
Kerberos UPN vs bare username with Web Application Proxy vs IE

13 replies

Last post Jul 31, 2018 09:50 AM by Chris Tobler

  • Kerberos UPN vs bare username with Web Application Proxy vs IE

    Feb 02, 2016 10:36 PM|Some Guy

    I'm having an issue with Kerberos authentication behaving differently for external Web Application Proxy users than for internal Internet Explorer users. I originally asked about this on the Windows Server forums, but it was suggested that I might find more relevant expertise here on the IIS forums.

    I have a third-party web application (non-claims-aware) that runs in IIS using Windows Authentication. The only authentication provider enabled in IIS is "Negotiate." IIS box is Server 2012 R2.

    Internal domain clients access the IIS box directly from Internet Explorer (automatic signin). External clients access it via Web Application Proxy with Kerberos delegation (after signing in to ADFS).

    In both cases, users get authenticated properly. But the application ends up seeing a different username depending on which method the user came in on.

    For internal users, the application sees the username as being just the bare username with no prefix or suffix (e.g. "someguy"). For external users, the application sees the username as being the full UPN (e.g. "someguy@example.com"). Unfortunately, this results in the application's internal logic treating each scenario as a separate user. The third-party developer does not want to change their application. They insist that they just take whatever username string IIS provides them.

    How can I configure WAP and/or IE and/or IIS so that the application receives the username in the same format for both WAP users and internal IE users?


  • Re: Kerberos UPN vs bare username with Web Application Proxy vs IE

    Feb 05, 2016 04:16 AM|Jean Sun

    Hi,

    What kind of username (someguy or someguy@example.com) does the application see for internal users when you use other browsers (Chrome, Firefox)?

    Perhaps this is related to the settings in IE. Please try navigating to IE -> Internet Options -> Security Settings -> Local Intranet Zone -> User Authentication -> Logon, and set it to "Prompt for username and password".

    Best Regards,

    Jean

    MSDN Community Support

  • Re: Kerberos UPN vs bare username with Web Application Proxy vs IE

    Feb 05, 2016 01:11 PM|Some Guy

    Jean Sun

    What kind of username (someguy or someguy@example.com) does the application see for internal users when you use other browsers (Chrome, Firefox)?

    For internal Chrome, the application sees me as someguy (bare username). I can't seem to get my Firefox to do Kerberos, so I wasn't able to test with internal Firefox.

    Jean Sun

    Perhaps this is related to the settings in IE. Please try navigating to IE -> Internet Options -> Security Settings -> Local Intranet Zone -> User Authentication -> Logon, and set it to "Prompt for username and password".

    With this configuration, I get the manual login prompt, but the application sees me as someguy (bare username) regardless of what I type into the login prompt. I logged in by typing someguy, someguy@example.com, and DOMAIN\someguy -- in all cases the application sees me as someguy. This was with 32-bit IE 11 on 64-bit Windows 7 Ent.

    It seems Web Application Proxy is the only scenario where the application ends up seeing the full UPN.

  • Re: Kerberos UPN vs bare username with Web Application Proxy vs IE

    Feb 06, 2016 10:38 PM|Ken Schaefer

    If the application is relying on Windows authentication, then there's not really much you can configure on the client - Kerberos will always have the username as DOMAIN\User or user@UPN-suffix in the TGT or AS ticket - there's no other valid way to specify the username (local accounts aren't valid for Kerberos, and a simple username also isn't valid). NTLM also requires the security authority (local server vs. domain) to be specified.

    First I'd look at what package is being used to authenticate the user (Kerberos vs NTLM) - you can enable logon auditing on your IIS server to find out: http://www.adopenstatic.com/cs/blogs/ken/archive/2006/08/02/Two-easy-_2800_easier_3F002900_-ways-to-determine-Kerberos-from-NTLM-in-a-HTTP-capture.aspx

  • Re: Kerberos UPN vs bare username with Web Application Proxy vs IE

    Mar 08, 2016 09:48 PM|Some Guy

    I have viewed the Security event log on the IIS box, and it is Kerberos in both scenarios. Viewing the Security event log makes it obvious that the "Account Name" is clearly being presented differently when using Web Application Proxy compared to when using IE internally.

    When using IE internally, the Account Name is just the bare username:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          3/8/2016 1:35:10 PM
    Event ID:      4624
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      iisbox01.example.com
    Description:
    An account was successfully logged on.
    
    Subject:
    	Security ID:		NULL SID
    	Account Name:		-
    	Account Domain:		-
    	Logon ID:		0x0
    
    Logon Type:			3
    
    Impersonation Level:		Impersonation
    
    New Logon:
    	Security ID:		EXAMPLE\someguy
    	Account Name:		someguy
    	Account Domain:		EXAMPLE
    	Logon ID:		0x48D9F2C5
    	Logon GUID:		{a222109f-3cf0-4799-b8a1-0310cbfaaa1a}
    
    Process Information:
    	Process ID:		0x0
    	Process Name:		-
    
    Network Information:
    	Workstation Name:	
    	Source Network Address:	-
    	Source Port:		-
    
    Detailed Authentication Information:
    	Logon Process:		Kerberos
    	Authentication Package:	Kerberos
    	Transited Services:	-
    	Package Name (NTLM only):	-
    	Key Length:		0
    

    When coming in via Web Application Proxy, the Account Name is the full UPN:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          3/8/2016 1:32:29 PM
    Event ID:      4624
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      iisbox01.example.com
    Description:
    An account was successfully logged on.
    
    Subject:
    	Security ID:		NULL SID
    	Account Name:		-
    	Account Domain:		-
    	Logon ID:		0x0
    
    Logon Type:			3
    
    Impersonation Level:		Impersonation
    
    New Logon:
    	Security ID:		EXAMPLE\someguy
    	Account Name:		someguy@example.com
    	Account Domain:		EXAMPLE
    	Logon ID:		0x48D85033
    	Logon GUID:		{8f01ed47-feb0-8ba1-854b-33e870a4a6ef}
    
    Process Information:
    	Process ID:		0x0
    	Process Name:		-
    
    Network Information:
    	Workstation Name:	
    	Source Network Address:	-
    	Source Port:		-
    
    Detailed Authentication Information:
    	Logon Process:		Kerberos
    	Authentication Package:	Kerberos
    	Transited Services:	
    		wapbox02$@EXAMPLE.COM
    	Package Name (NTLM only):	-
    	Key Length:		0

    How can I configure Web Application Proxy to not do that? It is stupid.
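The two events above differ only in Account Name and Transited Services; the Security ID line is the same in both. As an added example (not code from the thread), the Python below parses this pasted 4624 layout into sections and reduces each logon to its stable identity plus the two differing signals, so a comparison or normalisation layer keys on the account rather than on the name string. The two sample events are constructed, abridged from the excerpts above.

```python
# Constructed samples, abridged from the two IIS-side 4624 events quoted in the thread.
DIRECT_EVENT = """\
New Logon:
\tSecurity ID:\t\tEXAMPLE\\someguy
\tAccount Name:\t\tsomeguy
Detailed Authentication Information:
\tAuthentication Package:\tKerberos
\tTransited Services:\t-
"""
WAP_EVENT = """\
New Logon:
\tSecurity ID:\t\tEXAMPLE\\someguy
\tAccount Name:\t\tsomeguy@example.com
Detailed Authentication Information:
\tAuthentication Package:\tKerberos
\tTransited Services:\t
\t\twapbox02$@EXAMPLE.COM
"""

def parse_4624(text):
    """Turn the 'Section:' / '<tab>Key:<tab>Value' layout into {section: {key: value}}."""
    sections, current, last_key = {"": {}}, "", None
    for raw in text.splitlines():
        if raw.startswith("\t\t") and last_key is not None:
            # Continuation line, e.g. the account listed under "Transited Services:".
            sections[current][last_key] = (sections[current][last_key] + " " + raw.strip()).strip()
        elif raw.startswith("\t"):
            key, _, value = raw.strip().partition(":")
            last_key = key.strip()
            sections[current][last_key] = value.strip()
        elif raw.rstrip().endswith(":"):
            current, last_key = raw.strip()[:-1], None
            sections[current] = {}
        elif ":" in raw:  # top-level lines such as "Logon Type:<tabs>3"
            key, _, value = raw.partition(":")
            sections[""][key.strip()] = value.strip()
    return sections

def classify_logon(text):
    ev = parse_4624(text)
    new, auth = ev["New Logon"], ev["Detailed Authentication Information"]
    transited = auth.get("Transited Services", "-")
    return {
        # Security ID (resolved here to DOMAIN\sAM) is identical on both paths, unlike Account
        # Name; do not derive sAM by splitting the UPN at "@", the prefix need not match.
        "identity": new["Security ID"],
        "upn_form": "@" in new["Account Name"],
        "delegated_via": "" if transited in ("", "-") else transited,
    }
```

A non-empty `delegated_via` is also a cheap audit signal: it names the account (here the WAP computer account) that obtained the ticket on the user's behalf.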

  • Re: Kerberos UPN vs bare username with Web Application Proxy vs IE

    Mar 10, 2016 01:15 AM|Ken Schaefer

    Some Guy

    How can I configure Web Application Proxy to not do that? It is stupid

    You may need to look into the doco of your web app proxy - if, because of ADFS, it's receiving the username in UPN format, then it may have no ability to transform the username into a pre-Windows 2000 (NT style) username.

    Can you check what format the username is being supplied to the WAP?

  • Re: Kerberos UPN vs bare username with Web Application Proxy vs IE

    Mar 10, 2016 09:29 PM|Some Guy

    Ken Schaefer

    Can you check what format the username is being supplied to the WAP?

    Below is the Security event log from the Web Application Proxy server. It seems to see the Account Name presented as just the bare username. (This behaviour stays the same regardless of what format I actually type in on the ADFS login page.) Yet the Account Name presented to the IIS box is the full UPN, as shown in the previous post.

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          2016-03-10 11:38:15 AM
    Event ID:      4624
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      wapbox02.example.com
    Description:
    An account was successfully logged on.
    
    Subject:
    	Security ID:		NETWORK SERVICE
    	Account Name:		WAPBOX02$
    	Account Domain:		EXAMPLE
    	Logon ID:		0x3E4
    
    Logon Type:			3
    
    Impersonation Level:		Identification
    
    New Logon:
    	Security ID:		EXAMPLE\someguy
    	Account Name:		someguy
    	Account Domain:		EXAMPLE
    	Logon ID:		0x8DDABAD
    	Logon GUID:		{f43a846c-15c1-1b62-11ed-7179b9bbd241}
    
    Process Information:
    	Process ID:		0xbe0
    	Process Name:		C:\Windows\ADFS\AppProxy.exe
    
    Network Information:
    	Workstation Name:	WAPBOX02
    	Source Network Address:	-
    	Source Port:		-
    
    Detailed Authentication Information:
    	Logon Process:		
    	Authentication Package:	Kerberos
    	Transited Services:	-
    	Package Name (NTLM only):	-
    	Key Length:		0

  • Re: Kerberos UPN vs bare username with Web Application Proxy vs IE

    Mar 10, 2016 11:25 PM|Ken Schaefer

    Some Guy

    Yet the Account Name presented to the IIS box is the full UPN as shown in previous post.

    Is the WAP connecting to the IIS server on the user's behalf? Or, after authenticating the user, allowing a direct connection between user device and IIS server?

    If the former, then I suspect it needs to use Kerberos delegation in order to impersonate the user to the IIS server. Can you get a packet capture, and see what user account it's requesting a ticket on behalf of?

  • Re: Kerberos UPN vs bare username with Web Application Proxy vs IE

    Mar 11, 2016 12:07 AM|Some Guy

    Yes, WAP connects to IIS using Kerberos delegation, as mentioned at top of thread.

    Unfortunately I cannot get packet captures of the Kerberos traffic because that traffic falls under our Windows Firewall policies for IPsec. So all I see is encapsulated IPsec traffic. Is there another method I could use for determining the ticket request?

  • Re: Kerberos UPN vs bare username with Web Application Proxy vs IE

    Mar 11, 2016 12:39 AM|Ken Schaefer

    Some Guy

    Unfortunately I cannot get packet captures of the Kerberos traffic because that traffic falls under our Windows Firewall policies for IPsec. So all I see is encapsulated IPsec traffic. Is there another method I could use for determining the ticket request?

    I'm not really sure if there are other ways - you probably need to talk to your WAP vendor.

    Alternatively, do you have a dev/test environment that you could disable the IPSec policy in for testing? Or raise an incident against your production system to allow troubleshooting to take place?

  • Re: Kerberos UPN vs bare username with Web Application Proxy vs IE

    Mar 11, 2016 12:49 AM|Some Guy

    Web Application Proxy is a feature of Server 2012 R2. It does not have a "vendor" AFAIK.

    Excluding the Kerberos traffic from IPsec policies for testing is definitely doable. I will pursue that but it will take some time before I can do it.

  • Re: Kerberos UPN vs bare username with Web Application Proxy vs IE

    Mar 11, 2016 03:47 AM|Ken Schaefer

    Apologies - I wasn't aware that you were using the inbuilt Windows function - I was interpreting Web Application Proxy to be a generic term to describe 3rd party reverse proxies (like WebSeal etc.) that are used to protect web applications.

  • Re: Kerberos UPN vs bare username with Web Application Proxy vs IE

    Jul 16, 2018 07:37 PM|PsyChE

    Hi,

    I'm facing the exact same issue. Did you manage to solve it?

    Thanks in advance

  • Re: Kerberos UPN vs bare username with Web Application Proxy vs IE

    Jul 31, 2018 09:50 AM|Chris Tobler

    I have the exact same issue, but with Azure AD App Proxy. When accessing the application from inside, in the TGS-REP Kerberos ticket I see the cname string with my sAMAccountName. When the Azure AD App Proxy gets the Kerberos ticket, in the TGS-REP I see my UPN as the cname string. The issue is that the application expects to get my sAMAccountName as the cname string. How can I change this behavior?