Search results matching tag 'iis authentication'

IIS Session Timeout problem

Usman Sadjid — Tue, 15 Sep 2009 10:36:52 GMT

Hi,

I am having problems trying to work out if it is possible to share iis session timouts accross web applications in the following scenario: -

In my environment there are 2 IIS Web Servers on the same network domain.

One of the servers will host a .NET web application. The other will host a COTS document management system (OpenText Livelink Enterprise Server) which is not a .NET web application. Both web applications will be using windows authentication.

The COTS system will access the .NET web application such that when a User logs on to the COTS system, the .NET web application is accessed either via a web service or through a .NET aspx webpage. The problem we have is that our client has a requirement in order to maintain iis timeouts accross both applications such that the same timeout period will effectively timeout a user from both the COTS system and the .NET web application at the same time. By timeout, I mean require the user to re-authenticate.

My first question is, is it possible to pass an authentication token through from the COTS web application to the .NET web application in this scenario. Secondly and more importantly, is it possible to handle iis session timeouts as described above? If so, could you please direct me to any articles that may be of use, as I can't seem to find anything.

Any help would be greatly appreciated.

Thanks in advance.

Virtual Directory Issue

bosepehr@hotmail.com — Tue, 14 Jul 2009 02:29:09 GMT

Hi everyone,

I'm new to this forum and look forward to learning more about IIS and it's members.

I have a IIS 7 security problem ( at least I think it is a security issue) that have been trying to solve and create a virtual directory, yet unsuccessful!! I'm hoping to find the solution with your help.

I followed all the procedures from http://msdn.microsoft.com/en-us/library/bb763173.aspx and added the permissions to the folder including NETWORK_SERVICE, IIS_IUSRS, IUSR, enabled Directory Browsing, Anonymous Authentication, ASP.NET Impersonation and still get the following error:

3007

A compilation error has occurred.

7/13/2009 5:28:27 PM

7/14/2009 12:28:27 AM

7bd08615fd6a4fe0ad7caf24c1a9cc02

/LM/W3SVC/1/ROOT/DotNetNuke-4-128920049056070000

Full

/DotNetNuke

C:\DotNetNuke\

My-PC

5936

w3wp.exe

NT AUTHORITY\NETWORK SERVICE

HttpCompileException

vbc : (0): error BC30138: Unable to create temp file in path 'C:\Windows\TEMP\': Access is denied.

http://localhost/DotNetNuke/default.aspx

/DotNetNuke/default.aspx

::1

False

NT AUTHORITY\NETWORK SERVICE

False

at System.Web.Compilation.AssemblyBuilder.Compile() at System.Web.Compilation.BuildProvidersCompiler.PerformBuild() at System.Web.Compilation.CodeDirectoryCompiler.GetCodeDirectoryAssembly(VirtualPath virtualDir, CodeDirectoryType dirType, String assemblyName, StringSet excludedSubdirectories, Boolean isDirectoryAllowed) at System.Web.Compilation.BuildManager.CompileCodeDirectory(VirtualPath virtualDir, CodeDirectoryType dirType, String assemblyName, StringSet excludedSubdirectories) at System.Web.Compilation.BuildManager.CompileCodeDirectories() at System.Web.Compilation.BuildManager.EnsureTopLevelFilesCompiled() at System.Web.Hosting.HostingEnvironment.Initialize(ApplicationManager appManager, IApplicationHost appHost, IConfigMapPathFactory configMapPathFactory, HostingEnvironmentParameters hostingParameters)

I really appreciate your help and look forward to reply.

Problems with Kerberos/NTLM persistence

jongrg — Sun, 21 Jun 2009 20:36:42 GMT

I am working on a project trying to improve performance for a web based system running on IIS 6.0 and Win Server 2003. All users are using IE 6

The System consists of different parts. Both classic ASP and ASP.NET. The load on the server is not very heavy and it is a single server (no web farm) environment.
System is utilized by users from different locations all over the world. (e.g. R.S.A.. Japan, Chile…)
Users on remote locations are suffering from latency and in some cases also poor bandwidth. System uses Integrated Windows Authentication with users on a Global Active Directory. By inspecting HTTP traffic and from observing log files we have seen that Kerberos has not been properly configured. User has been forced to re authenticate for each file requested (N.B. Not just every page requested but every file e.g. JS-files, gifs, css-files etc.) This problem we have been able to find a solution for. Setting the EnableKerbAuthPersist entry took care of that problem.

Not all users however authenticates with Kerberos. Users from some locations authenticates with NTLM. I know that there are limitations with Kerberos causing some users to utilize NTLM instead of Kerberos. For example some users may connect to the system behind a proxy or they may belong to a non trusted domain.

For NTML it seems as authentication persistence has been enabled all the time.

Still we have problems with, NTLM users, as well as Kerberos users having to reauthenticate after a sequence of successful requests.

The reauthentication of request does not show a common pattern. We have not been able to find that it occurs after a certain time or after a certain number of bytes downloaded. It seems that reauthentication is always (we think) enforced for the same files for the same user. Other users however are being forced to re authenticate on different files.

We have also noticed that for users authenticating with NTML it seems that persistence does not always work very well at all. At first it looks as persistence is not enabled on the IIS, because the user is being forced to reauthenticate for every request. When the user suddenly is redirected by the application from the part running classic ASP to another part running ASP.NET then suddenly authentication persistency works as expected. I know that the user is not supposed to have to re authenticate as long as the subsequent requests are being done on the same TCP session.

It seems that in our case the TCP session is for some reason being closed. I know that if the user is behind a proxy and the proxy is configured to use session pooling this could cause this behaviour. However I do not think that this is the problem in this case. The reason I find proxy session pooling unlikely to be the cause of the problems is that for the same user (always behind the same proxy) sometimes the persistence works well. If proxy session pooling would be the cause than the user would have to reauthnticate every request and that is not the case.

My questions are:When using IWA is this behaviour the best I could expect?
What are the most likely causes of the TCP sessions being closed?
Is there an IIS configuration that we could do to prevent this?
If not known, what is the best way of finding the causes for this behaviour?

Any help or suggestions would be greatly appreciated.TIA
/Johan

password protect directory

bshedenhelm — Thu, 30 Apr 2009 16:00:15 GMT

I am trying to password protect a directory using IIS-6. I have unchecked anonymous access for the site and I have added my domain group that i want to have access to the root directory of the site. Here is the problem. IIS prompts me to log in if i use the fully qualified name but not if i use just the site name. example: in IE type intranet will go to site using anonymous login but type intranet.example.com and get prompted to login. This only happens with internet explorer, if i try it with firefox or chrome it will prompt me everytime to login.

Im pretty new to IIS, any ideas?

Access this computer from network and IUSR_machine

Michael089 — Tue, 28 Apr 2009 09:29:08 GMT

Hello,

can anyone explain to me why IUSR_machine needs the "Access this computer from network" account right?

As far as I understand IIS's impersonation, the app pool identity (network service or whatever) impersonates this user to access local ressource (e.g. html file) during anonymous http requests.

Furthermore, MS says about "Access this computer from network":

<quote>The ability to interact with remote Windows computers requires the Access this computer from network user right. Examples of such network operations include the replication of Active Directory between domain controllers in a common domain or forest, authentication requests to domain controllers from users and from computers, and access to shared folders, to printers, and to other system services that are located on remote computers on the network.</quote> - see KB823659

Another article on WindowsITPro even states (however, I don't know how reliable this source is):

<quote>However the Access this computer from the network user right has no effect on services such as World Wide Web Publishing, Telnet, and Terminal Services.</quote>

However, I tested removing the user/account right from IUSR_machine by explicitly setting the Deny access this computer from the network option. From that moment on I was not able to access my IIS site and got Logon failures (ID 534) in the event logs, which state that IIS_machine is missing the requested logon type.

Anyone knows why this user right is needed or what to change so that it is no longer needed?

System.Security.SecurityException: Request for the permission of type System.Security.Permissions.StrongNameIdentityPermission

londons_lion007 — Mon, 27 Apr 2009 12:02:47 GMT

Londons_lion007Thursday, April 23, 2009 9:32:35 AM

0 votes

Hi
I have windows 2003 server with sp2 installed and using IIS 6.0 with .net framework 1.1.4322. When i try to view web page through iis i get following err. Can someone suggest me solution. I have gi ven full trust to all level Enterprise, machine and user level then also getting following error msg.

Thanks In advance

Londons_lion007
Security Exception

Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: Request for the permission of type System.Security.Permissions.StrongNameIdentityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[SecurityException: Request for the permission of type System.Security.Permissions.StrongNameIdentityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.]

   System.Xml.XmlTextReader..ctor(String url, XmlNameTable nt) +0

   System.Xml.XmlTextReader..ctor(String url) +65

   System.Web.Configuration.XmlUtil.OpenXmlTextReader() +129

   System.Web.Configuration.HttpConfigurationRecord..ctor(String filename, HttpConfigurationRecord parent, Boolean inheritable, String path, String mappedPhysicalPath) +823

Version Information: Microsoft .NET Framework Version:1.1.4322.2407; ASP.NET Version:1.1.4322.2407

Intergrated Windows Authentication fails if too many groups in AD account

RayJG — Wed, 25 Mar 2009 21:33:39 GMT

Hello all,

I've had this setup working for 2+ years now where IIS and Tomcat are on the same server and configured to eliminate the need for the user to have to log into the application.

We area running, Windows 2003 Server, IIS 6.0 and
Tomcat 5.5.17 (integrated into IIS via the isapi_redirect2.dll)

Last week some users reported that they were getting prompted for credientials, and if they entered their id and pw, they still could not get in.

I am finding these errors in the IIS log

2009-03-25 20:03:26 W3SVC998577302 10.71.2.41 GET /jakarta/isapi_redirector2.dll - 80 ***domain/user Id Ip address commented out*** 1Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 500 0 0

2009-03-25 20:03:26 W3SVC998577302 ******* GET /jakarta/isapi_redirector2.dll - 80 - ********** Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 401 1 0

We discovered that the affected accounts recently had a lot of AD groups added to their account, and that if that account is a member of more than 76 groups, the login process fails as described above.

If we remove a group (any group, or combinations of ) so that the quantity they are a member of is less that 76, the login process works fine.

IIS 7 on vista home premium

jstallard — Thu, 12 Mar 2009 08:06:22 GMT

I am playing around with IIS 7 on vista home premium to setup a website.

I created a test.html page and placed it into the wwwroot directory. I can access it by navigating to localhost. However when accessing from a public network I keep getting the username and password logon window.

I have configured anonymous authentication is enabled with the ISS-IUSR account for anonymous access. with all other authentication disabled.

This did not work, so I Created a local account with a password for the anonymous authentication, with the same results.

Any suggestions on how to configure anonymous access to a web page would be helpful.

Allow local user on SSO forms–based authentication

c21Vince — Wed, 11 Feb 2009 11:27:19 GMT

Hi all,

I'm using IIS5.1 and am setting a forms–based authentication for a multi site platform. For now, I can make it work but still cannot manage to allow a local user to be allowed.

Eventhoug I config the web.config file this way by example:

The local user will just have a blank page without any redirection or direct access.

I could not find any proof what I want to do is doable but I should, shouldn't it?

What am I missing ?

Thanks a lot for any help.

Vince

COMException (0x80072020): An operations error occurred. HELP

grub425 — Thu, 05 Feb 2009 21:39:37 GMT

I have an application that is using LDAP only with Single Sign On running on a windows 2003 server, running iis 6.0My Domain Functional Level: Windows 2003 Server, Forest Functional level: Windows 2003My web.config authentication is set:
<authentication mode="Windows"/>
<identity impersonate="true"/> Users login, retrieve a document and are logged off. In a 2 hrs period 1250 users will login and out of the application and 10 users will fail. The same user will have access documents minutes before the failure and minutes after the failure. Error message:
Warning: GetUserDN('testuser') from 'LDAP://DC=domain,DC=com': System.Runtime.InteropServices.COMException (0x80072020): An operations error occurred. On the web server I will see the user authenticated with NTLM instead of Kerberos

Bad Entry:Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: TESTMACHINE
Logon GUID: -

Vs: Good Entry: Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {ad208202-d700-fcfc-5782-713441f31ef8} If I run and test webpage from the user workstation to retrieve the users credential It returns: You have connected from your browser to IIS using Kerberos authentication and verifies that the SPN is ok.Also the .ini file for the application open a login file which has modify rights for all users but when the login fails using a filemon trace I see an access denied error for the log. Kerberos settings in the domain are: Policy Setting
Enforce user logon restrictions Enabled
Maximum lifetime for service ticket 60 minutes
Maximum lifetime for user ticket 7 hours
Maximum lifetime for user ticket renewal 10 days
Maximum tolerance for computer clock synchronization 5 minutes Server and service accounts have delegation set to trust this computer for delegation to any service (kerberso only). Below I have included the code for the function. Any suggestions on what to try or set to resolve this?

Imports System.DirectoryServices '------------------------------------------------------------------------------------ ' Returns user distinguished and full names for given user account name. '------------------------------------------------------------------------------------ Private Function GetUserDN(ByRef name As String, ByRef outFullName As String) As String GetUserDN = String.Empty Dim logMsg As String Dim adsPath As String = adsPathPrefix & searchNC logMsg = String.Format("Searching '{0}' in '{1}'", name, adsPath) DbugLog(TypeName(Me), logMsg, gc_LogDebug4) Try Dim searchRoot As DirectoryEntry = New DirectoryEntry(adsPath) searchRoot.AuthenticationType = authType ' default is AuthenticationTypes.Secure searchRoot.Options.Referral = refChasingOption ' default is ReferralChasingOption.None Dim searcher As DirectorySearcher = New DirectorySearcher(searchRoot) //// THIS IS A .NET OBJECT, System.DirectoryServices.DirectorySearcher //// searcher.Filter = String.Format("(&(objectClass=user)(objectCategory=person)(sAMAccountName={0}))", name) searcher.PropertiesToLoad.Add("cn") searcher.PropertiesToLoad.Add("distinguishedName") searcher.SearchScope = SearchScope.Subtree Dim result As SearchResult = searcher.FindOne() ///// THIS CALL FAILS ///// If Not result Is Nothing Then outFullName = result.Properties("cn")(0) GetUserDN = result.Properties("distinguishedName")(0) logMsg = String.Format("Found '{0}': CN='{1}', DN='{2}'", name, outFullName, GetUserDN) Else logMsg = String.Format("'{0}' not found", name) End If DbugLog(TypeName(Me), logMsg, gc_LogDebug4) Catch ex As Exception logMsg = ex.ToString() logMsg = String.Format("GetUserDN('{0}') from '{1}': {2}", name, adsPath, logMsg.Remove(logMsg.IndexOf(vbCrLf & vbCrLf))) DbugLog(TypeName(Me), logMsg, gc_LogWarning) End Try End Function

The ”name” parameter is obtained from Windows as the name of the user the current thread is impersonating – the delegated end user. That’s how GetUserDN() is called:

. . .

If authName = "" And authPassword = "" Then ' Single Sign-On userName = System.Security.Principal.WindowsIdentity.GetCurrent.Name logMsg = String.Format("Will authenticate as '{0}' (no input credentials, using thread identity)", userName) userName = userName.Remove(0, userName.LastIndexOf("\"c) + 1) Else userName = authName logMsg = String.Format("Will authenticate as '{0}' (using input credentials)", IIf(authDomain = "", authName, authDomain & "\" & authName)) End If DbugLog(TypeName(Me), logMsg, gc_LogDebug4) ' Bind to rootDSE with authentication rootDSE = BindToObject("rootDSE") If rootDSE Is Nothing Then Exit Function ' ====> Could not bind or authentincate - logon failed. ///// THIS CALL SUCCEEDS SINCE WE ALWAYS ENTER GetUserDN() BELOW //// If searchNC = "" Then ' Find the default naming context. //// THIS IS THE SEARCHBASE, OPTIONALLY SET IN vssystem.ini: [LDAP] SEARCHBASE=your_base_DN //// searchNC = rootDSE.Properties("defaultNamingContext")(0) End If ' Find the user's distinguished and full names Dim fullName As String Dim userDN As String = GetUserDN(userName, fullName) If String.IsNullOrEmpty(userDN) Then Exit Function ' ====> User not found - logon failed.

. . .