IIS Server Security - Windows integrated authentication with site content on UNC share...


Prasad Dabak

2004-01-24, 2:02 am

Hello,

I have the following setup

Machine setup
-------------
Windows 2003 Domain Controller (Domain function level is Windows 2000
native). Windows 2003 server running IIS 6
Windows 2003 server acting as a file server.

Configuration
-------------
1. The file server has a share called "WEBCONTENT" that has Everyone
Full Control permissions.
2. There is a website on the web server whose webroot points to
\\FileServer\WEBCONTENT\wwwroot. The web site is configured to use
Integrated Windows Authentication. Anonymous access is enabled for the
site.
3. The anonymous user of the website is DOMAIN\IUSR_testuser (AD
user). This user has Read permissions on the entire file system
pointed by \\FileServer\WEBCONTENT\webroot
4. There is another user called DOMAIN\testuser (AD user). This user
has full control on the entire file system pointed by
\\FileServer\WEBCONTENT\webroot.
5. The DOMAIN\WebServer computer account has full control on the
entire file system pointed by \\FileServer\WEBCONTENT\webroot
6. I have configured the AD such that the web server and the
DOMAIN\testuser are trusted for delegation.

I am able to successfully browse the web site. No issues here.

Now, the problem that I am facing:

There is one page under \\FileServer\WEBCONTENT\wwwroot say
protected.htm. I have configured the metabase such that this file does
not have anonymous access enabled for it. Hence, when I access this
page, I get an authentication box. However, despite entering the
correct account name, i.e. DOMAIN\testuser, it is not allowing me to
browse the page. After 3 attempts it throws HTTP Error 401.3.

Now, if I just switch the web site from "Windows integrated
authentication" to "Basic authentication", it all works fine.

I am pretty sure that this is an issue with delegation. However, I
think I am following all the steps required for delegation. I used
the following article for reference.

http://www.microsoft.com/technet/tr...at/RemStorg.asp

I have seen numerous posts on this forum related to this issue, but
could not find any closure.

Can anyone shed some light on this?

Thanks.
-Prasad
Ken Schaefer

2004-01-24, 2:02 am

You are indeed running into a delegation issue.

However there are a number of things you need to do to get this all working,
and you haven't provided enough details:

a) is the webserver sending the "Negotiate" authentication header
b) are the client browsers able to support Kerberos authentication
c) what steps do you take to enable delegation for both computers *and* user
accounts in question

The following KB article has steps for IIS -> SQL Server, and you'd need to
follow something similar for IIS -> Remote file server:
http://support.microsoft.com/?id=319723

Can you outline the exact steps that you took? We may be able to spot
something that you missed.

Cheers
Ken


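Ken's first question (whether the server is sending the "Negotiate" header) can be answered from the client side without touching the web server: request the protected page anonymously and look at the WWW-Authenticate headers on the 401 reply. IIS 6 emits one WWW-Authenticate header per provider listed in the metabase property NTAuthenticationProviders (default "Negotiate,NTLM"); if that property has been set to "NTLM" only, Kerberos is never used and delegation to the UNC share cannot work. The following is an added example, not code from the thread. The header values marked as samples are constructed; `probe()` performs a real request against whatever host name you pass it.

```python
"""Check whether an IIS 401 challenge offers Kerberos (Negotiate).

Added example, not from the original thread. The sample header values
below are constructed; probe() does a real request if pointed at a host.
"""
import http.client
import re

# Split a WWW-Authenticate value on commas that are not inside quotes,
# so Basic realm="a,b" is not cut in half.
_COMMA_OUTSIDE_QUOTES = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_www_authenticate(values):
    """Return the auth schemes offered across all WWW-Authenticate headers.

    IIS sends one header per provider ("Negotiate", "NTLM"); other servers
    may join challenges with commas ("Negotiate, NTLM, Basic realm=x").
    A chunk whose first token contains no '=' starts a new challenge;
    anything else is a parameter of the previous one (e.g. Digest qop=).
    """
    schemes = []
    for value in values:
        for chunk in _COMMA_OUTSIDE_QUOTES.split(value):
            chunk = chunk.strip()
            if not chunk:
                continue
            first = chunk.split(None, 1)[0]
            if "=" not in first:
                schemes.append(first)
    return schemes


def offers_kerberos(schemes):
    """Negotiate is the SPNEGO scheme and the only one that can carry a
    Kerberos ticket. NTLM alone means no Kerberos, hence no delegation."""
    return any(s.lower() == "negotiate" for s in schemes)


def probe(host, path="/protected.htm", port=80):
    """Request the page anonymously and report the schemes in the 401 reply.
    Host and path are whatever you pass in; nothing here is from the thread."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        if resp.status != 401:
            return resp.status, []
        hdrs = resp.headers.get_all("WWW-Authenticate") or []
        return resp.status, parse_www_authenticate(hdrs)
    finally:
        conn.close()


# Constructed sample: an IIS 6 site with the default
# NTAuthenticationProviders ("Negotiate,NTLM") answering a page whose
# anonymous access has been disabled.
SAMPLE_IIS_401 = ["Negotiate", "NTLM"]
# Constructed sample: NTAuthenticationProviders set to "NTLM" only.
SAMPLE_NTLM_ONLY_401 = ["NTLM"]

if __name__ == "__main__":
    for name, hdrs in (("default", SAMPLE_IIS_401),
                       ("ntlm-only", SAMPLE_NTLM_ONLY_401)):
        schemes = parse_www_authenticate(hdrs)
        print(name, schemes, "kerberos possible:", offers_kerberos(schemes))
```

Seeing "Negotiate" in the challenge only proves the server offers SPNEGO; the browser can still pick NTLM inside Negotiate (for example if the site is not in the Intranet zone or the SPN for the host name is missing), so the server-side Kerberos and security logs are still needed to confirm a ticket was actually used.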

Prasad Dabak

2004-01-24, 2:02 am

Hello,

> a) is the webserver sending the "Negotiate" authentication header

How do I verify this?

> b) are the client browsers able to support Kerberos authentication

Yes. I am using IE 6 on Windows 2003.

> c) what steps do you take to enable delegation for both computers *and* user
> accounts in question

I have configured the AD such that the web server and the
DOMAIN\testuser are trusted for delegation. For web server, I did this
by right clicking on web server computer account and enabled the
checkbox for "Trust computer for delegation". For user, I did this by
right clicking on the user account, went to "Account" tab and enabled
the checkbox "Account is trusted for delegation" under account
options. I verified that "Account is sensitive and cannot be
delegated" is turned off.

BTW, I turned on auditing and kerberos logging and I am receiving some
errors in event log on AD and the web server.

On web server, in security log, I get the following error

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 1/23/2004
Time: 5:58:36 AM
User: NT AUTHORITY\SYSTEM
Computer: WEBSERVER
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: testuser
Source Workstation: PRASAD-LT
Error Code: 0xC0000064

In System log, I get the following error

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date: 1/23/2004
Time: 5:58:36 AM
User: N/A
Computer: WEBSERVER
Description:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 0:28:36.0000 1/23/2004 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: DOMAIN.COM
Server Name: host/webserver.domain.com
Target Name: host/webserver.domain.com@WEBSERVER.DOMAIN.COM
Error Text:
File: 9
Line: ab8
Error Data is in record data.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 30 15 a1 03 02 01 03 a2 0.¡....¢
0008: 0e 04 0c bb 00 00 c0 00 ...»..À.
0010: 00 00 00 03 00 00 00 .......

On AD, in security log, I am getting the following

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 673
Date: 1/23/2004
Time: 5:58:36 AM
User: NT AUTHORITY\SYSTEM
Computer: DC
Description:
Service Ticket Request:
User Name:
User Domain: DOMAIN.COM
Service Name: host/webserver.domain.com
Service ID: -
Ticket Options: 0x40830000
Ticket Encryption Type: -
Client Address: 10.72.36.5
Failure Code: 0xD
Logon GUID: -
Transited Services: -

Thanks.
-Prasad



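The three events above tell a consistent story once decoded. Event ID 680 is written by the NTLM package (MSV1_0), so the logon that reached the web server's log was an NTLM logon, and 0xC0000064 is STATUS_NO_SUCH_USER. The Kerberos Event ID 3 and the DC's Event ID 673 both carry error code 0xD, KDC_ERR_BADOPTION, for a service-ticket request to host/webserver.domain.com, and the record's Data field is a DER-encoded KERB-ERROR-DATA structure (MS-KILE) whose extended status, 0xC00000BB, is STATUS_NOT_SUPPORTED. The following decoder is an added example, not code from the thread; the only input it needs is the hex dump quoted in the post, copied verbatim, and the code/name tables are the subset of RFC 4120 and NTSTATUS values relevant here.

```python
"""Decode the Kerberos error records Windows writes to the System log.

Added example, not from the original thread. The byte string below is
copied from the Event ID 3 record quoted above; the layout follows
MS-KILE: KERB-ERROR-DATA wrapping a KERB-EXT-ERROR triple.
"""
import struct

# KRB-ERROR error-code values from RFC 4120 that matter for delegation.
KRB_ERROR_CODES = {
    0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    0xD: "KDC_ERR_BADOPTION",
    0xE: "KDC_ERR_ETYPE_NOSUPP",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x19: "KDC_ERR_PREAUTH_REQUIRED",
    0x1F: "KRB_AP_ERR_BAD_INTEGRITY",
    0x25: "KRB_AP_ERR_SKEW",
}
# NTSTATUS values that show up in the extended-error status field.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC00000BB: "STATUS_NOT_SUPPORTED",
}
KERB_ERR_TYPE_EXTENDED = 3


def _read_tlv(buf, pos):
    """Read one DER tag/length/value (short and long-form lengths)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_kerb_error_data(blob):
    """Parse KERB-ERROR-DATA ::= SEQUENCE { data-type [1] INTEGER,
    data-value [2] OCTET STRING OPTIONAL }. For data-type 3 the value is
    KERB-EXT-ERROR { status, reserved, flags }, three little-endian DWORDs."""
    tag, seq, _ = _read_tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out = {}
    pos = 0
    while pos < len(seq):
        ctx, inner, pos = _read_tlv(seq, pos)   # [1] or [2] context tag
        _, val, _ = _read_tlv(inner, 0)         # INTEGER / OCTET STRING inside
        if ctx == 0xA1:
            out["data_type"] = int.from_bytes(val, "big", signed=True)
        elif ctx == 0xA2:
            out["data_value"] = val
    value = out.get("data_value", b"")
    if out.get("data_type") == KERB_ERR_TYPE_EXTENDED and len(value) == 12:
        status, reserved, flags = struct.unpack("<III", value)
        out["status"] = status
        out["status_name"] = NTSTATUS.get(status, "unknown")
        out["reserved"] = reserved
        out["flags"] = flags
    return out


def explain_event(error_code, data_hex):
    """Combine the record's 'Error Code' field with its decoded Data bytes."""
    result = decode_kerb_error_data(bytes.fromhex(data_hex))
    result["error_code"] = error_code
    result["error_name"] = KRB_ERROR_CODES.get(error_code, "unknown")
    return result


# Bytes taken verbatim from the Event ID 3 record quoted in the post above.
EVENT_3_DATA = "30 15 a1 03 02 01 03 a2 0e 04 0c bb 00 00 c0 00 00 00 00 03 00 00 00"

if __name__ == "__main__":
    for key, val in explain_event(0xD, EVENT_3_DATA).items():
        print(f"{key:12} {val:#x}" if isinstance(val, int) else f"{key:12} {val}")
```

The decoder deliberately does not name the bits in the flags field; MS-KILE defines them, but the status value is what identifies the failure, and a KDC_ERR_BADOPTION on a forwardable ticket request is the signature to look for whenever Kerberos delegation is the suspect.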


Copyright 2003 - 2008 webservertalk.com