#1: Kerberos and ASP NET application

Posted on 2008-04-15 13:36:34 by dragonsjmd

Hi All

First time poster to this group, and this is my first experience
looking into the intricacies of Kerberos.

Anyway, I've developed a vanilla asp .net application. It has a web
tier which connects to a web service which talks with the SQL server -
a very standard set-up. I have set the web application to use
integrated authentication and hence Kerberos, as retrieving the
information requires two hops.

I have set up IIS and the web config files as recommended by microsoft
(and confirmed across the web). I have set the service principals and
set the delegations correctly. And I was very pleased with myself
when the application worked as expected from my machine. I was also
very happy when it worked from my boss's machine. I wasn't so happy
when it didn't work from my customer's machine (all on the same
network).

That's when my adventure in Kerberos, and pain, began. In a nutshell,
some machines authenticate using Kerberos, while others default to
NTLM and the SQL server won't (rightly) let them in (ERROR message
is : Login failed for user '(null)'. Reason: Not associated with a
trusted SQL Server connection.). We even had the great test case of a
user with 2 similarly configured machines being able to connect
successfully with one but not the other!! Sigh.

As further background:

- client is IE7 on Win XP SP2, with "enable integrated authentication"
  selected;
- web server is on a virtual server running Windows 2003;
- app server is also on this server (for now);
- SQL server is SQL 2000 on a Win 2003 box.

Now I've tried everything I can glean from the web to see what the
differences between the 2 machines are - and I have come up with
nothing. ZIP. Everything seems to be in order, but obviously
something isn't!! I have run some limited packet sniffing, but that
isn't really my forte - using Netmon, I could see that there was a
Kerberos error (the error code was 0x3e - KDC_ERR_CLIENT_NOT_TRUSTED,
but that didn't really give me much to go on). I have compared
workstations and accounts in active directory, with no success. I
have compared IE7 properties - nothing.

Has anyone ever had this sort of problem before - ie Kerberos seems to
work for some workstations but not others? Or can anyone suggest some
diagnostics or something that I can run that might lead me down the
right track?

I'm nearing breaking point on this one - am even taking the day off
tomorrow to go fishing to see if something comes up ;-)

Cheers and grateful for ANY help or advice.

James


#2: Re: Kerberos and ASP NET application

Posted on 2008-04-18 04:18:17 by Ken Schaefer

Are all the machines in the same domain?

Cheers
Ken


<dragonsjmd@gmail.com> wrote in message
news:0ca5054e-b2b5-4cd6-96e0-d5c37d727025@s13g2000prd.googlegroups.com...
> [quoted text of message #1 omitted]


#3: Re: Kerberos and ASP NET application

Posted on 2008-04-21 02:17:17 by dragonsjmd

Thanks for the response Ken. Yes they are all on the same domain.

Further investigative work last week revealed something which may be
important: basically, Kerberos operates as expected from one specific
make of machines on our network - other machines, with a different
build, fail.

I have my suspicions that it might be a difference between these two
builds that is causing the problem. Is there any way to analyse this
- for example, comparing the local security policies of the two
different builds, or any other LOCAL settings that might be
applicable - can local settings cause this problem and if so, what
would be the best places to check? I've been on a few wild goose
chases with this issue already and am looking forward to resolving it!

Cheers

James


#4: Re: Kerberos and ASP NET application

Posted on 2008-04-21 14:53:04 by DaveMo

On Apr 20, 5:17 pm, dragons...@gmail.com wrote:
> [quoted text of message #3 omitted]

James,

Are the users of these machines using smart cards to log on? I suspect
not, but CLIENT_NOT_TRUSTED is the typical error code for untrusted CA
using PKINIT.

It sounds like the KDC doesn't like these machines that are giving you
problems, but a couple more data points wouldn't hurt.

- If you look in the event logs and find the logon events, what
package is referenced?
- Install the Windows Resource Kit on one of the problem machines and
try running klist or kerbtray. Are there any Kerb tickets?

Dave

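The first of Dave's two data points (which authentication package the logon events on the server reference) can be collected for every client at once rather than by reading events one by one. The script below is an added example for this thread, not something posted by James or Dave. It assumes a Security log in the Vista/2008-and-later format (event 4624 with named EventData fields); on the Windows 2003 server in the thread the equivalent is event 540 read via Get-EventLog, whose message text carries the same "Authentication Package" field. Run it on the web server (or the SQL server) to see which workstations arrive with Kerberos and which arrive with NTLM:

```powershell
# Added example (not from the thread): tally the authentication package
# (Kerberos vs NTLM) per source workstation for network logons to this host.
# Assumes event 4624 / Get-WinEvent (Vista/2008+); see lead-in for 2003.
param(
    [int]$MaxEvents = 5000,   # assumption: enough history for a busy server
    [int]$Hours     = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Successful logons in the window; filtered to LogonType 3 (network) below,
# because that is what IIS and SQL Server record for remote clients.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $since
} -MaxEvents $MaxEvents -ErrorAction Stop

# Pull a named EventData field out of the event XML instead of relying on
# property positions, which differ between Windows versions.
function Get-EventField {
    param(
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$rows = foreach ($e in $events) {
    if ((Get-EventField $e 'LogonType') -ne '3') { continue }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = Get-EventField $e 'TargetUserName'
        Workstation = Get-EventField $e 'WorkstationName'
        IpAddress   = Get-EventField $e 'IpAddress'
        Package     = Get-EventField $e 'AuthenticationPackageName'  # Kerberos / NTLM
        LmPackage   = Get-EventField $e 'LmPackageName'              # e.g. NTLM V2 when NTLM was used
    }
}

# One line per workstation+package. A workstation that only ever shows NTLM
# here never presented a Kerberos service ticket to this host, which is the
# symptom James describes; those are the machines to run klist on.
$rows | Group-Object Workstation, Package | ForEach-Object {
    [pscustomobject]@{
        Workstation = $_.Group[0].Workstation
        Package     = $_.Group[0].Package
        Logons      = $_.Count
        LastSeen    = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        Users       = ($_.Group | ForEach-Object { $_.User } | Sort-Object -Unique) -join ','
    }
} | Sort-Object Workstation, Package | Format-Table -AutoSize

# Second data point, on a suspect client: list cached tickets. klist ships
# with Vista/2008 and later (Resource Kit on XP/2003, as Dave notes). A client
# that fell back to NTLM will typically show a TGT (krbtgt/...) but no service
# ticket for the web server's SPN (HTTP/<webserver FQDN>, placeholder).
#   klist tickets
```

Reading the table: a workstation that appears with both packages is negotiating correctly and merely hit a non-Kerberos path once (for example an IP-address URL); one that appears only under NTLM is a candidate for the per-build comparison James describes in message #3, and the klist output on that machine shows whether the failure is in obtaining the service ticket at all (no ticket for the HTTP SPN) or in presenting it.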