IIS Server Security - Network/Web Site Authentication

benb

2006-07-25, 1:23 pm

Hi,

I've got a WSUS server, which has been working fine for nearly a year. For
some reason, in the past month or 2, when I try to manage the WSUS service
from the web console, using the server name (https://wsuserver/WSUSadmin) I
get an authentication error. The authentication box pops up, asking for
username & password, however no matter what credentials I enter, (mine,
domain admin, enterprise admin) it pops up 3 times, fails, and then I get
the WSUS message:

Access denied
Network policy settings prevent you from accessing this Windows Server
Update Services server.
If you believe you have received this message in error, please check with
your system administrator.

However, if I connect using the server's IP address, NOT hostname,
(https://192.168.0.10/WSUSadmin) it works perfectly. I'm fairly sure it's not
an IIS setting, as I've setup a test server with WSUS installed, that works
with hostname, and exported the web site to an XML file, then imported it
into the live WSUS server. Also the live & test servers are both in the same
OU, with the same group policy applied, so all the security settings
*should* be the same.

What security setting would cause authentication to a hostname to fail, but
to an IP address to work?

Cheers

Ben


Greg Lindsay [MSFT]

2006-07-26, 1:21 am

Hi Ben,

I believe this article discusses your issue and the workaround:
http://support.microsoft.com/defaul...kb;en-us;896861

Please let me know if this does not help.

--
Greg Lindsay [MSFT]
greg.lindsay@microsoft.com

Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.




benb

2006-07-27, 1:26 pm

Hi Greg,

Thanks for the reply. Tried both workarounds described on that page, and
rebooted the server last night, but it didn't fix the issue, the logon still
fails when you try and open a page via hostname, but works with IP address!
I don't think I mentioned our setup, we have 2 servers, first is Win2003
SP1, running as a DC, DHCP, DNS, and the other, is our web/app server,
Win2003 SP1, member server. This runs the WSUS web site, and also VMWare,
which is what I setup as a test WSUS server and got working.

Many thanks

Ben





WenJun Zhang[msft]

2006-07-28, 7:26 am

Hi Ben,

First please check if you ping the wsuserver, the IP address 192.168.0.10
is properly returned. Otherwise this is most likely a routing error.

If the servername/IP resolution appears to be fine, would you please export
IIS configuration and send it to me to have a check?

To dump your metabase configuration, please install IIS6 resource kit tools
and use the Metabase Explorer utility. Export the data under LM root node
in to a mbk file.

Internet Information Services (IIS) 6.0 Resource Kit Tools
http://www.microsoft.com/downloads/...n&familyid=56fc92ee-a71a-4c73-b628-ade629c89499

You can send the file to me at: wjzhang@online.microsoft.com (please remove
online.)

Best Regards,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscript...ault.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscript...t/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Greg Lindsay [MSFT]

2006-07-28, 7:19 pm

Hi Ben,

I got your email and have responded to you. I still think this is an IIS
issue, and at this point it would be best to examine security logs to track
down what is causing the issue.

--
Greg Lindsay [MSFT]
greg.lindsay@microsoft.com

Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.




benb

2006-07-31, 1:23 pm

Hi Greg,

I got your email, thanks.
This is a copy of the security event log entry that appears after you try to
logon via hostname. Five of these appear after you try to enter the username
& password with 2 retries via IE.

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 31/07/2006
Time: 10:33:54
User: NT AUTHORITY\SYSTEM
Computer: WSUSERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.0.50
Source Port: 1766





benb

2006-07-31, 1:23 pm

Hi WenJun,

Thanks for the reply, I downloaded and ran the IIS res kit, very useful
tool, didn't realise it existed! I have exported the config and metabase and
emailed it to you. Hopefully you should have it by now.

Kind regards

Ben




WenJun Zhang[msft]

2006-08-01, 7:28 am

Hi Ben,

I haven't received mail from you. Could you please double-check the address?

My email is: wjzhang@online.microsoft.com (please remove online.)

Thanks & Have a nice day!

Best Regards,

WenJun Zhang

Microsoft Online Community Support


This posting is provided "AS IS" with no warranties, and confers no rights.

benb

2006-08-02, 7:31 am

Hi WenJun,

I definitely sent it to the address below (removing online.) on the 31st
July. Have re-sent this morning, it's from my hotmail account,
bjblackmore@NOSPAM.hotmail.com (remove NOSPAM.)
Is it possible that it was blocked because of encrypted content? When I
exported the metabase I encrypted it with a password, seeing as it was being
transmitted over email!

Ben





WenJun Zhang[msft]

2006-08-02, 1:27 pm

Hi Ben,

I've replied to your email. Thanks.

Best Regards,

WenJun Zhang

Microsoft Online Community Support


This posting is provided "AS IS" with no warranties, and confers no rights.

benb

2006-08-03, 7:29 pm

Hi WenJun,

I got your email, many thanks. I made some changes to the web sites, deleted
the 2 test sites, but still get the same problem.
Have replied to your email, and attached the 2 new config files.

Best regards

Ben





WenJun Zhang[msft]

2006-08-04, 7:27 am

Hi,

Let's use webfetch to trace the rawdata of http request/response and
determine if the problem is actually on server-side.

HOW TO: Use Wfetch.exe to Troubleshoot HTTP Connections
http://support.microsoft.com/defaul...kb;en-us;284285

To use, please input:

Host: (Your servername)

Path: (The relative path of your page. e.g: /WSUSAdmin/)

Auth: (Select NTLM and specify your domain\username credential)

Press Go! to issue an HTTP request to the server and check what response is
returned. I think the trace should show us the details. Please paste
the whole log data here.

I'll wait for your update. Thanks.

Best Regards,

WenJun Zhang

Microsoft Online Community Support


This posting is provided "AS IS" with no warranties, and confers no rights.

benb

2006-08-04, 1:37 pm

WenJun,

Here is the TRACE details, below are the details for a GET (wasn't sure if
it mattered which I used)

started....
WWWConnect::Connect("appserver","80")\n
IP = "192.168.254.5:80"\n
source port: 2582\r\n
SEC_I_CONTINUE_NEEDED - InitializeSecurityContext\n
REQUEST: **************\n
TRACE /WSUSadmin HTTP/1.1\r\n
Host: appserver\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: NTLM
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAA
AAAFAs4OAAAADw==\r\n
\r\n
RESPONSE: **************\n
HTTP/1.1 401 Unauthorized\r\n
Content-Length: 1037\r\n
Content-Type: text/html\r\n
Server: Microsoft-IIS/6.0\r\n
WWW-Authenticate: NTLM [base64 token removed]\r\n
X-Powered-By: ASP.NET\r\n
Date: Fri, 04 Aug 2006 13:43:12 GMT\r\n
\r\n
SEC_E_OK - InitializeSecurityContext\n
\r\n
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >\r\n
<html>\r\n
\t<head>\r\n
\t\t<title>Access denied</title>\r\n
\t\t<style type="text/css">\r\n
\r\n
body {\r\n
\tcolor: black;\r\n
\tbackground-color: #F5F5F5;\r\n
\toverflow: auto;\r\n
\tmargin: 0px;\r\n
\tfont-family: Tahoma;\r\n
\tfont-size: 66.6%;\r\n
}\r\n
\r\n
body div.CurrentNavigation {\r\n
\theight: 28px;\r\n
\tline-height: 28px;\r\n
\tcolor: white;\r\n
\tbackground-color: #666F74;\r\n
\tpadding: 0px 10px 0px 10px;\r\n
\tfont-weight: bold;\r\n
}\r\n
\r\n
body div.Content {\r\n
\tpadding: 16px;\r\n
}\r\n
\r\n
body div.Content div.Title {\r\n
\tfont-size: 225%;\r\n
\tfont-family: Franklin Gothic Medium;\r\n
\tmargin-bottom: 5px;\r\n
}\r\n
\r\n
\t\t</style>\r\n
\t</head>\r\n
\t<body>\r\n
\t\t<div class="CurrentNavigation">Windows Server Update Services
error</div>\r\n
\t\t<div class="Content">\r\n
\t\t\t<div class="Title">Access denied</div>\r\n
\t\t\tNetwork policy settings prevent you from accessing this Windows Server
Update Services server.<br /><br />\r\n
\t\t\tIf you believe you have received this message in error, please check
with your system administrator.<br /><br />\r\n
\t\t</div>\r\n
\t</body>\r\n
</html>\r\n
REQUEST: **************\n
TRACE /WSUSadmin HTTP/1.1\r\n
Host: appserver\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: NTLM [base64 token removed]\r\n
\r\n
RESPONSE: **************\n
HTTP/1.1 302 Found\r\n
Date: Fri, 04 Aug 2006 13:43:12 GMT\r\n
Server: Microsoft-IIS/6.0\r\n
X-Powered-By: ASP.NET\r\n
X-AspNet-Version: 1.1.4322\r\n
Location: /WSUSAdmin/Errors/Error.aspx\r\n
Cache-Control: private\r\n
Content-Type: text/html; charset=utf-8\r\n
Content-Length: 2645\r\n
\r\n
<!doctype html public "-//w3c//dtd html 4.0 transitional//en" >\n
<html>\n
<head>\n
<title>Windows Server Update Services error</title>\n
<link rel="stylesheet" type="text/css"
href="/WsusAdmin/Common/Common.css">\n
<script language="JScript" type="text/javascript"
src="/WsusAdmin/Common/Common.js"></script>\n
<script language="JScript" type="text/javascript">\n
function InitializeErrorPage()\n
{\n
try\n
{\n
if(!TopFrame.SiteProperlyInitialized) // If site wasn't properly
initialized (got to site without going to home page first), go to home
page\n
{\n
TopFrame.Banner.TabHome.click();\n
}\n
}catch(e){}\n
}\n
</script>\n
<script language="JScript" type="text/javascript">\n
function ShowErrorDetails()\n
{\n
Details.parentElement.style.height = "100%";\n
Details.previousSibling.style.display = "block";\n
DetailsButton.disabled = true;\n
ResizeDialog();\n
}\n
</script>\n
</head>\n
<body onload=" Initialize();InitializeErrorPage();Close
WaitDialog();"
class="Content">\n
<table cellspacing="0" style="width: 100%;height: 100%;"
class="UserFontSize">\n
<tr>\n
<td style="vertical-align: top;">\n
<div class="Introduction">Windows Server Update Services
encountered an error. </div>\n
<div id="Summary" class="Content" style="padding-bottom:
11px;">Thread was being aborted.</div>\n
<button id="DetailsButton" onclick="ShowErrorDetails();"
style="margin-left: 9px;">Show Details</button><br /><br />\n
</td>\n
</tr>\n
<tr>\n
<td class="ErrorDetails">\n
<div class="SectionHeader">Details</div>\n
<textarea id="Details" contenteditable="false"
wrap="off">System.Threading.ThreadAbortException: Thread was being
aborted.\r\n
at System.Threading.Thread.AbortInternal()\r\n
at System.Threading.Thread.Abort(Object stateInfo)\r\n
at System.Web.HttpResponse.End()\r\n
at System.Web.HttpResponse.Redirect(String url, Boolean endResponse)\r\n
at System.Web.HttpResponse.Redirect(String url)\r\n
at Administration.Errors.ErrorRedirect.Page_Load(Object sender, EventArgs
e)\n
\n
at System.Threading.Thread.AbortInternal()\r\n
at System.Threading.Thread.Abort(Object stateInfo)\r\n
at System.Web.HttpResponse.End()\r\n
at System.Web.HttpResponse.Redirect(String url, Boolean endResponse)\r\n
at System.Web.HttpResponse.Redirect(String url)\r\n
at Administration.Errors.ErrorRedirect.Page_Load(Object sender, EventArgs
e)</textarea>\n
</td>\n
</tr>\n
</table>\n
</body>\n
</html>
finished.

=============
GET
=============

started....
Reusing existing connection (source port 2584)\n
SEC_I_CONTINUE_NEEDED - InitializeSecurityContext\n
REQUEST: **************\n
GET /WSUSadmin HTTP/1.1\r\n
Host: appserver\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: NTLM
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAA
AAAFAs4OAAAADw==\r\n
\r\n
RESPONSE: **************\n
HTTP/1.1 401 Unauthorized\r\n
Content-Length: 1037\r\n
Content-Type: text/html\r\n
Server: Microsoft-IIS/6.0\r\n
WWW-Authenticate: NTLM [base64 token removed]\r\n
X-Powered-By: ASP.NET\r\n
Date: Fri, 04 Aug 2006 13:48:17 GMT\r\n
\r\n
SEC_E_OK - InitializeSecurityContext\n
\r\n
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >\r\n
<html>\r\n
\t<head>\r\n
\t\t<title>Access denied</title>\r\n
\t\t<style type="text/css">\r\n
\r\n
body {\r\n
\tcolor: black;\r\n
\tbackground-color: #F5F5F5;\r\n
\toverflow: auto;\r\n
\tmargin: 0px;\r\n
\tfont-family: Tahoma;\r\n
\tfont-size: 66.6%;\r\n
}\r\n
\r\n
body div.CurrentNavigation {\r\n
\theight: 28px;\r\n
\tline-height: 28px;\r\n
\tcolor: white;\r\n
\tbackground-color: #666F74;\r\n
\tpadding: 0px 10px 0px 10px;\r\n
\tfont-weight: bold;\r\n
}\r\n
\r\n
body div.Content {\r\n
\tpadding: 16px;\r\n
}\r\n
\r\n
body div.Content div.Title {\r\n
\tfont-size: 225%;\r\n
\tfont-family: Franklin Gothic Medium;\r\n
\tmargin-bottom: 5px;\r\n
}\r\n
\r\n
\t\t</style>\r\n
\t</head>\r\n
\t<body>\r\n
\t\t<div class="CurrentNavigation">Windows Server Update Services
error</div>\r\n
\t\t<div class="Content">\r\n
\t\t\t<div class="Title">Access denied</div>\r\n
\t\t\tNetwork policy settings prevent you from accessing this Windows Server
Update Services server.<br /><br />\r\n
\t\t\tIf you believe you have received this message in error, please check
with your system administrator.<br /><br />\r\n
\t\t</div>\r\n
\t</body>\r\n
</html>\r\n
REQUEST: **************\n
GET /WSUSadmin HTTP/1.1\r\n
Host: appserver\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: NTLM [base64 token removed]\r\n
\r\n
RESPONSE: **************\n
HTTP/1.1 301 Moved Permanently\r\n
Content-Length: 150\r\n
Content-Type: text/html\r\n
Location: http://appserver/WSUSadmin/\r\n
Server: Microsoft-IIS/6.0\r\n
X-Powered-By: ASP.NET\r\n
Date: Fri, 04 Aug 2006 13:48:17 GMT\r\n
\r\n
<head><title>Document Moved</title></head>\n
<body><h1>Object Moved</h1>This document may be found <a
HREF="http://appserver/WSUSadmin/">here</a></body>
finished.


WenJun Zhang[msft]

2006-08-07, 1:25 pm

Hi Ben,

I saw NTLM works according to the trace. At least, the authentication is
passed between IIS and the client. Now it looks like this is probably a
Kerberos auth related issue.

Please go to the problematic client, open its IE Internet
Options->Advanced, make sure the 'Enable Integrated Windows Authentication'
option isn't selected. In this case, IE will use NTLM to perform Integrated
auth with IIS instead of Kerberos protocol. See if this will let the SUS
site work from now.

If it works, this means Kerberos authentication fails in your domain. You
have to ping our Windows AD group to help on Kerberos side troubleshooting.
Do you have a proper Kerberos Domain Controller(KDC) set in the domain?

Thanks.

Best Regards,

WenJun Zhang

Microsoft Online Community Support


This posting is provided "AS IS" with no warranties, and confers no rights.
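
The reasoning in the post above (the WFetch trace shows the NTLM handshake completing, while the Event ID 529 entry posted earlier names Kerberos as the authentication package) can be checked mechanically. The following is an added example, not part of the original thread or of any Microsoft tool; the function names are hypothetical, and the trace sample is a constructed skeleton of the posted GET trace with placeholder tokens.

```python
import re

# Constructed sample: the request/response skeleton of the GET trace posted in
# the thread, with the base64 NTLM tokens replaced by placeholders.
SAMPLE_TRACE = r"""
REQUEST: **************\n
GET /WSUSadmin HTTP/1.1\r\n
Host: appserver\r\n
Authorization: NTLM <type1-token>\r\n
\r\n
RESPONSE: **************\n
HTTP/1.1 401 Unauthorized\r\n
Server: Microsoft-IIS/6.0\r\n
WWW-Authenticate: NTLM <type2-token>\r\n
\r\n
REQUEST: **************\n
GET /WSUSadmin HTTP/1.1\r\n
Host: appserver\r\n
Authorization: NTLM <type3-token>\r\n
\r\n
RESPONSE: **************\n
HTTP/1.1 301 Moved Permanently\r\n
Location: http://appserver/WSUSadmin/\r\n
\r\n
"""

# Abridged copy of the Event ID 529 entry posted in the thread.
SAMPLE_EVENT = r"""
Event Type: Failure Audit
Event ID: 529
User: NT AUTHORITY\SYSTEM
Reason: Unknown user name or bad password
User Name:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Source Network Address: 192.168.0.50
"""


def clean_line(line):
    """Drop the literal '\\r\\n' / '\\n' markers WFetch prints at line ends."""
    return re.sub(r"(\\r)?\\n$", "", line.strip())


def parse_trace(text):
    """Return one dict per REQUEST/RESPONSE pair: method, path, auth, status, challenges."""
    exchanges, section, first = [], None, False
    for raw in text.splitlines():
        line = clean_line(raw)
        if line.startswith("REQUEST:"):
            exchanges.append({"method": None, "path": None, "auth": None,
                              "status": None, "challenges": []})
            section, first = "request", True
        elif line.startswith("RESPONSE:") and exchanges:
            section, first = "response", True
        elif section and first:
            parts = line.split()
            if len(parts) < 2:
                continue  # wait for the request line or status line
            if section == "request":
                exchanges[-1]["method"], exchanges[-1]["path"] = parts[0], parts[1]
            elif parts[1].isdigit():
                exchanges[-1]["status"] = int(parts[1])
            first = False
        elif section and not line:
            section = None  # blank line ends the headers; bodies are ignored
        elif section:
            name, _, value = line.partition(":")
            scheme = value.split()[0] if value.split() else ""
            if section == "request" and name.lower() == "authorization":
                exchanges[-1]["auth"] = scheme
            elif section == "response" and name.lower() == "www-authenticate":
                exchanges[-1]["challenges"].append(scheme)
    return exchanges


def ntlm_handshake_completed(exchanges):
    """True if a 401 NTLM challenge is followed by an NTLM request that is not rejected."""
    for challenge, final in zip(exchanges, exchanges[1:]):
        if (challenge["auth"] == "NTLM" and challenge["status"] == 401
                and "NTLM" in challenge["challenges"]
                and final["auth"] == "NTLM" and final["status"] not in (None, 401)):
            return True
    return False


def parse_event(text):
    """Split 'Field: value' lines of a Security log entry into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_kerberos_network_failure(event):
    """Event 529, network logon (type 3), Kerberos authentication package."""
    return (event.get("Event ID") == "529" and event.get("Logon Type") == "3"
            and event.get("Authentication Package") == "Kerberos")


def diagnose(trace_text, event_text):
    ntlm_ok = ntlm_handshake_completed(parse_trace(trace_text))
    krb_fail = is_kerberos_network_failure(parse_event(event_text))
    if ntlm_ok and krb_fail:
        return "NTLM succeeds; failures are on the Kerberos path"
    if krb_fail:
        return "Kerberos failure logged; NTLM not shown to succeed"
    if ntlm_ok:
        return "NTLM succeeds; no Kerberos failure event supplied"
    return "inconclusive"
```

The parser also tolerates the wrapped token lines of the original paste, because it only reads the scheme name that follows the header name.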



benb

2006-08-08, 7:27 am

Hi WenJun,

That fixed the problem, after turning off the 'Enable Integrated Windows
Authentication' option in IE the WSUS site works.

We are running 2 Windows 2003 domain controllers, so Kerberos should work, I
don't think we've had any other problems flagged, there don't seem to be any
Kerberos related events in any of the event logs.

How do I troubleshoot Kerberos related issues in IIS 6? I've read
support.microsoft.com/kb/326985 but that's for troubleshooting IIS 4 & 5.
Will the same principles work?

I will post a topic to the Windows AD group, but I'm not too sure what to
ask, as I have no error codes or messages to go on.

Many thanks

Ben





WenJun Zhang[msft]

2006-08-09, 1:27 pm

Hi Ben,

You can launch WebFetch again and set the auth type to Kerberos to
reproduce an authentication error. Then open event viewer security log on
the server. Generally you should see logon failure events in it with
detailed logon parameters and error code.

You can then post the error events to our Windows AD group for assistance.
Thanks.

Best Regards,

WenJun Zhang

Microsoft Online Community Support


This posting is provided "AS IS" with no warranties, and confers no rights.

