Kerberos and ASP NET application

on 15.04.2008 13:36:34 by dragonsjmd

Hi All

First time poster to this group, and this is my first experience
looking into the intricacies of Kerberos.

Anyway, I've developed a vanilla asp .net application. It has a web
tier which connects to a web service which talks with the SQL server -
a very standard set-up. I have set the web application to use
integrated authentication and hence Kerberos, as retrieving the
information requires two hops.

I have set up IIS and the web config files as recommended by Microsoft
(and confirmed across the web). I have set the service principals and
set the delegations correctly. And I was very pleased with myself
when the application worked as expected from my machine. I was also
very happy when it worked from my boss's machine. I wasn't so happy
when it didn't work from my customer's machine (all on the same
network).

That's when my adventure in Kerberos, and pain, began. In a nutshell,
some machines authenticate using Kerberos, while others default to
NTLM and the SQL server won't (rightly) let them in (ERROR message
is : Login failed for user '(null)'. Reason: Not associated with a
trusted SQL Server connection.). We even had the great test case of a
user with 2 similarly configured machines being able to connect
successfully with one but not the other!! Sigh.

As further background:

client is IE7 on Win XP SP2 - and "enable integrated authentication"
is selected;
web server is on a virtual server running Windows 2003;
app server is also on this server (for now);
SQL server is SQL 2000 on a Win 2003 box.

Now I've tried everything I can glean from the web to see what the
differences between the 2 machines are - and I have come up with
nothing. ZIP. Everything seems to be in order, but obviously
something isn't!! I have run some limited packet sniffing, but that
isn't really my forte - using Netmon, I could see that there was a
Kerberos error (the error code was 0x3e - KDC_ERR_CLIENT_NOT_TRUSTED,
but that didn't really give me much to go on). I have compared
workstations and accounts in active directory, with no success. I
have compared IE7 properties - nothing.

Has anyone ever had this sort of problem before - i.e. Kerberos seems to
work for some workstations but not others? Or can anyone suggest some
diagnostics or something that I can run that might lead me down the
right track?

I'm nearing breaking point on this one - am even taking the day off
tomorrow to go fishing to see if something comes up ;-)

Cheers and grateful for ANY help or advice.

James

Re: Kerberos and ASP NET application

on 18.04.2008 04:18:17 by Ken Schaefer

Are all the machines in the same domain?

Cheers
Ken


wrote in message
news:0ca5054e-b2b5-4cd6-96e0-d5c37d727025@s13g2000prd.googlegroups.com...
> Hi All
>
> First time poster to this group, and this is my first experience
> looking into the intricacies of Kerberos.
>
> Anyway, I've developed a vanilla asp .net application. It has a web
> tier which connects to a web service which talks with the SQL server -
> a very standard set-up. I have set the web application to use
> integrated authentication and hence Kerberos, as retrieving the
> information requires two hops.
>
> I have set up IIS and the web config files as recommended by Microsoft
> (and confirmed across the web). I have set the service principals and
> set the delegations correctly. And I was very pleased with myself
> when the application worked as expected from my machine. I was also
> very happy when it worked from my boss's machine. I wasn't so happy
> when it didn't work from my customer's machine (all on the same
> network).
>
> That's when my adventure in Kerberos, and pain, began. In a nutshell,
> some machines authenticate using Kerberos, while others default to
> NTLM and the SQL server won't (rightly) let them in (ERROR message
> is : Login failed for user '(null)'. Reason: Not associated with a
> trusted SQL Server connection.). We even had the great test case of a
> user with 2 similarly configured machines being able to connect
> successfully with one but not the other!! Sigh.
>
> As further background:
>
> client is IE7 on Win XP SP2 - and "enable integrated authentication"
> is selected;
> web server is on a virtual server running Windows 2003;
> app server is also on this server (for now);
> SQL server is SQL 2000 on a Win 2003 box.
>
> Now I've tried everything I can glean from the web to see what the
> differences between the 2 machines are - and I have come up with
> nothing. ZIP. Everything seems to be in order, but obviously
> something isn't!! I have run some limited packet sniffing, but that
> isn't really my forte - using Netmon, I could see that there was a
> Kerberos error (the error code was 0x3e - KDC_ERR_CLIENT_NOT_TRUSTED,
> but that didn't really give me much to go on). I have compared
> workstations and accounts in active directory, with no success. I
> have compared IE7 properties - nothing.
>
> Has anyone ever had this sort of problem before - i.e. Kerberos seems to
> work for some workstations but not others? Or can anyone suggest some
> diagnostics or something that I can run that might lead me down the
> right track?
>
> I'm nearing breaking point on this one - am even taking the day off
> tomorrow to go fishing to see if something comes up ;-)
>
> Cheers and grateful for ANY help or advice.
>
> James

Re: Kerberos and ASP NET application

on 21.04.2008 02:17:17 by dragonsjmd

Thanks for the response Ken. Yes they are all on the same domain.

Further investigative work last week revealed something which may be
important: basically, Kerberos operates as expected from one specific
make of machines on our network - other machines, with a different
build, fail.

I have my suspicions that it might be a difference between these two
builds that is causing the problem. Is there any way to analyse this
- for example, comparing the local security policies of the two
different builds, or any other LOCAL settings that might be
applicable - can local settings cause this problem and if so, what
would be the best places to check? I've been on a few wild goose
chases with this issue already and am looking forward to resolving it!

Cheers

James

Re: Kerberos and ASP NET application

on 21.04.2008 14:53:04 by DaveMo

On Apr 20, 5:17 pm, dragons...@gmail.com wrote:
> Thanks for the response Ken. Yes they are all on the same domain.
>
> Further investigative work last week revealed something which may be
> important: basically, Kerberos operates as expected from one specific
> make of machines on our network - other machines, with a different
> build, fail.
>
> I have my suspicions that it might be a difference between these two
> builds that is causing the problem. Is there any way to analyse this
> - for example, comparing the local security policies of the two
> different builds, or any other LOCAL settings that might be
> applicable - can local settings cause this problem and if so, what
> would be the best places to check? I've been on a few wild goose
> chases with this issue already and am looking forward to resolving it!
>
> Cheers
>
> James

James,

Are the users of these machines using smart cards to log on? I suspect
not, but CLIENT_NOT_TRUSTED is the typical error code for an untrusted CA
when using PKINIT.

It sounds like the KDC doesn't like these machines that are giving you
problems, but a couple more data points wouldn't hurt.

- If you look in the event logs and find the logon events, what
package is referenced?
- Install the Windows Resource Kit on one of the problem machines and
try running klist or kerbtray. Are there any Kerb tickets?

Dave
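Dave's first data point (which authentication package the logon events reference) can be collected for every client at once rather than by reading the log by hand. The script below is an added example, not code from the thread; it assumes the web server records Security event 4624 (Vista/2008 and later), whereas a Windows 2003 server like the one in the thread logs the equivalent "Successful Network Logon" as event 540 with the same "Authentication Package" field.

```powershell
# Added example: summarise, per client workstation, whether logons to this
# IIS server arrived as Kerberos or NTLM. Run on the web server as an
# administrator. Assumes Security event ID 4624 (Windows 2003 uses 540).
param(
    [int]$MaxEvents = 5000,
    [string]$LogonType = '3'   # 3 = network logon, which IIS integrated auth produces
)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                       -MaxEvents $MaxEvents -ErrorAction Stop

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML into a hashtable
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    if ($d['LogonType'] -ne $LogonType) { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Workstation = $d['WorkstationName']          # client name (often empty for Kerberos)
        SourceIP    = $d['IpAddress']
        Package     = $d['AuthenticationPackageName'] # 'Kerberos' or 'NTLM'
        LmPackage   = $d['LmPackageName']             # NTLM variant (V1/V2), '-' for Kerberos
    }
}

# One line per client: a client that shows only NTLM is the one to compare
# against a working build (SPN resolution, time skew, local security policy).
$rows | Group-Object SourceIP | ForEach-Object {
    $kerb = @($_.Group | Where-Object { $_.Package -eq 'Kerberos' }).Count
    $ntlm = @($_.Group | Where-Object { $_.Package -eq 'NTLM' }).Count
    [pscustomobject]@{
        SourceIP    = $_.Name
        Workstation = ($_.Group | Where-Object { $_.Workstation } | Select-Object -First 1).Workstation
        Kerberos    = $kerb
        NTLM        = $ntlm
        LastSeen    = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
    }
} | Sort-Object NTLM -Descending | Format-Table -AutoSize
```

Pair the output with Dave's second check on a failing client (klist on the workstation): a client that falls back to NTLM here and holds no service ticket for the web server's HTTP SPN narrows the fault to ticket acquisition on that build rather than to IIS or SQL delegation.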