IIS Server Security - Kerberos timeout with IIS6, ASP.Net and SQLServer


Author Kerberos timeout with IIS6, ASP.Net and SQLServer
roarfred@gmail.com

2006-05-17, 7:16 pm

I've been struggling with a problem for the last two months that is
almost driving me nuts...

We have a traditional ASP.Net 1.1 web site accessing a SQL2000 database
using delegation and a trusted connection. I have seen many posts
regarding this setup, and we had quite some trouble getting it all
working ourselves. Users could finally access the web server and pull data
from the database, fully authenticated through Kerberos and Integrated
Windows Authentication.

The problem is:
- After a user has been inactive for anything from a few minutes to
half an hour, the connection with the database is broken and it
responds with the well known login failed for user (null) error.

Some more facts:
- The connection with the web server works fine, and as long as the
exception is trapped in the code, all pages are displayed (as intended
when a db connection is unavailable, that is)
- I got a feeling that the Kerberos ticket is expiring and the web
server doesn't bother asking the client for a new one.
- We do have trust for delegation set up in the AD for the web server
to access any resource
- We do have a HTTP/fqdn SPN set up in AD

Questions:
- Any suggestions as to what this might be caused by?
- Would we need a SPN for the DB server too? (This is just accessed
through the netbios name)
- Do you know of any Kerberos-related settings that would make the
initial authentication work, but connections fail at a later point?


One more thing... The very same problem was posted unanswered here in
several newsgroups about a year ago:
http://groups.google.com/group/micr...33e72c9029b8b32

This posting describes a bit more what has been tried and not. I have
done very much the same approach, with no more luck than that guy.

(I have not found any other postings that I can tell are describing the
same problem as mine)


Any help on this matter is most appreciated.

Regards,
Roar Fredriksen
Systems Engineer
Omega Project Solutions Inc

Ken Schaefer

2006-05-18, 7:20 am

Hi,

Can you enable Kerberos audit logging on the IIS box, and post the relevant
events that are being logged when the problems start occurring?
http://support.microsoft.com/?id=262177

Cheers
Ken

<roarfred@gmail.com> wrote in message
news:1147898055.853976.36330@j73g2000cwa.googlegroups.com...
> I've been struggling with a problem for the last two months that is
> almost driving me nuts...
>
> We have a traditional ASP.Net 1.1 web site accessing a SQL2000 database
> using delegation and a trusted connection. I have seen many posts
> regarding this setup, and we had quite some trouble getting it all
> working ourselves. Users could finally access the web server and pull data
> from the database, fully authenticated through Kerberos and Integrated
> Windows Authentication.
>
> The problem is:
> - After a user has been inactive for anything from a few minutes to
> half an hour, the connection with the database is broken and it
> responds with the well known login failed for user (null) error.
>
> Some more facts:
> - The connection with the web server works fine, and as long as the
> exception is trapped in the code, all pages are displayed (as intended
> when a db connection is unavailable, that is)
> - I got a feeling that the Kerberos ticket is expiring and the web
> server doesn't bother asking the client for a new one.
> - We do have trust for delegation set up in the AD for the web server
> to access any resource
> - We do have a HTTP/fqdn SPN set up in AD
>
> Questions:
> - Any suggestions as to what this might be caused by?
> - Would we need a SPN for the DB server too? (This is just accessed
> through the netbios name)
> - Do you know of any Kerberos-related settings that would make the
> initial authentication work, but connections fail at a later point?
>
>
> One more thing... The very same problem was posted unanswered here in
> several newsgroups about a year ago:
> http://groups.google.com/group/micr...33e72c9029b8b32
>
> This posting describes a bit more what has been tried and not. I have
> done very much the same approach, with no more luck than that guy.
>
> (I have not found any other postings that I can tell are describing the
> same problem as mine)
>
>
> Any help on this matter is most appreciated.
>
> Regards,
> Roar Fredriksen
> Systems Engineer
> Omega Project Solutions Inc
>



Roar

2006-05-18, 1:16 pm

Thanks for your reply Ken!

Unfortunately, we are developing in a shared environment without direct
access to the web server. I will check with the Administrator if we can
have this done on this server.

Should this log kerberos events for communication with the sql server,
the client's browser or both?

Ken Schaefer

2006-05-21, 1:17 am

This will log Kerberos events on the IIS server (i.e. logon failed, ticket
corrupt/altered etc).
You will probably want to enable this on the SQL Server as well, just in
case the problem is at the SQL Server box rather than at the IIS box

Cheers
Ken

"Roar" <roarfred@gmail.com> wrote in message
news:1147965165.263988.246430@y43g2000cwc.googlegroups.com...
> Thanks for your reply Ken!
>
> Unfortunately, we are developing in a shared environment without direct
> access to the web server. I will check with the Administrator if we can
> have this done on this server.
>
> Should this log kerberos events for communication with the sql server,
> the client's browser or both?
>
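
The logging step Ken describes, as an added example that is not part of the original posts: it sets the `LogLevel` value documented in KB 262177 and then summarises the Kerberos events written to the System log around the time the "login failed" error appears. The function names are hypothetical, it assumes a Windows version where `Get-WinEvent` is available, and the `Error Code:` line it parses is an assumption about the event message text.

```powershell
# Added example, not from the thread. Run elevated on the IIS box, then again on the SQL Server box.
# Registry value as documented in KB 262177: LogLevel = 1 under Lsa\Kerberos\Parameters.
$KerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Enable-KerberosEventLogging {
    if (-not (Test-Path $KerbKey)) { New-Item -Path $KerbKey -Force | Out-Null }
    New-ItemProperty -Path $KerbKey -Name LogLevel -PropertyType DWord -Value 1 -Force | Out-Null
}

function Disable-KerberosEventLogging {
    # Verbose Kerberos logging is noisy; turn it off once the failure has been captured.
    Remove-ItemProperty -Path $KerbKey -Name LogLevel -ErrorAction SilentlyContinue
}

function Get-KerberosEventSummary {
    param(
        [datetime]$Since = (Get-Date).AddHours(-1),
        [datetime]$Until = (Get-Date)
    )
    # Pull System-log events in the window and keep those written by a Kerberos source.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $Since; EndTime = $Until } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match 'Kerberos' } |
        ForEach-Object {
            # Assumed message layout: a line such as "Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN".
            $code = if ($_.Message -match 'Error Code:\s*(0x[0-9A-Fa-f]+)\s+(\S+)') {
                "$($Matches[1]) $($Matches[2])"
            } else { 'n/a' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Id        = $_.Id
                Level     = $_.LevelDisplayName
                ErrorCode = $code
                Message   = $_.Message
            }
        } |
        Sort-Object Time
}

# 1. Turn logging on, 2. let a session sit idle until the database login fails,
# 3. collect the events from that window, 4. turn logging off again.
Enable-KerberosEventLogging
Get-KerberosEventSummary -Since (Get-Date).AddMinutes(-45) |
    Format-Table Time, Id, Level, ErrorCode -AutoSize
Disable-KerberosEventLogging
```

Running the same collection on both servers for the same time window lets the events be lined up against the moment the idle session fails.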


