells me it's a Kerberos-thing. There's a mutual trust between belgium.local and holland.local.

We've been troubleshooting in all directions and installed Firefox. Firefox showed us a login box, which told us it was failing over to Basic Authentication. That seemed right since it doesn't use Integrated Authentication until you tell it to. So we told it to use Kerberos by adding domain "belgium.local" to network.negotiate-auth.trusted-uris (which is about the same as enabling Integrated Windows authentication in IE7 and adding the site to my Local Intranet Zone. Cfr. http://grolmsnet.de/kerbtut/firefox.html for example.)

Now here's the odd part. After making this configuration change in Firefox, IE7 running on the same client computer will work too.
"Ah, but that's normal" I hear you say, "because the Kerberos ticket is still there and valid."
The strange thing is it will continue to work after I use Kerbtray to purge the tickets. My ticket for HTTP/app.belgium.local will show up again as soon as I visit the site with IE7. It is as if IE7 uses the Firefox configuration in some way to retrieve a ticket.

The really scary part is this: after I restore the Firefox configuration back to normal (e.g. delete all domains from the network.negotiate-auth.delegation-uris setting), IE7 will continue to work!? It is as if somehow I showed it how to get at ticket when I configured Firefox, and it "remembers" this now.

Can somebody tell me what is happening? I would like to get this to work without installing and removing Firefox on all my clients ;)

IIS Session Timeout problem

Usman Sadjid — Tue, 15 Sep 2009 10:36:52 GMT

Hi,

I am having problems trying to work out if it is possible to share iis session timouts accross web applications in the following scenario: -

In my environment there are 2 IIS Web Servers on the same network domain.

One of the servers will host a .NET web application. The other will host a COTS document management system (OpenText Livelink Enterprise Server) which is not a .NET web application. Both web applications will be using windows authentication.

The COTS system will access the .NET web application such that when a User logs on to the COTS system, the .NET web application is accessed either via a web service or through a .NET aspx webpage. The problem we have is that our client has a requirement in order to maintain iis timeouts accross both applications such that the same timeout period will effectively timeout a user from both the COTS system and the .NET web application at the same time. By timeout, I mean require the user to re-authenticate.

My first question is, is it possible to pass an authentication token through from the COTS web application to the .NET web application in this scenario. Secondly and more importantly, is it possible to handle iis session timeouts as described above? If so, could you please direct me to any articles that may be of use, as I can't seem to find anything.

Any help would be greatly appreciated.

Thanks in advance.

Java-Applet authenticates with NTLM instead of Kerberos, Double-Hob-Issue

Irgi — Thu, 10 Sep 2009 14:09:57 GMT

I have a well running 3-tier web application in a Windows 2003 domain. The Internet-Explorer Clients call aspx-pages ont he webserver. The webserver then performs a DCOM call to a document management server using impersonation. It all works fine using only aspx pages. Checking the thread principal before doing the call to DCOM shows me the correct Windows-User on the client machine and the Authentication-Type "Kerberos".

Here comes the problem:

There is a java-applet (which is a third party thing) in one of the webpages to allow the user to drag documents onto it and then it calls an aspx page to upload the document.

Checking the thread principal before doing the call to DCOM shows me the correct Windows-User on the client machine but the Authentication-Type "NTLM". The thread now tries to call DCOM using the "Anonymous" user (I see this in the eventlog of the server that hosts the DCOM object) and throws an exception when i call Activator.CreateInstance(type). Looks like the classic "Double-Hop-Issue".

Any ideas how to fix this or work around it?

Help with backend failover cluster SPN delegation.

Kapn.K — Tue, 25 Aug 2009 16:30:05 GMT

I have 2 network names. 1 for the cluster and one for the file server resource. When I configure the account, that runs app pools on my nlb, to delegate to the host and cif's service(cluster attached to san), I use the file server name(b/c that's what I specify in IIS file location), right? The person that built the cluster did so w/o creating the computer objects for the cluster name and file server name(we don't have permissions to create the accounts but I can work with the people that do). Can I just create the file server name and spn's for that name and give permission to the cluster service account? Or do I need to create the cluster name object as well?

Thanks,

Steve

One Domain App Pool account/server for Kerberos?

Kapn.K — Mon, 17 Aug 2009 18:57:44 GMT

If I have multiple app pools on a server, and SPN's created for each website(ie: setspn -a http\webapp1.example.com domain\account, and setspn -a http\webapp2.....), Will kerberos still work? I thought I read a while back the I can only have one account that all the app pools would run as or force NTLM. Is this correct? I need kerberos due to remote webroots(on a SAN) and I wish to pass through credentials. Currently, I must request spn's as I am not allowed to create them, myself. Can I only use one domain account per server?

Thanks,

Steve

How many SPN's do I need? NLB/MSCS

Kapn.K — Thu, 09 Jul 2009 21:04:15 GMT

I have nlb groups and multiple sites(each site has own application pool).

I would like to have one account that all the app pools run under.

I couldn't get kerberos working(necessary for remote file-share webroot) using the machine accounts but I was able to with a user account.

Do I need to do this for each site(not machine)?

setspn -A HTTP/website1.domain.com domain\service account

setspn -A HTTP/website2.domain.com domain\service account

Or does that cause the duplicate SPN? If so, do I need a separate service account for each site/app pool?

Thanks,

Steve

NLB iis 6.0 trust for delegation to pass IWA credentials to MSCS file share.

Kapn.K — Fri, 05 Jun 2009 16:58:33 GMT

I have 2 iis 6.0 boxes load balanced and the web files are located on a san that is shared by two clustered file servers. I'm trying to stay away from the "connect as" scenario so that I may leverage my ntfs permissions. In AD, I checked the "trust for delegation" check box for both of the iis machine accounts. All machines are in a 2003 functional level domain. If I uncheck integrated auth for the web site and check basic, I can enter my credentials and it lets me through. I've read the technet stuff but can't seem to figure it out. Any help is greatly appreciated.

Thanks.

Kerberos Delegation with Cross Forest Non-transitive Trust

adweigert — Thu, 16 Apr 2009 13:28:46 GMT

I have two domains in separate forests with a two-way non-transitive trust, a resource domain and a user domain. The resource domain hosts an application and only allows certain users in the user domain to access it. There is an application tier that hosts a web service that the user credentials need to be passed to. If I use a user in the resource domain, kerberos delegation works fine, however for users in the user domain I am seeing their authentication getting forced to NTLM instead of kerberos when access the web server in the resource domain. I hope this makes sense and someone can tell me I cannot do this or that I can and might have a hint at what I might be missing. I am sure SPN and delegation settings are setup correctly, at least for users in the resource domain. ... Adam