Integrated Windows Authentication fails
| Wouter Demuynck 2005-11-22, 5:56 pm |
| Hi,
I'm encountering a problem which is quite 'mysterious' to me.
Scenario:
- Windows XP Pro SP2 with IIS 5.1, acting as both server and client
- a virtual directory /tests/secured/ with Directory Security set to
"Integrated Windows Authentication" (IWA) (no other options are
enabled)
In IE6 (SP2), when I surf to http://localhost/tests/secured/ , I end up
with the following error: "Cannot find server or DNS error"
If I allow anonymous access, or choose basic authentication instead of
IWA, I _can_ visit the URL without problems.
More info about the configuration:
- The computer is part of a domain
- The domain controller is a small business server (SBS), which also
runs an ISA server
- The computer runs Microsoft AntiSpyware and the ISA Firewall Client
- The problem also occurs on other computers in the network
- In the filesystem, Everyone has access to the tests/secured directory
Using the wfetch tool, I simulated a request. It looks like the NTLM
sequence got interrupted with Access Denied. The user names and
passwords I tried were correct, however (I tried both domain
users/local users). The output from wfetch is below:
--------------------------------------------
started....
WWWConnect::Connect("localhost","80")\n
IP = "127.0.0.1:80"\n
source port: 4693\r\n
SEC_I_CONTINUE_NEEDED - InitializeSecurityContext\n
REQUEST: **************\n
GET /tests/secured/test.txt HTTP/1.1\r\n
Host: localhost\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: NTLM
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAA
AAAFASgKAAAADw==\r\n
\r\n
RESPONSE: **************\n
HTTP/1.1 401 Access Denied\r\n
Server: Microsoft-IIS/5.1\r\n
Date: Tue, 22 Nov 2005 14:14:50 GMT\r\n
WWW-Authenticate: NTLM
TlRMTVNTUAACAAAAEAAQADgAAAAVgoniRmWYnG/ R+VoAAAAAAAAAAJQAlABIAAAABQEoCgAAAA9TAEs
AWQBMAEkATgBFADIAAgAQAFMASwBZAEwASQBOAEU
AMgABAA4A
VwBPAFUAVABFAFIAMgAEABoAcwBrAHkAbABpAG4A
ZQAuAGwAbwBjAGEAbAADACoAVwBvAHUAdABlAHIA
MgAuAHMAawB5AGwAaQBuAGUALgBsAG8AYwBhAGwA
BQAaAHMAawB5AGwAaQBuAGUALgBsAG8
AYwBhAGwAAAAAAA==\r\n
Connection: close\r\n
Content-Length: 24\r\n
Content-Type: text/html\r\n
\r\n
SEC_E_OK - InitializeSecurityContext\n
Error: Access is Denied.
WWWConnect::Close("localhost","80")\n
closed source port: 4693\r\n
cannot send data, because connection is closed
finished.
--------------------------------------------
The "Error: Access is Denied." string is the body of the server
response.
Any ideas what could be wrong in my configuration or why IE displays
the "Cannot find server or DNS error" error instead of "access denied"?
Thanks,
Wouter
| |
| Consultant 2005-11-22, 5:56 pm |
| Microsoft has a utility called AuthDiag; I suggest you use it. Sounds like
your users don't have the correct access rights.
| |
| Wouter Demuynck 2005-11-23, 7:51 am |
| Consultant wrote:
> Microsoft has a utility called AuthDiag; I suggest you use it. Sounds like
> your users don't have the correct access rights.
Thanks for the hint!
AuthDiag told me the problem right away: "NTLM requires KeepAlive
connections", which makes sense.
IIS indeed had KeepAlives disabled.
Wouter
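
The condition AuthDiag reported is visible in a trace like the wfetch output earlier in the thread: the 401 that carries the NTLM challenge (type 2 message) also says "Connection: close", so the client has no connection left on which to send its type 3 response. The following is an added example, not part of the original thread, that flags this in a raw HTTP response; the function names and the sample response are constructed for illustration.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"  # every NTLM message starts with this signature

def ntlm_message_type(header_value):
    """Return the NTLM message type (1, 2 or 3) in a header value, else None."""
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].upper() != "NTLM":
        return None  # bare "NTLM" offer or another scheme: no token present
    try:
        # Drop whitespace first so a token wrapped across lines still decodes.
        raw = base64.b64decode("".join(parts[1].split()), validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIG):
        return None
    return struct.unpack_from("<I", raw, 8)[0]  # little-endian type field

def parse_response_head(raw):
    """Split a raw HTTP response into (status_code, {lowercased name: [values]})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def ntlm_handshake_cut(raw_response):
    """True if a 401 carries an NTLM challenge (type 2) and closes the connection."""
    status, headers = parse_response_head(raw_response)
    challenged = any(ntlm_message_type(v) == 2
                     for v in headers.get("www-authenticate", []))
    closing = any(tok.strip().lower() == "close"
                  for v in headers.get("connection", []) for tok in v.split(","))
    return status == 401 and challenged and closing

def sample_response(connection):
    """Constructed 401 (not the thread's capture) with a minimal type 2 token."""
    token = base64.b64encode(NTLMSSP_SIG + struct.pack("<I", 2) + bytes(36))
    return ("HTTP/1.1 401 Access Denied\r\n"
            "Server: Microsoft-IIS/5.1\r\n"
            f"WWW-Authenticate: NTLM {token.decode()}\r\n"
            f"Connection: {connection}\r\n"
            "Content-Length: 24\r\n\r\n")
```

A first 401 with a bare "WWW-Authenticate: NTLM" is not flagged, since the client can still open a new connection and send its type 1 message; it is the close after the type 2 challenge that breaks the sequence.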