Odd Kerberos Delegation Problem - wfetch works, IE doesn't
| Tyler S 2006-01-22, 6:10 pm |
I am experiencing a very odd and frustrating Kerberos delegation problem (I
think) that I hope someone can help me figure out. I want to make my web
server use the credentials of the user accessing the website to access my
SQL Server using integrated authentication. The problem I have is that
sometimes the delegation works and sometimes it doesn't.

My test environment is as follows:
- Client: Windows XP SP2 running IE v6.0 (negotiating a Kerberos session
w/IIS server)
- WebServer: Windows 2003 SP1 Server running IIS v6.0
- SQL Server: Windows 2003 SP1 Server running SQLServer 2005 Beta, SPN for
this service and its port is configured
- Domain: Windows Server 2003 functional level, WebServer is configured as
"Trust this computer for delegation to any service (Kerberos Only)", SQL
Server domain account is configured as "Trust this user for delegation to
any service (Kerberos Only)"

I have put the sample ASP page onto my web server as its default page
(http://support.microsoft.com/kb/319723/en-us).

If I use IE to attempt to retrieve the page, it will prompt me for my
password (I have configured IE to always ask) and then bring up the page.
The auth_user is the user I specified and the auth_type is 'Negotiate', but
I still get the following error in the page contents:

Microsoft OLE DB Provider for SQL Server error '80004005'
Login failed for user ''. The user is not associated with a trusted SQL
Server connection

If I use wfetch v1.3 to pull up the same page (authentication selected is
'Negotiate' and same domain/user name/password is supplied), the wfetch
results will retrieve the page successfully. If I then try IE again right
away, it also will now work! (huh???) If I wait a few minutes and try IE
again, it will fail with the same error as before.

I have reviewed the IIS logs and cannot see anything really amiss in them.
For the IE that fails, the logs look as follows:

2006-01-21 19:29:19 W3SVC1 10.0.0.12 GET / - 80 - 172.16.255.199 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254
2006-01-21 19:29:30 W3SVC1 10.0.0.12 GET /Default.asp |20|80004005|Login_failed_for_user_''. _The_user_is_not_associated_with_a_trusted_SQL_Server_connection. 80 <DOMAIN>\<USERNAME> 172.16.255.199 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 500 0 0

For the wfetch that works, the logs look as follows:

2006-01-21 19:31:49 W3SVC1 10.0.0.12 GET /Default.asp - 80 <DOMAIN>\<USERNAME> 172.16.255.199 - 200 0 0

After the wfetch that works, the logs look as follows for IE working:

2006-01-21 19:33:50 W3SVC1 10.0.0.12 GET / - 80 - 172.16.255.199 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254
2006-01-21 19:33:50 W3SVC1 10.0.0.12 GET /Default.asp - 80 <DOMAIN>\<USERNAME> 172.16.255.199 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 200 0 0

I have tried to work through a number of the Microsoft Kerberos/IIS
troubleshooting guides, but none seem to cover this specific problem I'm
having. Can someone please help me understand what is going on and what I
should do to fix this problem?

Thanks, Tyler
| |
| Ken Schaefer 2006-01-24, 7:51 am |
Hi,
I would start by looking in the Security Event logs on the servers. Verify
that the authentication package being used isn't NTLM for the logons that
don't work.
Cheers
Ken
| |
| Ken Schaefer 2006-01-24, 7:51 am |
Also you can use Kerbtray tool to verify what Kerberos tickets the user has
(that'll help tell you whether Kerberos is being used to auth to the IIS
box).
Once we have Kerberos verified as working between client <-> IIS we can look
at IIS <-> SQL Server
Cheers
Ken
|
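
The check suggested in the replies (is the failing logon using NTLM rather than Kerberos?) can also be made on the request itself, because a logon that fell back to NTLM cannot be delegated on to SQL Server. The following is an added example, not part of the original thread: it classifies the token carried in an Authorization: Negotiate header. The function names and the sample tokens are constructed for illustration, and the byte-pattern test is a heuristic, not a full SPNEGO parser.

```python
import base64

# DER-encoded Kerberos mechanism OIDs that appear inside a SPNEGO token.
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2 (legacy MS)
)
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
NTLM_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIG = b"NTLMSSP\x00"                          # starts every NTLM message


def classify_authorization(header_value):
    """Return 'ntlm', 'kerberos' or 'unknown' for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not b64:
        return "unknown"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    # NTLM can be sent raw or as the mechToken inside a SPNEGO wrapper;
    # either way the NTLMSSP signature is present in the decoded bytes.
    if NTLMSSP_SIG in token:
        return "ntlm"
    # 0x60 opens a GSS-API initial token; a Kerberos OID without an
    # NTLMSSP payload means the client sent a Kerberos ticket.
    if token[:1] == b"\x60" and any(oid in token for oid in KRB5_OIDS):
        return "kerberos"
    return "unknown"


def as_header(token):
    """Build a header value from raw token bytes (helper for the samples)."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed, truncated sample tokens (not captured traffic, not valid tickets).
RAW_NTLM = NTLMSSP_SIG + b"\x01\x00\x00\x00" + bytes(24)
SPNEGO_NTLM = b"\x60\x40" + SPNEGO_OID + NTLM_OID + RAW_NTLM
SPNEGO_KRB5 = b"\x60\x82\x05\x00" + SPNEGO_OID + KRB5_OIDS[1] + KRB5_OIDS[0] + b"\x01\x00\x6e"

if __name__ == "__main__":
    for name, tok in (("raw NTLM", RAW_NTLM), ("SPNEGO+NTLM", SPNEGO_NTLM),
                      ("SPNEGO+Kerberos", SPNEGO_KRB5)):
        print(f"{name:16} {as_header(tok)[:22]}...  {classify_authorization(as_header(tok))}")
```

In base64 form, an NTLM token begins with TlRMTVNT and a Kerberos token typically begins with YII, which is often enough to tell the two apart by eye in a request trace.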