Credentials not passed on when using ASP.NET
on 10.07.2006 22:32:41 by Jay-nospam
Hi there,

I am having trouble getting an ASP.NET web application to connect to another
computer and passing the proper credentials and I hope someone can help me.

I have a stand-alone Windows 2003 Server, ServerA, running as a Web Server
that uses ASP.NET. The default.aspx file tries to access a file in a share
on another computer, ServerB. ServerA and ServerB are on the same domain and
are both running Windows 2003 Server.

The Domain Controller is running Windows 2000 Server. I want to use
Integrated Windows Authentication to access the file. When I connect to the
Web site and then check the event viewer on ServerB, I can see that ServerA
is using the Anonymous Logon to connect to ServerB instead of passing
through my Windows credentials. On ServerA, I have done the following:

In IIS, set the authentication to Integrated Windows Authentication and
deselected Allow Anonymous logon

Did the following according to
http://support.microsoft.com/default.aspx?scid=kb;en-us;871179

In my application pool, I set the Identity to a domain user,
MyDomain\SvcAcct

Added the user, MyDomain\SvcAcct to the IIS_WPG group

As the domain administrator, I ran Setspn on ServerA. When this didn't
work, I repeated it on the Primary Domain Controller of the domain and that
didn't work either. How I ran the command is listed below:

Setspn -A HTTP/ MyDomain\SvcAcct

Then I followed the instructions at
http://technet2.microsoft.com/WindowsServer/en/Library/b207ee9c-a055-43f7-b9be-20599b694a311033.mspx?mfr=true
and on the Primary Domain Controller of the domain I also went into Active
Directory Services Users and Groups and selected the "Trust this computer
for delegation" option for ServerA and I also followed the instructions at
http://technet2.microsoft.com/WindowsServer/en/Library/91a98c38-38c5-49dc-83bf-e69d8e1dbbfa1033.mspx?mfr=true
and I selected the "Account is trusted for delegation" option for the
MyDomain\SvcAcct user.

Following http://support.microsoft.com/kb/215383/, on ServerA, I ran the
following:

Cscript adsutil.vbs set w3svc/1/NTAuthenticationProviders "Negotiate,NTLM"

I signed in to my client computer as MyDomain\UserA

In IE 6.0, on the client computer, as instructed in
http://support.microsoft.com/kb/810572/, I selected the "Enable Integrated
Windows Authentication (requires restart)" option on the Advanced tab and
then cleared my cache and closed my IE 6.0 session and started another.

In my web.config file for the website, I added the following line after the
closing tag:

When I connect to the Website on ServerA from the client computer, I am not
prompted for credentials and that is what I would expect. When I turn on
auditing, I can also see that UserA is accessing the default.aspx file for
the Website and that is also what I would expect. However, the event viewer
on ServerB shows that the Anonymous Logon is what is being used to connect
to it.

When I run the Auth Diagnostics 1.0 tool from Microsoft that is referred to
in http://support.microsoft.com/default.aspx?scid=kb;en-us;871179 on my
Website on ServerA, I see the message, "Service Principal name (SPN) for
user 'MyDomain\SvcAcct' not found in Active Directory"

Anything I see on the Internet says to run Setspn for this problem but we
have done this. Am I doing something wrong when I do this? Is there another
reason why the credentials are not being passed on?

When I try this with a straight html file, I am able to access the file.

What am I doing wrong?

Thanks,
Jennifer

Re: Credentials not passed on when using ASP.NET
on 10.07.2006 23:31:19 by Consultant
You need to set up an SPN for it.

Re: Credentials not passed on when using ASP.NET
on 12.07.2006 16:04:28 by Jay-nospam
I thought I had set up an SPN using the setspn utility. I did the following
according to http://support.microsoft.com/default.aspx?scid=kb;en-us;871179

In my application pool, I set the Identity to a domain user,
MyDomain\SvcAcct

Added the user, MyDomain\SvcAcct to the IIS_WPG group

As the domain administrator, I ran Setspn on ServerA. When this didn't
work, I repeated it on the Primary Domain Controller of the domain and that
didn't work either. How I ran the command is listed below:

Setspn -A HTTP/ MyDomain\SvcAcct

Have I made a mistake when setting up my SPN?

Thanks,
Jennifer

"Consultant" wrote in message
news:OzmqwgGpGHA.4208@TK2MSFTNGP04.phx.gbl...
> you need to setup an spn for it
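
Added example, not part of the thread: a PowerShell check for the condition Auth Diagnostics reports above, comparing the SPNs that `setspn -L MyDomain\SvcAcct` lists against the HTTP SPNs expected for the site. The function name, the sample output and the FQDN `servera.mydomain.example` are constructed for illustration; the host names passed in are assumed to be the names clients use to reach the site.

```powershell
# Added example: report which expected SPNs are absent from `setspn -L` output.
function Get-MissingSpn {
    param(
        [string[]] $SetspnOutput,          # lines printed by: setspn -L MyDomain\SvcAcct
        [string[]] $HostNames,             # names clients use to reach the site (assumption)
        [string]   $ServiceClass = 'HTTP'
    )

    # SPN lines in the listing are indented and have the form class/host[:port];
    # the "Registered ServicePrincipalNames for ..." header line is not indented.
    $registered = $SetspnOutput |
        Where-Object { $_ -match '^\s+\S+/\S+' } |
        ForEach-Object { $_.Trim().ToLowerInvariant() }

    foreach ($name in $HostNames) {
        $expected = "$ServiceClass/$name".ToLowerInvariant()
        if ($registered -notcontains $expected) {
            "$ServiceClass/$name"          # emit each SPN that is not registered
        }
    }
}

# Constructed sample listing: only the short host name is registered.
$sample = @(
    'Registered ServicePrincipalNames for CN=SvcAcct,CN=Users,DC=mydomain,DC=example:'
    "`tHTTP/servera"
)

# Against a live domain, replace $sample with: (setspn -L MyDomain\SvcAcct)
$missing = Get-MissingSpn -SetspnOutput $sample `
                          -HostNames 'ServerA', 'servera.mydomain.example'

foreach ($spn in $missing) {
    "Missing SPN: $spn (register with: setspn -A $spn MyDomain\SvcAcct)"
}
```

With the constructed sample, only `HTTP/servera.mydomain.example` is reported, because the short-name SPN matches case-insensitively.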