Search results matching tag 'NTLM'

Combine forms and NTLM authentication IIS7

bcdt — Thu, 01 Oct 2009 16:54:09 GMT

Is it possible to combine NTLM authentication and forms authentication on IIS7?

The setup I need to achieve is internal users authenticated via integrated windows authentication and external users authenticated via forms. So only external users have to login via a form; internal, already authenticated users, navigate straight to the site.

I've already tried the approach detailed at:

http://mvolo.com/blogs/serverside/archive/2008/02/11/IIS-7.0-Two_2D00_Level-Authentication-with-Forms-Authentication-and-Windows-Authentication.aspx

but that setup forces all users to authenticate with *both* windows *and* forms authentication, 2 level authentication, not an 'either/or' situation.

I had this working on IIS6 using a IP range check to redirect to the appropriate page as detailed here:

http://beaucrawford.net/post/IIS-ldquo3bmixed-moderdquo3b-authentication-for-ASPNET-Application.aspx

but it breaks in IIS7. I think it's because you can't remove forms auth from the integrated windows page once it's enabled for the site...

The core problem seems to be that anonymous authentication must be disabled for NTLM auth but enabled for forms auth. I read in the Wrox Pro IIS7 book that forms auth is code based, all other authentication types rely on credentials transported in HTTP headers - 302 redirect for forms, 401 challenge for integrated, so they should be incompatible?, but as IIS7 has an integrated pipeline I think I should be able to customize authentication? but if that requires writing a custom HttpModule that's a pretty advanced subject.

Can the pattern Mike used in the first link be modified to achieve what I want? Or is that approach completely wrong for this situation? Perhaps I can achieve this more simply via configuration?

Any suggestions would be much appreciated, as I've worked through 2 wrox IIS7 books and still can't solve this problem.

Re: Windows Authentication Failing in IIS with IE8

WaterWolf12345 — Fri, 25 Sep 2009 15:40:11 GMT

Okay, I enabled kerberos logging as per this article: http://support.microsoft.com/?kbid=262177

There's now a couple of kerberos error messages in my event log, I don't know if they were caused by IIS or not. Error Code: 0xd KDC_ERR_BADOPTION and Error Code: 0xd KDC_ERR_BADOPTION. I'll have to see if I can figure out what they mean.

IIS Session Timeout problem

Usman Sadjid — Tue, 15 Sep 2009 10:36:52 GMT

Hi,

I am having problems trying to work out if it is possible to share iis session timouts accross web applications in the following scenario: -

In my environment there are 2 IIS Web Servers on the same network domain.

One of the servers will host a .NET web application. The other will host a COTS document management system (OpenText Livelink Enterprise Server) which is not a .NET web application. Both web applications will be using windows authentication.

The COTS system will access the .NET web application such that when a User logs on to the COTS system, the .NET web application is accessed either via a web service or through a .NET aspx webpage. The problem we have is that our client has a requirement in order to maintain iis timeouts accross both applications such that the same timeout period will effectively timeout a user from both the COTS system and the .NET web application at the same time. By timeout, I mean require the user to re-authenticate.

My first question is, is it possible to pass an authentication token through from the COTS web application to the .NET web application in this scenario. Secondly and more importantly, is it possible to handle iis session timeouts as described above? If so, could you please direct me to any articles that may be of use, as I can't seem to find anything.

Any help would be greatly appreciated.

Thanks in advance.

Java-Applet authenticates with NTLM instead of Kerberos, Double-Hob-Issue

Irgi — Thu, 10 Sep 2009 14:09:57 GMT

I have a well running 3-tier web application in a Windows 2003 domain. The Internet-Explorer Clients call aspx-pages ont he webserver. The webserver then performs a DCOM call to a document management server using impersonation. It all works fine using only aspx pages. Checking the thread principal before doing the call to DCOM shows me the correct Windows-User on the client machine and the Authentication-Type "Kerberos".

Here comes the problem:

There is a java-applet (which is a third party thing) in one of the webpages to allow the user to drag documents onto it and then it calls an aspx page to upload the document.

Checking the thread principal before doing the call to DCOM shows me the correct Windows-User on the client machine but the Authentication-Type "NTLM". The thread now tries to call DCOM using the "Anonymous" user (I see this in the eventlog of the server that hosts the DCOM object) and throws an exception when i call Activator.CreateInstance(type). Looks like the classic "Double-Hop-Issue".

Any ideas how to fix this or work around it?

ARR proxying to a site requiring Windows (NTLM) auth fails :(

DrSpook — Thu, 30 Jul 2009 16:20:34 GMT

I'm using ARR & URL_ReWrite to successfully proxy http://site/site2/* to http://site2/*, but only if site2 doesn't require windows authentication.

Where site2 requires windows auth, my valid login credentials don't work & I get barfed out with an access denied error.

This proxy will be used by both internal and external users, the latter coming in through ISA Server. We've done the proxying internally rather than on ISA so that we can have single URLs that work for both internal and external users (e.g. our intranet can link to http://intranet/app1 & all users will be sent transparently to http://app1/*).

Any info gratefully received.

Cheers :)

Authentication Fails when "Enable Integrated Windows Authentication" is checked in IE

maltesehamster — Thu, 25 Jun 2009 16:47:11 GMT

Hello,

I have two applications running on a Windows 2003 server. Each runs under a separate application pool, and each application pool runs under a separate domain account.

When users connect to the application, having "Enable Integrated Windows Authentication" turned on in Internet Explorer, they are not able to authenticate. However, if they turn the setting off, they are able to connect no problem.

IIS is configured with a NTAuthenticationProviders of NTLM.

Is there a way to allow users to authenticate regardless of whether they have the "Enable Integrated Windows Authentication" setting turned on or off in IE, yet still have the applications run under separate application pools with separate domain accounts?

Thanks,

Leigh

IIS7 + PHP5.2 + (Optional) NTLM?

rpanning — Mon, 11 May 2009 20:46:34 GMT

We have our Web server running IIS7 and PHP 5.2 on our internal ActiveDirectory domain. What I'd like to get setup is NTLM username to be passed to PHP, if there is one.

So that, if a user is logged into a workstation on our AD domain, their username is passed to IIS > PHP so that I know who is already logged in, for SSO. However, if they are not on the domain (eg. viewing from the outside, Web) that nothing is passed to IIS > PHP and there is no login prompt for the user. Is this possible? Thanks

401 error

LISpeedyG — Sun, 26 Apr 2009 20:40:53 GMT

Hi,

I have been trying to resolve the followign issue for a number of days and have, so far, been unsucessful. Ok, here is some very strange behavior. And, any help[ or direction would be very much appreciated.:

Background

I am currently running Server 2003 with IIS6 and SharePoint 2007
I use the SP front end server to both develop and deploy most of my InfoPath Admin deployed forms.
The forms that are deployed are currently being consumed thru an external facing website. This website is accessible by only authorized users that are authenticated thru Active Directory.
All has been working perfectly until recently.
I was able to develop these forms and deploy them from the InfoPath wizard to an external IP where they are eventually consumed.

Currently on the Front end Web Server:

I am no longer able to log into the external facing IP addresses to the SP sites. In trying to connect to these sites I receive an HTTP 401. The following is an excerpt from the IIS log with the error:

2009-04-24 17:58:32 W3SVC1994479640 192.168.1.165 GET /Sites/XXXXX/ - 3335 - external_ip Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+GTB5;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 2 2148074254

I can, however, log into the same site thru the internal domain. Unfortunately, I can no longer develop InfoPath forms that are consumable from an external facing IP without access to the external IP from the server.
Interestingly, I can still access the external IP from Firefox on the same server.
I can no longer deploy forms using the external web address and associated DB/SP list links. So, forms functionality becomes unusable from external web addresses.
Also, I can still access the external site from the backend SQL Server on the same domain as the Web Server. Note that this SQL server has 8 pending updates that have been applied to the WebServer, i.e. KB:

963027
923561
952004
956572
959426
960803
961373
890830

I have checked the FAQ's for all the pending updates but have not been able to find any relevant IIS issues with Server 2003.

Thanks,

Gus

IIS sending NTLM challenge to incorrect IP

scotthermes — Tue, 07 Apr 2009 21:27:58 GMT

Hi,

I have written .NET console application to push a file to a SharePoint server on Windows 2003 that is using windows integrated authentication (NTLM). It fails on the first try and then works for 20 minutes and then fails again (and so on).

I used Fiddler to look at the HTTP traffic on a failed request and I noticed that I was not getting a challenge response in the HTTP response. I worked with the SharePoint admin to view the IIS logs (it is running IIS 6.0) and we saw the following.

On a successful request, I can see my machine's IP (yyy.yyy.yyy.yyy) and my username

2009-04-01 20:15:02 xxx.xxx.xxx.xxx PUT /test/Shared+Documents/test2009-4-1-15-15-0.xls - 80 MyDomain\MyUserId yyy.yyy.yyy.yyy 200 0 615 487 203

On a failure, it does not show my Id and it shows a different IP.

2009-04-01 20:15:02 xxx.xxx.xxx.xxx PUT /test/Shared+Documents/test2009-4-1-15-15-0.xls - 80 - zzz.zzz.zzz.zzz 200 5 582 301 1843

I also noticed that on a failure, it takes significantly longer to do the DNS lookup (approx 300 ms v. 0 ms)

Interestingly enough, the request does not "fail" in the traditional sense (i.e. Unauthorized or Server not found error) but instead it just does not push the file and instead of a zero byte response it sends back the following:

Where someurl is what the URL would have been if my file was pushed. So, if I was trying to push file “test.txt” to “http://mysite/docs” then someurl would be “http://mysite/docs/text.txt”

We have a proxy at work and I have:

- disabled it in my IE settings

- disabled it in my .NET code

And the result is the same whether I disable or enable.

Any ideas? Any other debugging / troubleshooting tools I should be using to resolve?

Thanks!

Scott Hermes

COMException (0x80072020): An operations error occurred. HELP

grub425 — Thu, 05 Feb 2009 21:39:37 GMT

I have an application that is using LDAP only with Single Sign On running on a windows 2003 server, running iis 6.0My Domain Functional Level: Windows 2003 Server, Forest Functional level: Windows 2003My web.config authentication is set:
<authentication mode="Windows"/>
<identity impersonate="true"/> Users login, retrieve a document and are logged off. In a 2 hrs period 1250 users will login and out of the application and 10 users will fail. The same user will have access documents minutes before the failure and minutes after the failure. Error message:
Warning: GetUserDN('testuser') from 'LDAP://DC=domain,DC=com': System.Runtime.InteropServices.COMException (0x80072020): An operations error occurred. On the web server I will see the user authenticated with NTLM instead of Kerberos

Bad Entry:Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: TESTMACHINE
Logon GUID: -

Vs: Good Entry: Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {ad208202-d700-fcfc-5782-713441f31ef8} If I run and test webpage from the user workstation to retrieve the users credential It returns: You have connected from your browser to IIS using Kerberos authentication and verifies that the SPN is ok.Also the .ini file for the application open a login file which has modify rights for all users but when the login fails using a filemon trace I see an access denied error for the log. Kerberos settings in the domain are: Policy Setting
Enforce user logon restrictions Enabled
Maximum lifetime for service ticket 60 minutes
Maximum lifetime for user ticket 7 hours
Maximum lifetime for user ticket renewal 10 days
Maximum tolerance for computer clock synchronization 5 minutes Server and service accounts have delegation set to trust this computer for delegation to any service (kerberso only). Below I have included the code for the function. Any suggestions on what to try or set to resolve this?

Imports System.DirectoryServices '------------------------------------------------------------------------------------ ' Returns user distinguished and full names for given user account name. '------------------------------------------------------------------------------------ Private Function GetUserDN(ByRef name As String, ByRef outFullName As String) As String GetUserDN = String.Empty Dim logMsg As String Dim adsPath As String = adsPathPrefix & searchNC logMsg = String.Format("Searching '{0}' in '{1}'", name, adsPath) DbugLog(TypeName(Me), logMsg, gc_LogDebug4) Try Dim searchRoot As DirectoryEntry = New DirectoryEntry(adsPath) searchRoot.AuthenticationType = authType ' default is AuthenticationTypes.Secure searchRoot.Options.Referral = refChasingOption ' default is ReferralChasingOption.None Dim searcher As DirectorySearcher = New DirectorySearcher(searchRoot) //// THIS IS A .NET OBJECT, System.DirectoryServices.DirectorySearcher //// searcher.Filter = String.Format("(&(objectClass=user)(objectCategory=person)(sAMAccountName={0}))", name) searcher.PropertiesToLoad.Add("cn") searcher.PropertiesToLoad.Add("distinguishedName") searcher.SearchScope = SearchScope.Subtree Dim result As SearchResult = searcher.FindOne() ///// THIS CALL FAILS ///// If Not result Is Nothing Then outFullName = result.Properties("cn")(0) GetUserDN = result.Properties("distinguishedName")(0) logMsg = String.Format("Found '{0}': CN='{1}', DN='{2}'", name, outFullName, GetUserDN) Else logMsg = String.Format("'{0}' not found", name) End If DbugLog(TypeName(Me), logMsg, gc_LogDebug4) Catch ex As Exception logMsg = ex.ToString() logMsg = String.Format("GetUserDN('{0}') from '{1}': {2}", name, adsPath, logMsg.Remove(logMsg.IndexOf(vbCrLf & vbCrLf))) DbugLog(TypeName(Me), logMsg, gc_LogWarning) End Try End Function

The ”name” parameter is obtained from Windows as the name of the user the current thread is impersonating – the delegated end user. That’s how GetUserDN() is called:

. . .

If authName = "" And authPassword = "" Then ' Single Sign-On userName = System.Security.Principal.WindowsIdentity.GetCurrent.Name logMsg = String.Format("Will authenticate as '{0}' (no input credentials, using thread identity)", userName) userName = userName.Remove(0, userName.LastIndexOf("\"c) + 1) Else userName = authName logMsg = String.Format("Will authenticate as '{0}' (using input credentials)", IIf(authDomain = "", authName, authDomain & "\" & authName)) End If DbugLog(TypeName(Me), logMsg, gc_LogDebug4) ' Bind to rootDSE with authentication rootDSE = BindToObject("rootDSE") If rootDSE Is Nothing Then Exit Function ' ====> Could not bind or authentincate - logon failed. ///// THIS CALL SUCCEEDS SINCE WE ALWAYS ENTER GetUserDN() BELOW //// If searchNC = "" Then ' Find the default naming context. //// THIS IS THE SEARCHBASE, OPTIONALLY SET IN vssystem.ini: [LDAP] SEARCHBASE=your_base_DN //// searchNC = rootDSE.Properties("defaultNamingContext")(0) End If ' Find the user's distinguished and full names Dim fullName As String Dim userDN As String = GetUserDN(userName, fullName) If String.IsNullOrEmpty(userDN) Then Exit Function ' ====> User not found - logon failed.

. . .