Archive > IIS Server Security > July 2004
Integrated Authentication (Kerberos) Problem

Mark Parter 2004-07-16, 8:12 am
Hello All,
I have the following 3 machines involved in this process:
1. A Windows XP SP1 with IE6 client machine
2. A Windows 2003 server with IIS 6
3. A Windows 2000 Server with SQL Server 2000
I'm trying to get a report I've created in Reporting Services (which is served from machine 2) to access data from a SQL database on machine 3.
I cannot get Kerberos to work; IE6 on machine 1 seems to indicate that NTLM is being used instead. I am testing with an ASP script from a Microsoft article. The script always returns the Authentication Type as NTLM. Here's what I've done so far:
1. Configured IIS 6 to use ONLY Integrated Windows Authentication
2. Given machine 2 delegation privileges in AD
3. Given the domain account under which the IIS application runs delegation privileges in AD.
4. Set SPNs for this domain account (not sure if I've done this OK, so a pointer on this may be helpful)
5. Verified that IE has the "Enable Integrated Windows Authentication" option checked.
6. Changed the NTAuthenticationProviders attribute in the metabase.xml file from NTAuthenticationProviders="NTLM" to NTAuthenticationProviders="Negotiate,NTLM"
7. Gone through the MS article at http://www.microsoft.com/technet/pr...y/tkerbdel.mspx but still no further forward.
8. Confirmed that authentication only fails from machine 1. If accessing the same site on machine 2, everything works fine.
Here's an extract from the IIS log:
2004-07-16 13:58:33 10.20.16.27 GET /tests/kerberos.asp |17|80004005|Login_failed_for_user_'(null)'._Reason:_Not_associated_with_a_trusted_SQL_Server_connection. 80 STAFF\M-Parter 10.20.20.55 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 500 0 0
2004-07-16 13:58:40 10.20.16.27 GET /tests/kerberos.asp - 80 - 10.20.20.55 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 2 2148074254
2004-07-16 13:58:40 10.20.16.27 GET /tests/kerberos.asp - 80 - 10.20.20.55 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 1 0
2004-07-16 13:58:40 10.20.16.27 GET /tests/kerberos.asp |17|80004005|Login_failed_for_user_'(null)'._Reason:_Not_associated_with_a_trusted_SQL_Server_connection. 80 STAFF\M-Parter 10.20.20.55 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 500 0 0
When I performed step 6, I then get prompted for a username and password in IE on machine 1. No matter what I enter for a username and password, I don't get access. If I then undo the changes in Step 6, I can gain access to the site again.
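The log extract above carries two signatures worth recognising when triaging this kind of failure: a 401.2 followed by a 401.1 within the same second (the three-leg NTLM handshake, where Kerberos needs only the first 401), and the SQL "Login failed for user '(null)'" 500 that shows the web server reached SQL with no delegable identity. The script below is an added example, not part of the thread; it assumes the field order inferred from the extract (the post has no #Fields header), uses a constructed log sample with a shortened user-agent, and decodes sc-win32-status 2148074254 as winerror.h's SEC_E_NO_CREDENTIALS (0x8009030E).

```python
from collections import defaultdict

# Constructed sample in the shape of the thread's IIS 6 log extract (user-agent shortened).
SAMPLE_LOG = """\
2004-07-16 13:58:40 10.20.16.27 GET /tests/kerberos.asp - 80 - 10.20.20.55 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 2148074254
2004-07-16 13:58:40 10.20.16.27 GET /tests/kerberos.asp - 80 - 10.20.20.55 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 0
2004-07-16 13:58:40 10.20.16.27 GET /tests/kerberos.asp |17|80004005|Login_failed_for_user_'(null)'._Reason:_Not_associated_with_a_trusted_SQL_Server_connection. 80 STAFF\\M-Parter 10.20.20.55 Mozilla/4.0+(compatible;+MSIE+6.0) 500 0 0
"""

# Assumed field order: the thread's extract has no #Fields header, so this is inferred from it.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "s-port",
          "cs-username", "c-ip", "cs(User-Agent)", "sc-status", "sc-substatus", "sc-win32-status"]

# 2148074254 decimal is 0x8009030E, SEC_E_NO_CREDENTIALS in winerror.h.
WIN32_NAMES = {0x8009030E: "SEC_E_NO_CREDENTIALS"}

def parse_line(line):
    """Split one W3C log line on spaces (IIS encodes spaces inside fields as '+' or '_')."""
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["sc-win32-status"] = int(rec["sc-win32-status"])
    return rec

def describe_win32(code):
    return "%s (0x%08X)" % (WIN32_NAMES.get(code, "unknown"), code)

def triage(log_text):
    """Return diagnostics keyed by (client ip, uri) for each request sequence in the log."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_client[(rec["c-ip"], rec["cs-uri-stem"])].append(rec)
    findings = {}
    for key, recs in by_client.items():
        notes = []
        statuses = [(r["sc-status"], r["sc-substatus"]) for r in recs]
        # Heuristic: a 401.2 challenge followed by a 401.1 before the final answer is the
        # three-leg NTLM handshake; a Kerberos client answers the first 401 with its ticket.
        if ("401", "2") in statuses and ("401", "1") in statuses:
            notes.append("three-leg 401.2/401.1 handshake: NTLM, not Kerberos")
        for r in recs:
            if r["sc-win32-status"]:
                notes.append("401.%s win32 status %s" % (r["sc-substatus"], describe_win32(r["sc-win32-status"])))
            if r["sc-status"] == "500" and "(null)" in r["cs-uri-query"] and "trusted_SQL_Server" in r["cs-uri-query"]:
                notes.append("SQL saw an anonymous login for %s: second hop carried no delegable ticket" % r["cs-username"])
        findings[key] = notes
    return findings
```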

Steve Dodson [MSFT] 2004-07-16, 5:53 pm
Mark,
Verify the SPN for the SQL service account is registered such as the
following:
setspn -A MSSQLSvc/server23.northamerica.microsoft.com:1433 sqlaccount
I have also seen it where you need to register another SPN (NetBIOS name)
such as:
setspn -A MSSQLSvc/server1:1433 sqlaccount
Hope that helps!
Steve Dodson [MSFT]
MCSE, CISSP
PSS Security
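Steve's advice amounts to a checklist: the SQL service account must carry MSSQLSvc SPNs for both the FQDN and the NetBIOS name, each with the port, and no SPN may be registered on two accounts at once (a duplicate makes Kerberos fail for that service and clients fall back to NTLM). The code below is an added example, not from the thread or from Microsoft; the account, host names and the `setspn -L` style listing are constructed, and SPN comparison is done case-insensitively here as an assumption.

```python
# Constructed sample in the shape of `setspn -L <account>` output; names are made up.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=sqlaccount,CN=Users,DC=example,DC=com:
        MSSQLSvc/sql-server.example.com:1433
        HOST/unrelated-box
"""

def expected_sql_spns(fqdn, port=1433):
    """The two forms named in the reply: FQDN and NetBIOS host name, each with the port."""
    netbios = fqdn.split(".")[0]
    return {"MSSQLSvc/%s:%d" % (fqdn, port), "MSSQLSvc/%s:%d" % (netbios, port)}

def parse_setspn(output):
    """Collect the SPNs from a setspn -L listing (the indented lines after the header)."""
    return {ln.strip() for ln in output.splitlines() if ln.startswith((" ", "\t"))}

def missing_spns(fqdn, output, port=1433):
    """Expected SPNs that the listing does not contain (assumed case-insensitive match)."""
    registered = {s.lower() for s in parse_setspn(output)}
    return sorted(s for s in expected_sql_spns(fqdn, port) if s.lower() not in registered)

def find_duplicates(spns_by_account):
    """SPNs that appear on more than one account; each SPN must belong to exactly one."""
    owners = {}
    for account, spns in spns_by_account.items():
        for spn in spns:
            owners.setdefault(spn.lower(), set()).add(account)
    return {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}
```

A missing NetBIOS-form SPN is exactly the case Steve describes; register it with the `setspn -A` line from his reply, on the SQL service account only.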

Ken Schaefer 2004-07-18, 2:48 am
What is the servername that you are accessing the IIS server with?
If it is a fully qualified domain name (FQDN), then IE will think that this
machine is the "Internet" security zone by default, and will not attempt
Kerberos Authentication (I think this is mentioned in the Troubleshooting
Kerberos doc you have). You need to add the site to the Intranet zone -or-
access the site by NetBIOS name.
Also, if you are accessing by FQDN, ensure that the relevant SPN is
registered:
http://support.microsoft.com/defaul...kb;EN-US;294382
Cheers
Ken

Mark Parter 2004-07-27, 5:57 pm
The IIS server is called dv2anai
The SQL Server is called sql-server
Imaginative titles or what
I access the site using http://dv2anai
IE shows this as being part of the "Intranet Zone"