Kerberos from XP to IIS hosting ASP.NET 2.0 Web Service help
am 06.04.2006 23:41:01 von BrianCobb
I am trying to get Basic Kerberos Auth to work.
The client, middle-tier, and back-end servers are all in the same Windows
2000 functional level domain. All 3 are trusted for delegation. The account
used for testing has domain admin privileges on the domain, and admin
privileges on all 3 boxes. The account is also marked as being trusted for
delegation.
The client is an XP machine.
The middle-tier is Win2003SE running IIS6 and MDAC2.7. The website is named
irr.uams.edu, which differs from the computer name, OAC3. These SPNs are
registered on the server:
HOST/irr.uams.edu
HTTP/OAC3.vcaa.ad.uams.edu
HTTP/OAC3
HTTP/irr.uams.edu
SMTPSVC/OAC3.vcaa.ad.uams.edu
SMTPSVC/OAC3
HOST/OAC3
HOST/OAC3.vcaa.ad.uams.edu
The folder hosting the web service is only accessible via Integrated Auth
and anonymous access is disabled. IIS is running under the SYSTEM account.
The local security policy allows SYSTEM to Act as part of the operating
system and to impersonate a client after authentication.
I have tested connecting with an ASP.NET 2.0 console application and IE6
from the client machine.
When I code the console app to use Negotiate authentication, I fail to
connect to the SQL server with the message "Login failed for user NT
AUTHORITY/Anonymous". In addition, the files captured by Network Monitor have
these entries generated by the exchange between client and IIS box:
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
When I code the console app to use Kerberos I always get a 401 unauthorized
error and the same headers. I have also tried using IE6 (Integrated
Authentication turned on, irr.uams.edu in the local intranet zone, etc.) with
the same results.
Servers are all within 5 minutes of each other and the DC. Net engineering
tells me that Kerberos is not blocked. Any ideas on what else I should check
are appreciated.
Thanks.
Re: Kerberos from XP to IIS hosting ASP.NET 2.0 Web Service help
am 07.04.2006 05:16:57 von Ken Schaefer
Some things that weren't mentioned in your post:
a) What user account is the web application pool running under? If it is
running under a custom account, you need to register an SPN under that
account, not the computer account in AD.
b) What SPNs do you have registered for the *SQL Server*? What user account
is SQL Server running under? What port?
c) Looking in the IIS server's security event log, have you verified that
the actual logon is using Kerberos? Or is it using NTLM?
Cheers
Ken
--
IIS Blog: http://www.adOpenStatic.com/cs/blogs/ken
Re: Kerberos from XP to IIS hosting ASP.NET 2.0 Web Service help
am 07.04.2006 19:30:02 von BrianCobb
Thank you for your response.
The application pool is running under the local system account.
The SQL SPNs are:
MSSQLSvc/OAC2:1433
MSSQLSvc/OAC2.vcaa.ad.uams.edu:1433
MSOLAPSvc/OAC2
MSOLAPSvc/OAC2.vcaa.ad.uams.edu
SMTPSVC/OAC2
SMTPSVC/OAC2.vcaa.ad.uams.edu
HOST/OAC2
HOST/OAC2.vcaa.ad.uams.edu
The SQL service is NOT running under local system. Instead it is using a
local account. I don't think this is a problem, though (yet). I also
neglected to mention in my first mail that the web app attempts to open a
connection on the SQL server. It is at that point I see the "Login failed
for user NT AUTHORITY/Anonymous" message. Maybe I'm misinterpreting what's
happening, but it seems that I am authenticating to the webservice as an
Anonymous user. And an anonymous user can't open a db connection because he has
no db rights. Should I replace my local account on the SQL box with a domain
account?
I'm not sure which account you mean in item c. If you mean the user login,
it can authenticate only using NTLM. Trying to authenticate via Kerberos
makes the 401 error happen.
Re: Kerberos from XP to IIS hosting ASP.NET 2.0 Web Service help
am 09.04.2006 08:45:52 von Ken Schaefer
Hi,
a) If your MS SQL Server is running under a custom /local/ account, then I'm
not sure how Kerberos authentication is supposed to work. The IIS server
needs to get a Kerberos ticket for the remote service (namely SQL Server).
The ticket needs to be encrypted with a password that the remote SQL Server
can decrypt. If SQL Server is running under a domain account, then the SPN
can be registered under the domain account. If the SQL Server is running
under LocalSystem, then the SPN can be registered under the computer account
in AD. If you are running SQL Server in a workgroup, or under a local
account, I don't think Kerberos is going to work.
b) No, you are not authenticating to IIS as anonymous. What is happening is
that you are authenticating using whatever credentials you have supplied.
However, the next hop (from IIS to SQL Server) is anonymous. This is because
IIS is not able to get an appropriate Kerberos ticket to connect to the
remote server as your user account (remember, IIS doesn't have your
username/password, so it can't just connect as you).
c) If the authentication from XP -> IIS is NTLM, then Kerberos is not going
to work from IIS -> SQL Server. NTLM is not delegatable (i.e. an
authentication by NTLM cannot then be delegated another hop to a remote
service). You need to authenticate using Kerberos between XP and IIS. Get it
working using a web browser first, then let's worry about how to get your
application working.
Cheers
Ken
--
IIS Blog: http://www.adOpenStatic.com/cs/blogs/ken
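Ken's three points (who owns the SPN, which key the service actually holds, and NTLM not being forwardable) as an added Python model of the two hops in this thread; this is an illustration written for this page, not code from the posts. The SPN lists are the ones Brian posted; the service account name svc_sql and the user brian are assumptions, and KDC/SSPI behaviour is reduced to the rules Ken describes.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class Principal:
    """AD account that can own SPNs; its password is the key service tickets are sealed with."""
    name: str
    trusted_for_delegation: bool = False
    spns: Set[str] = field(default_factory=set)

@dataclass
class Service:
    """A running service: the SPN a client will request for it, and the AD principal whose
    key it holds. runs_as=None models a local (non-domain) account: no key exists in AD."""
    spn: str
    runs_as: Optional[Principal]

def spn_owner(principals, spn):
    """KDC lookup: the one principal that has this SPN registered (None if nobody has it)."""
    owners = [p for p in principals if spn in p.spns]
    if len(owners) > 1:
        raise ValueError(f"duplicate SPN {spn} on {[p.name for p in owners]}")
    return owners[0] if owners else None

def hop(principals, service, caller):
    """Mechanism one hop ends up using. caller is the identity the requester can present
    with a Kerberos ticket, or None when it only holds a non-forwardable (NTLM) logon."""
    if caller is None:
        return "anonymous"
    owner = spn_owner(principals, service.spn)
    if owner is None or service.runs_as is not owner:
        return "ntlm"  # no ticket, or a ticket the service cannot decrypt: Negotiate falls back
    return "kerberos"

def double_hop(principals, user, front, back):
    """Client -> front (IIS) -> back (SQL). Returns (hop-1 mechanism, identity seen by back)."""
    first = hop(principals, front, user)
    forwardable = first == "kerberos" and front.runs_as.trusted_for_delegation
    second = hop(principals, back, user if forwardable else None)
    return first, (user if second == "kerberos" else "anonymous")

def scenario(sql_runs_as_domain_account):
    """The thread's setup. SPN lists are the ones posted; account names are constructed."""
    oac3 = Principal("OAC3$", True, {"HOST/OAC3", "HOST/OAC3.vcaa.ad.uams.edu", "HTTP/OAC3",
                                     "HTTP/OAC3.vcaa.ad.uams.edu", "HTTP/irr.uams.edu",
                                     "HOST/irr.uams.edu"})
    oac2 = Principal("OAC2$", spns={"HOST/OAC2", "HOST/OAC2.vcaa.ad.uams.edu"})
    sql_spns = {"MSSQLSvc/OAC2:1433", "MSSQLSvc/OAC2.vcaa.ad.uams.edu:1433"}
    principals = [oac3, oac2]
    if sql_runs_as_domain_account:
        svc = Principal("svc_sql", True, sql_spns)  # the fix Brian applied (hypothetical name)
        principals.append(svc)
    else:
        oac2.spns |= sql_spns  # SPNs sit on the computer account, but SQL runs as a local account
        svc = None
    iis = Service("HTTP/irr.uams.edu", runs_as=oac3)  # app pool as SYSTEM holds the OAC3$ key
    sql = Service("MSSQLSvc/OAC2.vcaa.ad.uams.edu:1433", runs_as=svc)
    return double_hop(principals, "brian", iis, sql)

if __name__ == "__main__":
    print("local SQL account :", scenario(False))  # ('kerberos', 'anonymous')
    print("domain SQL account:", scenario(True))   # ('kerberos', 'brian')
```

Moving the MSSQLSvc SPNs off OAC2$ in the fixed scenario matters: leaving them on both accounts is the duplicate-SPN case spn_owner rejects, which on a real KDC also breaks ticket issuance.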
Re: Kerberos from XP to IIS hosting ASP.NET 2.0 Web Service help
am 10.04.2006 16:35:02 von BrianCobb
Thanks for your response.
It is an issue with the SQL server running under a local account. Changing
to a domain account trusted for delegation and configuring SPNs for SQL under
the account allowed the console app to work.