Service principal name (SPN) / Active Directory Problem

On 15.05.2006 23:53:02 by rcarbol

I'm having problems getting a web application working -- it's throwing a 403
error.

I ran AuthDiag to determine what was wrong, and it's giving me the message:

Service principal name (SPN) for user 'DOMAIN\MACHINE_asp' not found in
Active Directory

Is there something I can run (preferably from the command line) to add this
MACHINE_asp user into Active Directory?

--
Thanks.

Re: Service principal name (SPN) / Active Directory Problem

On 16.05.2006 08:06:02 by Ken Schaefer

You should not add SPNs unless there is a need to do so.

Firstly, what are the relevant log file entries for the requests in question
(assuming IIS 6.0)?

Secondly, after you disable "Show Friendly HTTP Errors" in IE, and reload
the page, what is the full error message you see on the screen? 403 errors
can occur for lots of reasons - we need to find out which one is the real
underlying cause.

Basically an SPN (Service Principal Name) allows Kerberos Authentication to
work - it allows Active Directory to create service tickets for particular
services, and allows the remote service to decrypt the ticket. However,
adding additional SPNs can also break Kerberos AuthN, because Active
Directory does not know who the end user account is. So, don't add any
unless necessary.

Cheers
Ken

"RCarbol" wrote in message
news:74CC07B1-C59B-4299-956A-70C6A494E2FE@microsoft.com...
> I'm having problems getting a web application working -- it's throwing a
> 403
> error.
>
> I ran AuthDiag to determine what was wrong, and it's giving me the
> message:
>
> Service principal name (SPN) for user 'DOMAIN\MACHINE_asp' not found in
> Active Directory
>
> Is there something I can run (preferably from the command line) to add
> this
> MACHINE_asp user into Active Directory?
>
> --
> Thanks.

Re: Service principal name (SPN) / Active Directory Problem

On 16.05.2006 17:47:02 by rcarbol

> Firstly, what are the relevant log file entries for the requests in question
> (assuming IIS 6.0)?

2006-05-16 15:33:57 142.15.29.115 GET /VssAdmin - 80 - 142.15.48.132 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 2 2148074254
2006-05-16 15:33:57 142.15.29.115 GET /VssAdmin - 80 - 142.15.48.132 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 1 0
2006-05-16 15:33:57 142.15.29.115 GET /VssAdmin - 80 - 142.15.48.132 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 1 0
2006-05-16 15:34:06 142.15.29.115 GET /VssAdmin - 80 - 142.15.48.132 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 1 0
2006-05-16 15:34:06 142.15.29.115 GET /VssAdmin - 80 - 142.15.48.132 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 1 0


> Secondly, after you disable "Show Friendly HTTP Errors" in IE, and reload
> the page, what is the full error message you see on the screen? 403 errors
> can occur for lots of reasons - we need to find out which one is the real
> underlying cause.

Sorry, misreported the error earlier -- it's actually a 401.1 error.

This is an intranet site, as you may have gathered.


Thanks again.

Re: Service principal name (SPN) / Active Directory Problem

On 17.05.2006 06:51:39 by Ken Schaefer

Hi,

OK, since we have 401 not 403 errors, we need to follow different
troubleshooting steps.

Can you look in the Windows Security Event Log on the server, and locate the
relevant logon failure events. We need to see what authentication package
(NTLM or Kerberos) is being used. The relevant event should also have some
information on why the logon is failing.

Can you find the relevant event, and paste them here please? Depending on
which AuthN package is being used, we need to troubleshoot that.

Cheers
Ken

"RCarbol" wrote in message
news:9D5FB9E7-B7AF-433A-B9C3-9C209C5715AA@microsoft.com...
>> Firstly, what are the relevant log file entries for the requests in
>> question
>> (assuming IIS 6.0)?
>
> 2006-05-16 15:33:57 142.15.29.115 GET /VssAdmin - 80 - 142.15.48.132 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 2 2148074254
> 2006-05-16 15:33:57 142.15.29.115 GET /VssAdmin - 80 - 142.15.48.132 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 1 0
> 2006-05-16 15:33:57 142.15.29.115 GET /VssAdmin - 80 - 142.15.48.132 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 1 0
> 2006-05-16 15:34:06 142.15.29.115 GET /VssAdmin - 80 - 142.15.48.132 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 1 0
> 2006-05-16 15:34:06 142.15.29.115 GET /VssAdmin - 80 - 142.15.48.132 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 401 1 0
>
>
>> Secondly, after you disable "Show Friendly HTTP Errors" in IE, and reload
>> the page, what is the full error message you see on the screen? 403
>> errors
>> can occur for lots of reasons - we need to find out which one is the real
>> underlying cause.
>
> Sorry, misreported the error earlier -- it's actually a 401.1 error.
>
> This is an intranet site, as you may have gathered.
>
>
> Thanks again.

Re: Service principal name (SPN) / Active Directory Problem

On 17.05.2006 23:06:02 by rcarbol

"Ken Schaefer" wrote:

> Can you look in the Windows Security Event Log on the server, and locate the
> relevant logon failure events. We need to see what authentication package
> (NTLM or Kerberos) is being used. The relevant event should also have some
> information on why the logon is failing.


Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 2006/05/17
Time: 2:59:34 PM
User: NT AUTHORITY\SYSTEM
Computer: WEBTEST3
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 142.15.48.132
Source Port: 1348

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


--RC

Re: Service principal name (SPN) / Active Directory Problem

On 22.05.2006 10:29:47 by wjzhang

Hi,

403 is not an authentication error. We should gather IIS log files to
determine the exact 403 error code (with subcode). This will help you
address the actual problem. Below are all 403.x codes we defined in IIS:

403 - Forbidden. IIS defines a number of different 403 errors that indicate
a more specific cause of the error:
403.1 - Execute access forbidden.
403.2 - Read access forbidden.
403.3 - Write access forbidden.
403.4 - SSL required.
403.5 - SSL 128 required.
403.6 - IP address rejected.
403.7 - Client certificate required.
403.8 - Site access denied.
403.9 - Too many users.
403.10 - Invalid configuration.
403.11 - Password change.
403.12 - Mapper denied access.
403.13 - Client certificate revoked.
403.14 - Directory listing denied.
403.15 - Client Access Licenses exceeded.
403.16 - Client certificate is untrusted or invalid.
403.17 - Client certificate has expired or is not yet valid.
403.18 - Cannot execute requested URL in the current application pool. This
error code is specific to IIS 6.0.
403.19 - Cannot execute CGIs for the client in this application pool. This
error code is specific to IIS 6.0.
403.20 - Passport logon failed. This error code is specific to IIS 6.0.

Please collect the recent log files in \System32\LogFiles\W3SVC[n]\
directory (n here is the Site ID which can be viewed in the right panel by
clicking Web Sites folder in IIS) and paste the records with 403 error
here. Thanks.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no rights.

Re: Service principal name (SPN) / Active Directory Problem

On 24.05.2006 17:12:42 by rcarbol

Sorry, misreported the error earlier -- it's actually a 401.1 error.

Re: Service principal name (SPN) / Active Directory Problem

On 25.05.2006 04:18:45 by Ken Schaefer

Hi,

OK, so we are using Kerberos here. Can you tell me the following details of
your configuration?

a) The URL that is being used to access the web page - are you using
http://servername or http://servername.domain.com? Or are you using some
kind of DNS alias?

b) The website's web application pool: what user context is it being run
under? Is it Network Service? Or a custom user context?

The answers to the two questions above will tell us what SPNs need to be
registered (if any) and under what user/computer accounts.

c) Lastly, can you enable Kerberos logging on the IIS box, and post the
relevant event log entries? Thanks
http://support.microsoft.com/?id=262177


Cheers
Ken


"RCarbol" wrote in message
news:7202FB21-19BF-4DDB-92D5-42861C458E0B@microsoft.com...
> "Ken Schaefer" wrote:
>
>> Can you look in the Windows Security Event Log on the server, and locate
>> the
>> relevant logon failure events. We need to see what authentication package
>> (NTLM or Kerberos) is being used. The relevant event should also have
>> some
>> information on why the logon is failing.
>
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 529
> Date: 2006/05/17
> Time: 2:59:34 PM
> User: NT AUTHORITY\SYSTEM
> Computer: WEBTEST3
> Description:
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name:
> Domain:
> Logon Type: 3
> Logon Process: Kerberos
> Authentication Package: Kerberos
> Workstation Name: -
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transited Services: -
> Source Network Address: 142.15.48.132
> Source Port: 1348
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> --RC
>

Re: Service principal name (SPN) / Active Directory Problem

On 29.05.2006 17:33:42 by rcarbol

I'm still working at this -- I'll let you know the results as soon as I
can.

Re: Service principal name (SPN) / Active Directory Problem

On 30.05.2006 18:33:44 by rcarbol

Ken Schaefer wrote:

> a) The URL that is being used to access the web page - are you using
> http://servername or http://servername.domain.com? Or are you using some
> kind of DNS alias?

We're using http://servername within an intranet. Does it make a
difference?


> b) The website's web application pool: what user context is it being run
> under? Is it Network Service? Or a custom user context?

I think it must be some custom user; the Identity is set to an account
of the form
[domain]\webtest3_asp


> c) Lastly, can you enable Kerberos logging on the IIS box, and post the
> relevant event log entries? Thanks
> http://support.microsoft.com/?id=262177

Done. Two events reported when I tried to hit the website:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 2006/05/30
Time: 10:22:43 AM
User: NT AUTHORITY\SYSTEM
Computer: WEBTEST3
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: [domain]/[my account]
Source Workstation: VE657818
Error Code: 0xC0000064

..

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 2006/05/30
Time: 10:22:43 AM
User: NT AUTHORITY\SYSTEM
Computer: WEBTEST3
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: [domain]/[my account]
Domain:
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: VE657818
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 142.15.48.132
Source Port: 2384




Thanks,
Roger

Re: Service principal name (SPN) / Active Directory Problem

On 31.05.2006 07:00:20 by Ken Schaefer

Hi,

Thanks for the information.

At the very least:
You will need to register SPNs for HTTP/servername and
HTTP/servername.domain.com under the Domain\WebTest3_asp account.
Alternatively you can register the HOST/servername and
HOST/servername.domain.com SPNs.

You can use the SetSPN tool from the Windows Resource Kit to do this:
http://support.microsoft.com/kb/892777

Or you can use ADSIEdit.msc (this is a GUI tool, if you prefer to be able to
see the current SPNs, and just copy the relevant information across):
http://technet2.microsoft.com/WindowsServer/en/Library/ebca3324-5427-471a-bc19-9aa1decd3d401033.mspx?mfr=true

Note: All web applications residing at the location http://servername must
be running in one (or more) app pools that have the same identity
(WebTest3_asp). You can't have apps running in app pools with different
identities (e.g. http://servername/app1 -> WebTest3_asp, and
http://servername/webapp2 running in an app pool under Network Service)

The two events that you see are logon/logoff failure auditing events. You
should have got more events related to Kerberos issues (did you restart the
box after setting the reg key?)

Cheers
Ken

wrote in message
news:1149006824.105733.277650@38g2000cwa.googlegroups.com...
> Ken Schaefer wrote:
>
>> a) The URL that is being used to access the web page - are you using
>> http://servername or http://servername.domain.com? Or are you using some
>> kind of DNS alias?
>
> We're using http://servername within an intranet. Does it make a
> difference?
>
>
>> b) The website's web application pool: what user context is it being run
>> under? Is it Network Service? Or a custom user context?
>
> I think it must be some custom user; the Identity is set to an account
> of the form
> [domain]\webtest3_asp
>
>
>> c) Lastly, can you enable Kerberos logging on the IIS box, and post the
>> relevant event log entries? Thanks
>> http://support.microsoft.com/?id=262177
>
> Done. Two events reported when I tried to hit the website:
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Account Logon
> Event ID: 680
> Date: 2006/05/30
> Time: 10:22:43 AM
> User: NT AUTHORITY\SYSTEM
> Computer: WEBTEST3
> Description:
> Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Logon account: [domain]/[my account]
> Source Workstation: VE657818
> Error Code: 0xC0000064
>
> .
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 529
> Date: 2006/05/30
> Time: 10:22:43 AM
> User: NT AUTHORITY\SYSTEM
> Computer: WEBTEST3
> Description:
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: [domain]/[my account]
> Domain:
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: VE657818
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transited Services: -
> Source Network Address: 142.15.48.132
> Source Port: 2384
>
>
>
>
> Thanks,
> Roger
>
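One way to act on Ken's advice above, as an added example that is not code from the thread: a PowerShell script that queries the current domain for each HTTP SPN the site needs, reports whether it is missing, already on the app pool account, or held by another account (the duplicate situation Ken warns breaks Kerberos), and only then registers the missing ones with SetSPN. The host name, DNS suffix and account name are placeholder assumptions; it expects a domain-joined machine with setspn.exe on the path.

```powershell
<#
 Added example, not code from the thread. Reports the state of the HTTP SPNs an
 IIS site needs and registers the missing ones on the app pool account.
 All default values below are hypothetical placeholders.
#>
param(
    [string]$HostName    = 'webtest3',      # what users type: http://servername
    [string]$DnsSuffix   = 'domain.com',    # gives HTTP/webtest3.domain.com
    [string]$PoolAccount = 'webtest3_asp',  # sAMAccountName of the app pool identity
    [switch]$Register                       # without this switch the script only reports
)

$spns    = @("HTTP/$HostName", "HTTP/$HostName.$DnsSuffix")
$missing = @()

# Ask AD which accounts already carry each SPN. The same SPN on two accounts
# breaks Kerberos for that service, so check the holders before adding anything.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')

foreach ($spn in $spns) {
    $searcher.Filter = "(servicePrincipalName=$spn)"
    $holders = @($searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })

    if ($holders.Count -eq 0) {
        Write-Host "$spn : not registered on any account"
        $missing += $spn
    } elseif ($holders.Count -eq 1 -and $holders[0] -ieq $PoolAccount) {
        Write-Host "$spn : already registered on $PoolAccount"
    } elseif ($holders.Count -eq 1) {
        Write-Warning "$spn : held by $($holders[0]), not $PoolAccount. Remove it there (setspn -D) before adding it here."
    } else {
        Write-Warning "$spn : DUPLICATE on $($holders -join ', '). Resolve this first; do not add another copy."
    }
}

if ($Register -and $missing.Count -gt 0) {
    foreach ($spn in $missing) {
        # setspn -A is the Resource Kit syntax; newer setspn builds also offer -S,
        # which refuses to create a duplicate itself.
        & setspn.exe -A $spn $PoolAccount
    }
    # Show the account's final SPN list so the result can be verified.
    & setspn.exe -L $PoolAccount
}
```

Run it without -Register first; as Ken notes, every app pool serving http://servername must use this same identity, so the report is also a quick way to confirm the SPNs sit on that one account only.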