IIS Server - NLB - Kerberos Authentication


Author NLB - Kerberos Authentication
Kyle

2005-06-07, 5:58 pm

I already posted this on the WIN2K3 forum.

I am trying to load balance my intranet site. Right now I have it configured
for 2 servers. The NLB setup went fine. I tested it with a simple HTML
page and everything works fine. I try to get my intranet site up and running
and I can't get it to work. We use Kerberos authentication. I have done all
the required things such as setting the SPNs and delegating for authority,
and yet still page can not be displayed. I have 1 server by itself running
the intranet site, with Kerberos enabled and everything works fine. I
downloaded Microsoft's Authentication Tool and it gives me several errors,
such as:

AppPool not started
Wrong credentials for AppPoolIdentity

Well, I know the AppPool is started. As far as the credentials, I have my
perms mirroring my production server.

Any suggestions would be helpful.

Thanks,

Kyle


Ken Schaefer

2005-06-08, 7:48 am

"try to get my intranet site up and running and I can't get it to work"

Please elaborate on what you mean by "can't get it to work". What isn't
working, and what are the symptoms you see?

Cheers
Ken

--
IIS Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com

Kyle

2005-06-08, 7:48 am

I keep getting "Page Cannot Be Displayed". I have checked all my
permissions, etc. Everything seems to be in order.

Ken Schaefer

2005-06-08, 7:48 am

Hi,

Look further down the error page that you are seeing. Do you see an HTTP
status code (e.g. 404 File Not Found), or do you see "Can not find server or
DNS error"? The former indicates that the request has reached IIS and IIS is
returning a status code. The latter indicates that the request never
reached IIS (or IIS is not responding for some reason).

Cheers
Ken



Kyle

2005-06-08, 7:48 am

It has: Cannot find server or DNS Error

I have an ALIAS setup and an A record. It seems like it's still trying to
authenticate somehow.

Ken Schaefer

2005-06-08, 5:58 pm

Hi,

I doubt there is authentication attempting to happen. If so, you would see
the initial request logged in the IIS log (with 401 status). I suspect that
the client is not getting to the server at all -or- the server is not
responding to the request.

If you use a tool like WFetch (from the IIS Resource Kit) [1], you can see
whether IIS is sending back anything at all. If there's an authentication
attempt you will see IIS coming back with a 401 and WWW-Authenticate:
headers indicating what auth mechanisms are supported.

Cheers
Ken

[1]
http://www.microsoft.com/downloads/...&DisplayLang=en



Kyle

2005-06-08, 5:58 pm

I used wfetch and came up with the following:

Using Kerberos Auth. (This is what we use)

0x80090303 (The specified target is unknown or unreachable): Unable to
InitializeSecurityContext

Using anon auth.

RESPONSE: **************\n
HTTP/1.1 302 Object moved\r\n
Connection: close\r\n
Date: Wed, 08 Jun 2005 14:45:50 GMT\r\n
Server: Microsoft-IIS/6.0\r\n
X-Powered-By: ASP.NET\r\n
WWWConnect::Close("test","80")\n
closed source port: 2882\r\n
finished.

So it looks to be a Kerberos issue.

Ken Schaefer

2005-06-08, 8:48 pm

Hi,

Unable to initialize security context, in this case, probably means that
your client computer is unable to contact a KDC to obtain a Ticket granting
ticket or service ticket for the service in question.

However, that's not what I'm asking you to do. What I want you to do is make
an anonymous request to the server. Because that's the way a browser works.
First it makes an anonymous request, and then the server should reply with:
401 Access Denied
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

The WWW-Authenticate: Negotiate means that the server supports Kerberos as an
authentication protocol, and the client should make a new request using one of
the supported authentication mechanisms (if it doesn't support Kerberos, it can
use the next one on the list, namely NTLM, if it supports NTLM).

Now, when you make an anonymous request - what do you see? IIS is actually
sending back a 302 - Object Moved status, not a 401 (Access Denied).
However, the response does not appear to be valid, because there is no
Location: header which indicates where the content has moved to. I think
something else is up with your configuration rather than just Kerberos
configuration.

Cheers
Ken

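The check Ken describes in the post above (look at what comes back for an anonymous request before blaming Kerberos), as an added example that is not part of the original thread. The function names, verdict strings and the 401 sample are constructed for illustration; the 302 sample is the WFetch output Kyle posted.

```python
import re

# Header line "Name: value". The (?!:) rejects WFetch trace lines such as
# WWWConnect::Close("test","80"), which are tool output, not response headers.
HEADER_RE = re.compile(r"^([A-Za-z0-9-]+):(?!:)[ \t]*(.*)$")
STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})\b")
REDIRECTS = {301, 302, 303, 307, 308}

# The anonymous-request output posted in the thread. WFetch prints line
# endings as literal "\r\n" text, hence the raw string.
WFETCH_302 = r"""RESPONSE: **************\n
HTTP/1.1 302 Object moved\r\n
Connection: close\r\n
Date: Wed, 08 Jun 2005 14:45:50 GMT\r\n
Server: Microsoft-IIS/6.0\r\n
X-Powered-By: ASP.NET\r\n
WWWConnect::Close("test","80")\n
closed source port: 2882\r\n
finished."""

# Constructed sample of the challenge the server is expected to send.
SAMPLE_401 = """HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Content-Length: 0
"""

EXPLAIN = {
    "no-response": "Request never reached IIS, or IIS is not responding.",
    "challenge-negotiate": "IIS demands authentication and offers Negotiate.",
    "challenge-no-negotiate": "IIS demands authentication without Negotiate.",
    "challenge-without-schemes": "401 with no WWW-Authenticate header.",
    "redirect": "IIS is redirecting, not demanding authentication.",
    "redirect-without-location":
        "IIS is redirecting, not demanding authentication, and the "
        "response has no Location header.",
}


def parse_response(raw):
    """Return (status, headers) from captured response text, or (None, {})."""
    status, headers = None, {}
    for line in (raw or "").splitlines():
        # Drop the literal "\r\n" / "\n" markers WFetch appends to each line.
        line = re.sub(r"(\\r)?\\n$", "", line.strip())
        if status is None:
            m = STATUS_RE.match(line)
            if m:
                status = int(m.group(1))
            continue  # ignore everything before the status line
        if line == "":
            break  # blank line ends the header block
        m = HEADER_RE.match(line)
        if m:
            headers.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return status, headers


def classify(raw):
    """Return (verdict, offered_schemes) for the reply to an anonymous request."""
    status, headers = parse_response(raw)
    if status is None:
        return ("no-response", [])
    if status == 401:
        # Each WWW-Authenticate value starts with the scheme name.
        schemes = [v.split()[0]
                   for v in headers.get("www-authenticate", []) if v.split()]
        if not schemes:
            return ("challenge-without-schemes", [])
        offered = {s.lower() for s in schemes}
        if "negotiate" in offered:
            return ("challenge-negotiate", schemes)
        return ("challenge-no-negotiate", schemes)
    if status in REDIRECTS:
        has_location = any(headers.get("location", []))
        return ("redirect" if has_location else "redirect-without-location", [])
    return ("other-%d" % status, [])


if __name__ == "__main__":
    for name, raw in (("posted WFetch output", WFETCH_302),
                      ("constructed 401", SAMPLE_401),
                      ("nothing received", "")):
        verdict, schemes = classify(raw)
        print("%-22s %-26s %s %s" % (name, verdict, schemes,
                                     EXPLAIN.get(verdict, "")))
```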


Kyle

2005-06-09, 5:58 pm

This is all very perplexing. When I use wfetch, and set to anon access, I
don't get that error. I set it to Negotiate, Kerberos. I am using a host
header. I checked the log files of my production server, and the log files
of the NLB servers, and compared the two. It is not passing the
username\password credentials into the NLB environment.

Ken Schaefer

2005-06-14, 2:49 am

Hi,

What I want you to do is:
a) Configure IIS to use Kerberos authentication
-and-
b) Use WFetch to send an anonymous request

IIS should respond with a 401 status and list the acceptable authentication
mechanisms (e.g. WWW-Authenticate: Negotiate). Can you confirm that is
what's happening? It is unclear from your post exactly what you are doing.

If IIS is sending back a 302 header, then it is redirecting you somewhere
else. It is not demanding that you authenticate. And the problem is not with
Kerberos configuration.

Cheers
Ken

--
IIS Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com


"Kyle" <Kyle@discussions.microsoft.com> wrote in message
news:11712171-A0C1-4DF5-9C1A-459CC287882C@microsoft.com...
: This is all very perplexing. When i use wfetch, and set to anon accesss,
I
: don't get that error. I set it to Negotiate, Kerberos. I am using a host
: header. I checked the log files of my production server, and the log
files
: of the NLB servers, and compared the two. It is not passing the
: username\password credentials into the NLB environment.


Kyle

2005-06-14, 7:53 am

Thanks Ken-

I had already set IIS to negotiate kerberos:
cscript adsutil.vbs set w3svc/NTAuthenticationProviders "KERBEROS"

To run an ANON request, what verb should I use ? Should I use the IP
address of my NLB cluster as the host OR my host header ?

Below is using the IP address and GET:

started....WWWConnect::Connect("10.10.100.85","80")\nIP = "10.10.100.85:80"\nsource port: 1537\r\n
REQUEST: **************\nGET HTTP/1.1\r\n
Host: 10.10.100.85\r\n
Accept: */*\r\n
\r\n
RESPONSE: **************\nHTTP/1.1 400 Bad Request\r\n
Content-Type: text/html\r\n
Date: Tue, 14 Jun 2005 11:58:56 GMT\r\n
Connection: close\r\n
Content-Length: 34\r\n
\r\n
<h1>Bad Request (Invalid URL)</h1>WWWConnect::Close("10.10.100.85","80")\nclosed source port: 1537\r\n
finished.

Thanks,

Kyle


"Ken Schaefer" wrote:

> Hi,
>
> What I want you to do is:
> a) Configure IIS to use Kerberos authentication
> -and-
> b) Use WFetch to send an anonymous request
>
> IIS should respond with a 401 status and list the acceptable authentication
> mechanisms (e.g. WWW-Authenticate: Negotiate). Can you confirm that is
> what's happening? It is unclear from your post exactly what you are doing.
>
> If IIS is sending back a 302 header, then it is redirecting you somewhere
> else. It is not demanding that you authenticate. And the problem is not with
> Kerberos configuration.
>
> Cheers
> Ken
>
> --
> IIS Blog: www.adopenstatic.com/cs/blogs/ken/
> Web: www.adopenstatic.com

Ken Schaefer

2005-07-04, 2:48 am

That property you set isn't valid. You need to set it to "Negotiate", not
"Kerberos".

Cheers
Ken

--
IIS Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com

"Kyle" <Kyle@discussions.microsoft.com> wrote in message
news:2F61558B-CCE6-405C-B8FF-200E5425967B@microsoft.com...
: Thanks Ken-
:
: I had already set IIS to negotiate kerberos:
: cscript adsutil.vbs set w3svc/NTAuthenticationProviders "KERBEROS"
:
: To run an ANON request, what verb should I use ? Should I use the IP
: address of my NLB cluster as the host OR my host header ?
:
: Below is using the IP address and GET:
:
: started....WWWConnect::Connect("10.10.100.85","80")\nIP = "10.10.100.85:80"\nsource port: 1537\r\n
: REQUEST: **************\nGET HTTP/1.1\r\n
: Host: 10.10.100.85\r\n
: Accept: */*\r\n
: \r\n
: RESPONSE: **************\nHTTP/1.1 400 Bad Request\r\n
: Content-Type: text/html\r\n
: Date: Tue, 14 Jun 2005 11:58:56 GMT\r\n
: Connection: close\r\n
: Content-Length: 34\r\n
: \r\n
: <h1>Bad Request (Invalid URL)</h1>WWWConnect::Close("10.10.100.85","80")\nclosed source port: 1537\r\n
: finished.
:
: Thanks,
:
: Kyle

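The reading of WFetch output that Ken walks through in this thread (a 401 with WWW-Authenticate headers is an authentication challenge, a 302 with no Location header is not, and a request line with no target is rejected before authentication is considered), as an added Python example that is not part of any post. The function names and result codes are made up for illustration; the 400 and 302 traces are re-typed from the thread, and the 401 trace with its host name is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The traces pasted in this thread print line endings as the literal text
# "\r\n" / "\n", usually followed by a real newline; treat each as one break.
_EOL = re.compile(r"(?:\\r\\n|\\n)(?:\r?\n)?|\r?\n")
_HEADER = re.compile(r"^([A-Za-z0-9-]+):(?!:)\s*(.*)$")  # (?!:) skips WWWConnect::Close
_STATUS = re.compile(r"^HTTP/\d\.\d\s+(\d{3})\b")


@dataclass
class Exchange:
    request_line: Optional[str] = None
    status: Optional[int] = None
    headers: Dict[str, List[str]] = field(default_factory=dict)  # response headers


def parse_trace(trace: str) -> Exchange:
    """Pull the request line, status code and response headers out of a trace."""
    ex, section = Exchange(), None
    for line in _EOL.split(trace):
        line = line.strip()
        if line.startswith("REQUEST:"):
            section = "request-line"
        elif line.startswith("RESPONSE:"):
            section = "status-line"
        elif section == "request-line":
            ex.request_line, section = line, None
        elif section == "status-line":
            m = _STATUS.match(line)
            ex.status = int(m.group(1)) if m else None
            section = "headers" if m else None
        elif section == "headers":
            m = _HEADER.match(line)
            if m:
                ex.headers.setdefault(m.group(1).lower(), []).append(m.group(2))
            else:
                section = None  # blank line, body or tool chatter ends the headers
    return ex


def diagnose(trace: str) -> Tuple[str, str]:
    """Return (code, explanation) for one anonymous WFetch-style exchange."""
    ex = parse_trace(trace)
    if ex.status is None:
        return "no-http-response", "the request never reached IIS, or IIS did not answer"
    if ex.request_line is not None and len(ex.request_line.split()) != 3:
        return "malformed-request-line", (
            "expected METHOD TARGET VERSION (e.g. GET /page.htm HTTP/1.1); "
            f"the {ex.status} says nothing about authentication")
    if ex.status == 401:
        offered = [v.split()[0].lower()
                   for v in ex.headers.get("www-authenticate", []) if v]
        if "negotiate" in offered:
            return "challenge-negotiate", "IIS demands authentication and offers Negotiate"
        if offered:
            return "challenge-without-negotiate", "IIS offers only: " + ", ".join(offered)
        return "401-without-challenge", "401 with no WWW-Authenticate header"
    if ex.status in (301, 302, 303, 307):
        if "location" in ex.headers:
            return "redirect", "redirected to " + ex.headers["location"][0]
        return "redirect-without-location", (
            "a redirect, not an authentication challenge, and it names no target")
    if ex.status == 400:
        return "bad-request", "IIS rejected the request itself"
    if 200 <= ex.status < 300:
        return "served-anonymously", "no authentication was demanded for this URL"
    return "other-status", f"status {ex.status}"


# Re-typed from the thread: GET with no request target, sent to the cluster IP.
TRACE_400 = r'''started....WWWConnect::Connect("10.10.100.85","80")\nIP = "10.10.100.85:80"\nsource port: 1537\r\n
REQUEST: **************\nGET HTTP/1.1\r\n
Host: 10.10.100.85\r\n
Accept: */*\r\n
\r\n
RESPONSE: **************\nHTTP/1.1 400 Bad Request\r\n
Content-Type: text/html\r\n
Date: Tue, 14 Jun 2005 11:58:56 GMT\r\n
Connection: close\r\n
Content-Length: 34\r\n
\r\n
<h1>Bad Request (Invalid URL)</h1>WWWConnect::Close("10.10.100.85","80")\nclosed source port: 1537\r\n
finished.'''

# Re-typed from the thread: the anonymous request that came back as a 302.
TRACE_302 = r'''RESPONSE: **************\n
HTTP/1.1 302 Object moved\r\n
Connection: close\r\n
Date: Wed, 08 Jun 2005 14:45:50 GMT\r\n
Server: Microsoft-IIS/6.0\r\n
X-Powered-By: ASP.NET\r\n
WWWConnect::Close("test","80")\n
closed source port: 2882\r\n
finished.'''

# Constructed: the challenge an anonymous request should draw (host name is a placeholder).
TRACE_401 = r'''REQUEST: **************\nGET /default.htm HTTP/1.1\r\n
Host: intranet.example.test\r\n
Accept: */*\r\n
\r\n
RESPONSE: **************\nHTTP/1.1 401 Unauthorized\r\n
WWW-Authenticate: Negotiate\r\n
WWW-Authenticate: NTLM\r\n
Content-Length: 0\r\n
\r\n
finished.'''

if __name__ == "__main__":
    for name, trace in [("400", TRACE_400), ("302", TRACE_302), ("401", TRACE_401)]:
        print(name, *diagnose(trace), sep=" | ")
```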

Ken Schaefer

2005-07-04, 2:48 am

Also, the GET may be incorrect - you do not appear to be requesting anything
(hence "invalid URL" response from IIS).

Do something like:

GET /yourPageNameHere.htm HTTP/1.1

Cheers
Ken

--
IIS Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com


"Kyle" <Kyle@discussions.microsoft.com> wrote in message
news:2F61558B-CCE6-405C-B8FF-200E5425967B@microsoft.com...
: Thanks Ken-
:
: I had already set IIS to negotiate kerberos:
: cscript adsutil.vbs set w3svc/NTAuthenticationProviders "KERBEROS"
:
: To run an ANON request, what verb should I use ? Should I use the IP
: address of my NLB cluster as the host OR my host header ?
:
: Below is using the IP address and GET:
:
: started....WWWConnect::Connect("10.10.100.85","80")\nIP = "10.10.100.85:80"\nsource port: 1537\r\n
: REQUEST: **************\nGET HTTP/1.1\r\n
: Host: 10.10.100.85\r\n
: Accept: */*\r\n
: \r\n
: RESPONSE: **************\nHTTP/1.1 400 Bad Request\r\n
: Content-Type: text/html\r\n
: Date: Tue, 14 Jun 2005 11:58:56 GMT\r\n
: Connection: close\r\n
: Content-Length: 34\r\n
: \r\n
: <h1>Bad Request (Invalid URL)</h1>WWWConnect::Close("10.10.100.85","80")\nclosed source port: 1537\r\n
: finished.
:
: Thanks,
:
: Kyle
:
:
: "Ken Schaefer" wrote:
:
: > Hi,
: >
: > What I want you to do is:
: > a) Configure IIS to use Kerberos authentication
: > -and-
: > b) Use WFetch to send an anonymous request
: >
: > IIS should respond with a 401 status and list the acceptable
authentication
: > mechanisms (.e.g WWW-Authenticate: Negotiate). Can you confirm that is
: > what's happening? It is unclear from your post exactly what you are
doing.
: >
: > If IIS is sending back a 302 header, then it is redirecting you
somewhere
: > else. It is not demanding that you authenticate. And the problem is not
with
: > Kerberos configuration.
: >
: > Cheers
: > Ken
: >
: > --
: > IIS Blog: www.adopenstatic.com/cs/blogs/ken/
: > Web: www.adopenstatic.com
: >
: >
: > "Kyle" <Kyle@discussions.microsoft.com> wrote in message
: > news:11712171-A0C1-4DF5-9C1A-459CC287882C@microsoft.com...
: > : This is all very perplexing. When i use wfetch, and set to anon
accesss,
: > I
: > : don't get that error. I set it to Negotiate, Kerberos. I am using a
host
: > : header. I checked the log files of my production server, and the log
: > files
: > : of the NLB servers, and compared the two. It is not passing the
: > : username\password credentials into the NLB environment.
: > :
: > : "Ken Schaefer" wrote:
: > :
: > : > Hi,
: > : >
: > : > Unable to initialize security context, in this case, probably means
that
: > : > your client computer is unable to contact a KDC to obtain a Ticket
: > granting
: > : > ticket or service ticket for the service in question.
: > : >
: > : > However, that's not what I'm asking you to do. What I want you to do
is
: > make
: > : > an anonymous request to the server. Because that's the way a browser
: > works.
: > : > First it makes an anonymous request, and then the server should
reply
: > with:
: > : > 401 Access Denied
: > : > WWW-Authenticate: Negotiate
: > : > WWW-Authenticate: NTLM
: > : >
: > : > the WWW-Authenticate: Negotiate
: > : >
: > : > means that the server supports Kerberos as an authentication
protocol,
: > and
: > : > the client should make a new request using one of the supported
: > : > authentication mechanisms (if it doesn't support Kerberos, it can
use
: > the
: > : > next one on the list, namely NTLM, if it supports NTLM).
: > : >
: > : > Now, when you make an anonymous request - what do you see? IIS is
: > actually
: > : > sending back a 302 - Object Moved status, not a 401 (Access Denied).
: > : > However, the response does not appear to be valid, because there is
no
: > : > Location: header which indicates where the content has moved to. I
think
: > : > something else is up with your configuration rather than just
Kerberos
: > : > configuration.
: > : >
: > : > Cheers
: > : > Ken
: > : >
: > : > --
: > : > IIS Blog: www.adopenstatic.com/cs/blogs/ken/
: > : > Web: www.adopenstatic.com
: > : >
: > : >
: > : > "Kyle" <Kyle@discussions.microsoft.com> wrote in message
: > : > news:E6D91347-1604-4AE4-89AA-EC193F94BA33@microsoft.com...
: > : > :I used wfetch and came up with the following:
: > : > :
: > : > : Using Kerberos Auth. (This is what we use)
: > : > :
: > : > : 0x80090303 (The specified target is unknown or unreachable):
Unable to
: > : > : InitializeSecurityContext
: > : > :
: > : > : Using anon auth.
: > : > :
: > : > : RESPONSE: **************\n
: > : > : HTTP/1.1 302 Object moved\r\n
: > : > : Connection: close\r\n
: > : > : Date: Wed, 08 Jun 2005 14:45:50 GMT\r\n
: > : > : Server: Microsoft-IIS/6.0\r\n
: > : > : X-Powered-By: ASP.NET\r\n
: > : > : WWWConnect::Close("test","80")\n
: > : > : closed source port: 2882\r\n
: > : > : finished.
: > : > :
: > : > : So it looks to be a kerberos issue.
: > : > :
: > : > :
: > : > : "Ken Schaefer" wrote:
: > : > :
: > : > : > Hi,
: > : > : >
: > : > : > I doubt there is authentication attempting to happen. If so, you
: > would
: > : > see
: > : > : > the initial request logged in the IIS log (with 401 status). I
: > suspect
: > : > that
: > : > : > the client is not getting to the server at all -or- the server
is
: > not
: > : > : > responding to the request.
: > : > : >
: > : > : > If you use a tool like WFetch (from the IIS Resource Kit) [1],
you
: > can
: > : > see
: > : > : > whether IIS is sending back anything at all. If there's an
: > : > authentication
: > : > : > attempt you will see IIS coming back with a 401 and
: > WWW-Authenticate:
: > : > : > headers indicating what auth mechanisms are supported.
: > : > : >
: > : > : > Cheers
: > : > : > Ken
: > : > : >
: > : > : > [1]
: > : > : >
: > : >
: >
http://www.microsoft.com/downloads/...&DisplayLang=en
: > : > : >
: > : > : > --
: > : > : > IIS Blog: www.adopenstatic.com/cs/blogs/ken/
: > : > : > Web: www.adopenstatic.com
: > : > : >
: > : > : > "Kyle" <Kyle@discussions.microsoft.com> wrote in message
: > : > : > news:7F52307A-7005-481B-8813-1593C8699501@microsoft.com...
: > : > : > : It has: Cannot find server or DNS Error
: > : > : > :
: > : > : > : I have an ALIAS setup and an A record. It seems like its
still
: > trying
: > : > to
: > : > : > : authenticate some how.
: > : > : > :
: > : > : > : "Ken Schaefer" wrote:
: > : > : > :
: > : > : > : > Hi,
: > : > : > : >
: > : > : > : > Look further down the error page that you are seeing. Do you
see
: > a
: > : > HTTP
: > : > : > : > status code (e.g. 404 File Not Found), or do you see "Can
not
: > find
: > : > : > server or
: > : > : > : > DNS error"? The former indicates that the request has
reached
: > IIS
: > : > and
: > : > : > IIS is
: > : > : > : > returning a status code. The latter indicates that the
request
: > : > never
: > : > : > : > reached IIS (or IIS is not responding for some reason)
: > : > : > : >
: > : > : > : > Chers
: > : > : > : > Ken
: > : > : > : >
: > : > : > : > --
: > : > : > : > IIS Blog: www.adopenstatic.com/cs/blogs/ken/
: > : > : > : > Web: www.adopenstatic.com
: > : > : > : >
: > : > : > : >
: > : > : > : > "Kyle" <Kyle@discussions.microsoft.com> wrote in message
: > : > : > : > news:0E57541B-CF45-4532-ABF8-1D6E176C62E9@microsoft.com...
: > : > : > : > :I keep getting "Page Cannot Be Dsiplayed". I have checked
all
: > my
: > : > : > : > : permissions, etc. Everything seems to be in order.
: > : > : > : > :
: > : > : > : > : "Ken Schaefer" wrote:
: > : > : > : > :
: > : > : > : > : > "try to get my intranet site up and running and I can't get it to work"
: > : > : > : > : >
: > : > : > : > : > Please elaborate on what you mean by "can't get it to work". What isn't
: > : > : > : > : > working, and what are the symptoms you see?
: > : > : > : > : >
: > : > : > : > : > Cheers
: > : > : > : > : > Ken
: > : > : > : > : >
: > : > : > : > : > --
: > : > : > : > : > IIS Blog: www.adopenstatic.com/cs/blogs/ken/
: > : > : > : > : > Web: www.adopenstatic.com
: > : > : > : > : >
: > : > : > : > : >
: > : > : > : > : > "Kyle" <Kyle@discussions.microsoft.com> wrote in message
: > : > : > : > : > news:CCCF3812-84FE-4B67-8499-E4FF717EDB6F@microsoft.com...
: > : > : > : > : > :I already posted this on the WIN2K3 forum.
: > : > : > : > : > :
: > : > : > : > : > : I am trying to load balance my intranet site. Right now I have it configured
: > : > : > : > : > : for 2 servers. The NLB setup went fine. I tested it with a simple HTML
: > : > : > : > : > : page and everything works fine. I try to get my intranet site up and running
: > : > : > : > : > : and I can't get it to work. We use kerberos authentication. I have done all
: > : > : > : > : > : the required things such as setting the SPNs and delegating for authority,
: > : > : > : > : > : and yet still page can not be displayed. I have 1 server by itself running
: > : > : > : > : > : the intranet site, with kerberos enabled and everything works fine. I
: > : > : > : > : > : downloaded Microsoft's Authentication Tool and it gives me several errors,
: > : > : > : > : > : such as:
: > : > : > : > : > :
: > : > : > : > : > : AppPool not started
: > : > : > : > : > : Wrong credentials for AppPoolIdentity
: > : > : > : > : > :
: > : > : > : > : > : Well, I know the AppPool is started. As far as the credentials, I have my
: > : > : > : > : > : perm's mirroring my production server.
: > : > : > : > : > :
: > : > : > : > : > : Any suggestions would be helpful.
: > : > : > : > : > :
: > : > : > : > : > : Thanks,
: > : > : > : > : > :
: > : > : > : > : > : Kyle
: > : > : > : > : > :
: > : > : > : > : > :
: > : > : > : > : >
: > : > : > : > : >
: > : > : > : > : >
: > : > : > : >
: > : > : > : >
: > : > : > : >
: > : > : >
: > : > : >
: > : > : >
: > : >
: > : >
: > : >
: >
: >
: >


Kyle

2005-07-05, 5:57 pm

Ken-

I gave up on trying to use Windows Auth in a NLB environment. It just
doesn't want to work.

Thanks,

Kyle

"Ken Schaefer" wrote:

> Also, the GET may be incorrect- you do not appear to be requesting anything
> (hence "invalid URL" response from IIS).
>
> Do something like:
>
> GET /yourPageNameHere.htm HTTP/1.1
>
> Cheers
> Ken
>
> --
> IIS Blog: www.adopenstatic.com/cs/blogs/ken/
> Web: www.adopenstatic.com
>
>
> "Kyle" <Kyle@discussions.microsoft.com> wrote in message
> news:2F61558B-CCE6-405C-B8FF-200E5425967B@microsoft.com...
> : Thanks Ken-
> :
> : I had already set IIS to negotiate kerberos:
> : cscript adsutil.vbs set w3svc/NTAuthenticationProviders "KERBEROS"
> :
> : To run an ANON request, what verb should I use ? Should I use the IP
> : address of my NLB cluster as the host OR my host header ?
> :
> : Below is using the IP address and GET:
> :
> : started....WWWConnect::Connect("10.10.100.85","80")\nIP =
> : "10.10.100.85:80"\nsource port: 1537\r\n
> : REQUEST: **************\nGET HTTP/1.1\r\n
> : Host: 10.10.100.85\r\n
> : Accept: */*\r\n
> : \r\n
> : RESPONSE: **************\nHTTP/1.1 400 Bad Request\r\n
> : Content-Type: text/html\r\n
> : Date: Tue, 14 Jun 2005 11:58:56 GMT\r\n
> : Connection: close\r\n
> : Content-Length: 34\r\n
> : \r\n
> : <h1>Bad Request (Invalid
> : URL)</h1>WWWConnect::Close("10.10.100.85","80")\nclosed source port: 1537\r\n
> : finished.
> :
> : Thanks,
> :
> : Kyle
> :
> :
> : "Ken Schaefer" wrote:
> :
> : > Hi,
> : >
> : > What I want you to do is:
> : > a) Configure IIS to use Kerberos authentication
> : > -and-
> : > b) Use WFetch to send an anonymous request
> : >
> : > IIS should respond with a 401 status and list the acceptable authentication
> : > mechanisms (e.g. WWW-Authenticate: Negotiate). Can you confirm that is
> : > what's happening? It is unclear from your post exactly what you are doing.
> : >
> : > If IIS is sending back a 302 header, then it is redirecting you somewhere
> : > else. It is not demanding that you authenticate. And the problem is not with
> : > Kerberos configuration.
> : >
> : > Cheers
> : > Ken
> : >
> : > --
> : > IIS Blog: www.adopenstatic.com/cs/blogs/ken/
> : > Web: www.adopenstatic.com
> : >
> : >
> : > "Kyle" <Kyle@discussions.microsoft.com> wrote in message
> : > news:11712171-A0C1-4DF5-9C1A-459CC287882C@microsoft.com...
> : > : This is all very perplexing. When I use wfetch, and set to anon access, I
> : > : don't get that error. I set it to Negotiate, Kerberos. I am using a host
> : > : header. I checked the log files of my production server, and the log files
> : > : of the NLB servers, and compared the two. It is not passing the
> : > : username\password credentials into the NLB environment.
> : > :
> : > : "Ken Schaefer" wrote:
> : > :
> : > : > Hi,
> : > : >
> : > : > Unable to initialize security context, in this case, probably means that
> : > : > your client computer is unable to contact a KDC to obtain a Ticket granting
> : > : > ticket or service ticket for the service in question.
> : > : >
> : > : > However, that's not what I'm asking you to do. What I want you to do is make
> : > : > an anonymous request to the server. Because that's the way a browser works.
> : > : > First it makes an anonymous request, and then the server should reply with:
> : > : > 401 Access Denied
> : > : > WWW-Authenticate: Negotiate
> : > : > WWW-Authenticate: NTLM
> : > : >
> : > : > the WWW-Authenticate: Negotiate
> : > : >
> : > : > means that the server supports Kerberos as an authentication protocol, and
> : > : > the client should make a new request using one of the supported
> : > : > authentication mechanisms (if it doesn't support Kerberos, it can use the
> : > : > next one on the list, namely NTLM, if it supports NTLM).
> : > : >
> : > : > Now, when you make an anonymous request - what do you see? IIS is actually
> : > : > sending back a 302 - Object Moved status, not a 401 (Access Denied).
> : > : > However, the response does not appear to be valid, because there is no
> : > : > Location: header which indicates where the content has moved to. I think
> : > : > something else is up with your configuration rather than just Kerberos
> : > : > configuration.
> : > : >
> : > : > Cheers
> : > : > Ken
> : > : >
> : > : > --
> : > : > IIS Blog: www.adopenstatic.com/cs/blogs/ken/
> : > : > Web: www.adopenstatic.com
> : > : >
> : > : >
> : > : > "Kyle" <Kyle@discussions.microsoft.com> wrote in message
> : > : > news:E6D91347-1604-4AE4-89AA-EC193F94BA33@microsoft.com...
> : > : > :I used wfetch and came up with the following:
> : > : > :
> : > : > : Using Kerberos Auth. (This is what we use)
> : > : > :
> : > : > : 0x80090303 (The specified target is unknown or unreachable): Unable to
> : > : > : InitializeSecurityContext
> : > : > :
> : > : > : Using anon auth.
> : > : > :
> : > : > : RESPONSE: **************\n
> : > : > : HTTP/1.1 302 Object moved\r\n
> : > : > : Connection: close\r\n
> : > : > : Date: Wed, 08 Jun 2005 14:45:50 GMT\r\n
> : > : > : Server: Microsoft-IIS/6.0\r\n
> : > : > : X-Powered-By: ASP.NET\r\n
> : > : > : WWWConnect::Close("test","80")\n
> : > : > : closed source port: 2882\r\n
> : > : > : finished.
> : > : > :
> : > : > : So it looks to be a kerberos issue.
> : > : > :
> : > : > :
> : > : > : "Ken Schaefer" wrote:
> : > : > :
> : > : > : > Hi,
> : > : > : >
> : > : > : > I doubt there is authentication attempting to happen. If so, you would see
> : > : > : > the initial request logged in the IIS log (with 401 status). I suspect that
> : > : > : > the client is not getting to the server at all -or- the server is not
> : > : > : > responding to the request.
> : > : > : >
> : > : > : > If you use a tool like WFetch (from the IIS Resource Kit) [1], you can see
> : > : > : > whether IIS is sending back anything at all. If there's an authentication
> : > : > : > attempt you will see IIS coming back with a 401 and WWW-Authenticate:
> : > : > : > headers indicating what auth mechanisms are supported.
> : > : > : >
> : > : > : > Cheers
> : > : > : > Ken
> : > : > : >
> : > : > : > [1]
> : > : > : > http://www.microsoft.com/downloads/...&DisplayLang=en
> : > : > : >
> : > : > : > --
> : > : > : > IIS Blog: www.adopenstatic.com/cs/blogs/ken/
> : > : > : > Web: www.adopenstatic.com
> : > : > : >
> : > : > : > "Kyle" <Kyle@discussions.microsoft.com> wrote in message
> : > : > : > news:7F52307A-7005-481B-8813-1593C8699501@microsoft.com...
> : > : > : > : It has: Cannot find server or DNS Error
> : > : > : > :
> : > : > : > : I have an ALIAS setup and an A record. It seems like it's still trying to
> : > : > : > : authenticate somehow.
> : > : > : > :
> : > : > : > : "Ken Schaefer" wrote:
> : > : > : > :
> : > : > : > : > Hi,
> : > : > : > : >
> : > : > : > : > Look further down the error page that you are seeing. Do you see a HTTP
> : > : > : > : > status code (e.g. 404 File Not Found), or do you see "Can not find server or
> : > : > : > : > DNS error"? The former indicates that the request has reached IIS and IIS is
> : > : > : > : > returning a status code. The latter indicates that the request never
> : > : > : > : > reached IIS (or IIS is not responding for some reason)
> : > : > : > : >
> : > : > : > : > Cheers
> : > : > : > : > Ken
> : > : > : > : >
> : > : > : > : > --
> : > : > : > : > IIS Blog: www.adopenstatic.com/cs/blogs/ken/
> : > : > : > : > Web: www.adopenstatic.com
> : > : > : > : >
> : > : > : > : >
> : > : > : > : > "Kyle" <Kyle@discussions.microsoft.com> wrote in message
> : > : > : > : > news:0E57541B-CF45-4532-ABF8-1D6E176C62E9@microsoft.com...
> : > : > : > : > :I keep getting "Page Cannot Be Displayed". I have checked all my
> : > : > : > : > : permissions, etc. Everything seems to be in order.
> : > : > : > : > :
> : > : > : > : > : "Ken Schaefer" wrote:
> : > : > : > : > :
> : > : > : > : > : > "try to get my intranet site up and running and I can't get it to work"
> : > : > : > : > : >
> : > : > : > : > : > Please elaborate on what you mean by "can't get it to work". What isn't
> : > : > : > : > : > working, and what are the symptoms you see?
> : > : > : > : > : >
> : > : > : > : > : > Cheers
> : > : > : > : > : > Ken
> : > : > : > : > : >
> : > : > : > : > : > --
> : > : > : > : > : > IIS Blog: www.adopenstatic.com/cs/blogs/ken/
> : > : > : > : > : > Web: www.adopenstatic.com
> : > : > : > : > : >
> : > : > : > : > : >
> : > : > : > : > : > "Kyle" <Kyle@discussions.microsoft.com> wrote in message
> : > : > : > : > : > news:CCCF3812-84FE-4B67-8499-E4FF717EDB6F@microsoft.com...
> : > : > : > : > : > :I already posted this on the WIN2K3 forum.
> : > : > : > : > : > :
> : > : > : > : > : > : I am trying to load balance my intranet site. Right now I have it configured
> : > : > : > : > : > : for 2 servers. The NLB setup went fine. I tested it with a simple HTML
> : > : > : > : > : > : page and everything works fine. I try to get my intranet site up and running
> : > : > : > : > : > : and I can't get it to work. We use kerberos authentication. I have done all
> : > : > : > : > : > : the required things such as setting the SPNs and
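
The anonymous-probe check described in the replies above (read the status line and the WWW-Authenticate headers before suspecting Kerberos), as an added example that is not part of the original thread. The function names and verdict strings are hypothetical, and the sample responses are constructed, modelled on the WFetch captures quoted in the thread.

```python
import re

# A valid request line needs a method, a request target and a version.
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")

def parse_response(raw):
    """Return (status_code, [(lowercased header name, value), ...]) from a raw response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln.strip()]
    status = int(lines[0].split()[1])
    headers = []
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return status, headers

def diagnose(request_line, raw_response):
    """Classify an anonymous probe following the reasoning in the replies above."""
    if not REQUEST_LINE.match(request_line):
        return "malformed-request-line"      # "GET HTTP/1.1" has no request target
    status, headers = parse_response(raw_response)
    schemes = [v.split()[0] for k, v in headers if k == "www-authenticate" and v]
    if status == 401:
        if "Negotiate" in schemes:
            return "challenge-offers-negotiate"
        return "challenge-without-negotiate" if schemes else "401-without-challenge"
    if status in (301, 302):
        if any(k == "location" for k, _ in headers):
            return "redirect"
        return "redirect-missing-location"   # not an authentication demand
    return "no-authentication-demanded"

# Constructed samples, modelled on the captures quoted in the thread.
RESP_302 = ("HTTP/1.1 302 Object moved\r\nConnection: close\r\n"
            "Server: Microsoft-IIS/6.0\r\nX-Powered-By: ASP.NET\r\n\r\n")
RESP_401 = ("HTTP/1.1 401 Access Denied\r\nWWW-Authenticate: Negotiate\r\n"
            "WWW-Authenticate: NTLM\r\nContent-Length: 0\r\n\r\n")
RESP_400 = "HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n<h1>Bad Request</h1>"

if __name__ == "__main__":
    good = "GET /yourPageNameHere.htm HTTP/1.1"
    for req, resp in [("GET HTTP/1.1", RESP_400), (good, RESP_302), (good, RESP_401)]:
        print(req, "->", diagnose(req, resp))
```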


Copyright 2003 - 2008 webservertalk.com