Event ID 529, logon type 8, multi-tier custom application
on 16.05.2006 01:28:02 by philipf22

Here is the situation. We acquired a custom app supporting external
users that worked previously in a single-domain NT4 scenario. I want to
move external untrusted users out to a dedicated forest (compliance
issue).
Windows environment:
Two forests (EXTERNALDOM trusts INTERNALDOM).
- Web servers in the DMZ, joined to EXTERNALDOM
- App servers internal, joined to INTERNALDOM
- Web server: runs anonymous with account internaldom\user2 and
  communicates with the app web service over specific ports (enabled in
  the FW)
- App server: uses impersonation to access other DB components.
The new application was developed to authenticate the users against AD.
I can verify that it is doing this successfully in the external forest
since passing a bad password results in a failure audit on the WEB
server.
When I pass valid credentials to the web server, the app seems to be
flowing the identity back to the app server. The app server is
generating the following error in the security log. To me it seems
that the app is attempting to have the external user authenticate
against the internal app server. Since I have a one-way trust in place
where internal does not trust external, it is of course being denied.
I don't see much on logon type 8, other than that it is a cleartext
authentication attempt. I was trying to figure out what the app is
trying to access, so I used Regmon and Filemon, only to find that there
were no failures.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 5/15/2006
Time: 4:41:21 PM
User: NT AUTHORITY\SYSTEM
Computer: INTERNALAPP001
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: USER1
Domain: EXTERNALDOM
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: INTERNALAPP001
Caller User Name: APPACCT
Caller Domain: INTERNALDOM
Caller Logon ID: (0x0,0x7A2991)
Caller Process ID: 3208
Transited Services: -
Source Network Address: -
Source Port: -
** PID 3208 is w3wp.exe running under APPACCT.
Any help around this error code would be appreciated.
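An added example, not code from the original post: it parses the 529 event text pasted above and spells out what the fields imply. Logon type 8 is NetworkCleartext (a LogonUser() call with LOGON32_LOGON_NETWORK_CLEARTEXT), Logon Process "Advapi" means the logon request came from a LogonUser() call inside the caller process (here PID 3208, w3wp.exe) rather than from a network client, and the account domain versus the computer's domain and the trust direction decides whether such a call could ever succeed. The trust map (EXTERNALDOM trusts INTERNALDOM, one way) and the assumption that INTERNALAPP001 is joined to INTERNALDOM are modelled from the post's description, not read from AD.

```python
"""Parse a legacy (Windows 2000/2003) Security log 529 failure audit and
explain it. Added example; trust topology below is an assumption modelled
on the post, not queried from Active Directory."""
import re

# Logon type codes used in the pre-Vista 528/529 events.
LOGON_TYPES = {
    2: "Interactive",
    3: "Network",
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext (LogonUser with LOGON32_LOGON_NETWORK_CLEARTEXT)",
    9: "NewCredentials",
    10: "RemoteInteractive",
    11: "CachedInteractive",
}

# 'Advapi' = LogonUser() called inside the process in Caller Process ID.
LOGON_PROCESSES = {
    "Advapi": "LogonUser() API call from the caller process",
    "NtLmSsp": "NTLM authentication from a network client",
    "Kerberos": "Kerberos authentication from a network client",
    "User32": "interactive logon via Winlogon",
    "Seclogon": "secondary logon (runas)",
}

# Trust map: trusting domain -> set of domains whose accounts it accepts.
# Assumption taken from the post: EXTERNALDOM trusts INTERNALDOM only.
TRUSTS = {"EXTERNALDOM": {"INTERNALDOM"}}

# Sample input: the event from the post, embedded here so the example runs offline.
SAMPLE_EVENT = """\
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 5/15/2006
Time: 4:41:21 PM
User: NT AUTHORITY\\SYSTEM
Computer: INTERNALAPP001
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: USER1
Domain: EXTERNALDOM
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: INTERNALAPP001
Caller User Name: APPACCT
Caller Domain: INTERNALDOM
Caller Logon ID: (0x0,0x7A2991)
Caller Process ID: 3208
Transited Services: -
Source Network Address: -
Source Port: -
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_event(text):
    """Turn the 'Field: value' lines of a pasted event into a dict.
    Lines with no value ('Description:', 'Logon Failure:') are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields


def can_authenticate(resource_domain, account_domain, trusts):
    """True if a host in resource_domain can validate an account from
    account_domain: same domain, or resource_domain trusts account_domain."""
    if resource_domain == account_domain:
        return True
    return account_domain in trusts.get(resource_domain, set())


def explain_529(fields, computer_domain, trusts):
    """Classify a parsed 529 event given the computer's own domain."""
    account_domain = fields["Domain"]
    return {
        "event_id": int(fields["Event ID"]),
        "logon_type": LOGON_TYPES.get(int(fields["Logon Type"]), "unknown"),
        "origin": LOGON_PROCESSES.get(fields["Logon Process"], "unknown"),
        "account": f"{account_domain}\\{fields['User Name']}",
        "caller": f"{fields['Caller Domain']}\\{fields['Caller User Name']}"
                  f" (PID {fields['Caller Process ID']})",
        # No source address is consistent with an in-process API call.
        "local_call": fields.get("Source Network Address", "-") == "-",
        "cross_domain": account_domain != computer_domain,
        "trust_satisfied": can_authenticate(computer_domain, account_domain, trusts),
    }


if __name__ == "__main__":
    info = explain_529(parse_event(SAMPLE_EVENT), "INTERNALDOM", TRUSTS)
    for key, value in info.items():
        print(f"{key:>16}: {value}")
```

For this event the output shows cross_domain True and trust_satisfied False: the app server (INTERNALDOM) is being asked, via LogonUser() in the worker process, to validate an EXTERNALDOM account, and nothing in a one-way trust where only EXTERNALDOM trusts INTERNALDOM lets it do that. Because the call is made in-process, Regmon and Filemon show no failures: the denial happens inside LSA before any file or registry object is touched.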