iis problems with some xp clients - kerberos issue?
am 22.07.2006 02:06:11 von mahalie
I'm the web dev for a 200 person company, everything herein is in our
corporate domain.
We use Kerberos authentication - the domain controller is a win2k
server.
In short I have an Intranet server (win2k) hosting a .net 2 application
and a test server (win2k) hosting a classic asp page. Both access SQL
data on different server.
Delegation is enabled for all domain users. I have "impersonate=true"
on my .net app and directories on both servers are set to use only
Windows Integrated Authentication.
Internet Explorer settings on the client are set to recognize all the
involved servers and use proper settings, windows auth is enabled,
auto logon, etc.
And both apps work for about 80% of our users. But the authentication
isn't being passed from IE to the server to SQL as expected for the
rest, resulting in SQL errors. Our clients are all on XP. At first we
thought it was their profiles. But it's the client. The apps don't
work for anyone logged on those clients that aren't passing
authentication. And for those staff who have no problems, anyone can
log on and will have no problems / vice versa.
Then we thought it might be a hotfix/security update. Our sysadmin
ghosted an old image and the apps worked (authentication was passed to
SQL), then he applied all of the updates and did the setup he normally
would for a new user and...it still worked.
We're not sure where to look...AD/profiles don't seem to be the
culprit, IE settings have been mimicked on working machines and
therefore seem ok, IIS/SQL is behaving normally and it works for all
users, just not all machines.
Does anyone have any idea what could be going on? Also, I was not sure
what group to post this on...it's security/networking/sql/iis or is
there a group for general MS mysteries?
I could post IIS logs, asp errors, sql errors, etc. Please let me know
what information would help in diagnosing this.
Re: iis problems with some xp clients - kerberos issue?
am 22.07.2006 03:25:22 von someone
Just giving some non-obvious food for thought...
For some users/machines, they unfortunately end up with LARGE Kerberos
tickets -- this is totally normal and is a function of many things,
including how many groups they are in as well as number of domains.
The difference in Kerberos ticket size has been known to cause some
users/machines to fail with Kerberos while everything is perfectly
configured. One reason is because IIS has a limit on request header size,
which is where the Kerberos tickets are passed - and I don't know what your
server is configured to. It is 128KB by default on IIS5/W2K, but security
lockdown can shrink it to 16KB, at which point Kerberos Tickets can start
getting rejected.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
Re: iis problems with some xp clients - kerberos issue?
am 22.07.2006 12:55:02 von Karl Levinson
wrote in message
news:1153526771.259662.173920@75g2000cwc.googlegroups.com...
> Internet Explorer settings on the client are set to recognize all the
> involved servers and use propper settings, windows auth is enabled,
> auto logon, etc.
>
> And both apps work for about 80% of our users. But the authentication
> isn't being bassed from IE to the server to SQL as expected for the
> rest, resulting in SQL errors.
Have you tried putting the web server name into the local intranet zone or
trusted zone in IE? That's a very common cause when XP sporadically fails
to send windows integrated authentication.
Is the same server / domain name being used in the URL in successful and
unsuccessful cases? Is there any possibility that IE is deciding that the
server / domain name is in the Internet zone, where windows integrated
authentication is generally disabled?
What is the "User Authentication: Logon" setting in IE for the zone in which
you believe the server resides? Is there any difference in this setting
between working and troubled PCs?
When the authentication fails, I'd be curious to know what zone IE says the
web server is in. Should be an icon near the lower right corner of the IE
status bar.
And you're certain that IE isn't passing the authentication at all? I'd
want to use the Wireshark sniffer (current stable release at
www.ethereal.com) to look at what happens.
I'd also be curious to know what the IE / client error message is.
--
kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
--------------------------------
Microsoft Security FAQ:
http://securityadmin.info
Re: iis problems with some xp clients - kerberos issue?
am 22.07.2006 14:47:09 von Ken Schaefer
I think we need to verify exactly where the process is failing.
For example: is the browser even attempting Kerberos Authentication? Or is
the webserver failing to get a service ticket for the SQL Server etc.
Check that the site is in IE's Intranet zone (IE doesn't attempt to Kerberos
AuthN to sites in the internet zone - it will use NTLM instead).
Then I would get packet captures (using www.ethereal.com) of traffic from
client -> webserver and webserver -> domain controller and webserver -> SQL
server.
Additionally, you can enable Kerberos logging on the webserver to see if
there are any Kerberos related issues (the events get logged to the Windows
event log).
Cheers
Ken
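David's reply asks how large the request header block carrying the Kerberos ticket is, and Ken's asks whether the browser is even attempting Kerberos or has silently fallen back to NTLM. Both questions can be answered from one thing: the `Authorization: Negotiate` header in the client -> webserver capture. The script below is an added example, not code from anyone in this thread. It takes a raw HTTP request as bytes (the kind you can copy out of an Ethereal/Wireshark "follow TCP stream" view), measures the header block against a limit you supply (David quotes 128 KB by default and 16 KB after lockdown on IIS 5; the number is a parameter here, not something the code knows), base64-decodes the Negotiate token and walks its DER structure far enough to say whether it is a raw NTLMSSP message, an SPNEGO NegTokenInit that prefers Kerberos, or SPNEGO with NTLM tucked inside. The mechanism OIDs are the standard GSS-API/SPNEGO values; the sample requests, the host name `intranet` and the placeholder ticket bytes are constructed for the demonstration and are not real tokens.

```python
import base64

# Mechanism OIDs as DER content octets (the bytes after the 0x06 tag and length).
SPNEGO_OID  = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID    = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
NTLMSSP_OID = bytes.fromhex("2b060104018237020a")  # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {KRB5_OID: "Kerberos", MS_KRB5_OID: "Kerberos (MS)", NTLMSSP_OID: "NTLM"}

def der_encode(tag, payload):
    """Minimal DER TLV writer (definite length, payloads up to 65535 bytes)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload

def der_decode(buf, pos=0):
    """Read one TLV at buf[pos]; return (tag, content, position after the TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                          # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Yield (tag, content) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, child, pos = der_decode(content, pos)
        yield tag, child

def classify_negotiate_token(token):
    """Report which mechanism a decoded 'Authorization: Negotiate' token really carries."""
    if token.startswith(b"NTLMSSP\x00"):
        return "NTLM (raw NTLMSSP, no Kerberos attempted)"
    if not token or token[0] != 0x60:
        return "unrecognised token"
    _, inner, _ = der_decode(token)            # [APPLICATION 0] InitialContextToken
    _, mech_oid, pos = der_decode(inner)       # thisMech OID
    if mech_oid in (KRB5_OID, MS_KRB5_OID):
        return "Kerberos (bare GSS-API krb5 AP-REQ)"
    if mech_oid != SPNEGO_OID:
        return "unrecognised mechanism OID"
    tag, neg_init, _ = der_decode(inner, pos)  # [0] NegTokenInit
    if tag != 0xA0:
        return "SPNEGO, but not a NegTokenInit"
    _, seq, _ = der_decode(neg_init)           # SEQUENCE { mechTypes, ..., mechToken }
    mechs, mech_token = [], b""
    for ctag, cval in der_children(seq):
        if ctag == 0xA0:                       # [0] mechTypes: SEQUENCE OF OID
            _, seq_of, _ = der_decode(cval)
            mechs = [oid for _, oid in der_children(seq_of)]
        elif ctag == 0xA2:                     # [2] mechToken: OCTET STRING
            _, mech_token, _ = der_decode(cval)
    if mech_token.startswith(b"NTLMSSP\x00"):
        return "SPNEGO carrying NTLM (Kerberos not used)"
    preferred = OID_NAMES.get(mechs[0], "unknown") if mechs else "none"
    return "SPNEGO, preferred mechanism " + preferred

def inspect_request(raw_request, header_limit):
    """Size the request header block and classify its Authorization token, if any."""
    head = raw_request.split(b"\r\n\r\n", 1)[0] + b"\r\n\r\n"
    mechanism = "no Authorization header"
    for line in head.split(b"\r\n")[1:]:       # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"authorization":
            continue
        scheme, _, blob = value.strip().partition(b" ")
        if scheme.lower() == b"negotiate":
            mechanism = classify_negotiate_token(base64.b64decode(blob))
        else:
            mechanism = scheme.decode("ascii", "replace")
    return {"header_bytes": len(head),
            "exceeds_limit": len(head) > header_limit,
            "mechanism": mechanism}

def make_spnego_sample(mech_token, preferred=MS_KRB5_OID):
    """Constructed NegTokenInit: lists `preferred` first, then NTLM, and wraps mech_token."""
    mech_types = der_encode(0xA0, der_encode(0x30, der_encode(0x06, preferred)
                                                   + der_encode(0x06, NTLMSSP_OID)))
    mech_tok = der_encode(0xA2, der_encode(0x04, mech_token))
    neg_init = der_encode(0xA0, der_encode(0x30, mech_types + mech_tok))
    return der_encode(0x60, der_encode(0x06, SPNEGO_OID) + neg_init)

def make_request(token):
    """Constructed HTTP request to a dotless intranet host carrying `token` as Negotiate."""
    return (b"GET /intranet/default.aspx HTTP/1.1\r\nHost: intranet\r\n"
            b"Authorization: Negotiate " + base64.b64encode(token) + b"\r\n\r\n")

# Constructed inputs: a 4 KB placeholder stands in for a PAC-bloated AP-REQ, and a
# raw NTLM Type 1 message stands in for a client that never obtained a ticket.
KERB_REQ = make_request(make_spnego_sample(b"\x60" + b"\x00" * 4095))
NTLM_REQ = make_request(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28)

if __name__ == "__main__":
    for name, req in (("kerberos", KERB_REQ), ("ntlm", NTLM_REQ)):
        print(name, inspect_request(req, 16 * 1024))
```

Run it against a request from a working client and one from a failing client: if the failing client's token starts with `TlRMTVNT` in base64 (raw NTLMSSP) or the SPNEGO mechToken is NTLM, the browser never got a service ticket and the problem is on the client or DNS side, not in IIS; if both carry Kerberos but the failing one's header block is larger than whatever limit the server is configured with, David's header-size explanation fits.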
Re: iis problems with some xp clients - kerberos issue?
am 24.07.2006 20:50:40 von mahalie
Thanks, everyone, for your suggestions. I'm working with my sysadmin
now to get Ethereal going and will do some investigating and report
back. I forgot to mention earlier that most everyone is using a roaming
profile, if that makes a difference.
And to answer an earlier query, yep, IE settings recognize the domains
as being in the intranet zone (it does this by default as the domains
use no dots, and include all local sites, sites that bypass proxy, all
network paths are checked), and I've added the domains manually just to
see if it made a difference. Logon is set to 'Automatic logon only in
Intranet zone'. (I've tried prompt as well.). Both pages in question
(one on intranet server and one on a different dev server) are
indicated as being in the intranet zone by the icon in the status bar
for both clients where it is working and clients where it is not. IE
settings are identical on working clients and non-working clients.
Due to the roaming profiles, identical AD settings, and since a given
user's credentials aren't passed to SQL on one client but everything
works as expected if they log on to someone's client that is working, it
seems like headers wouldn't be the problem. That is, if Kerberos tickets
are user specific...if they also grow depending on machine(?), then we
need to look at that too.
> Then I would get packet captures (using www.ethereal.com) of traffic from
> client -> webserver and webserver -> domain controller and webserver -> SQL
> server.
>
> Additionally, you can enable Kerberos logging on the webserver to see if
> there are any Kerberos related issues (the events get logged to the Windows
> event log)
> > And both apps work for about 80% of our users. But the authentication
> > isn't being bassed from IE to the server to SQL as expected for the
> > rest, resulting in SQL errors. Our clients are all on XP. At first we
> > thought it was their profiles. But it's the client. The apps don't
> > work for anyone logged on those clients that aren't passing
> > authentication. And for those staff who have no problems, anyone can
> > log on and will have no problems / vice versa.
Re: iis problems with some xp clients - kerberos issue?
am 26.07.2006 00:30:02 von mahalie
Thanks again for the suggestions to use Ethereal. We had some clients
that were not recognized due to an errant DNS setting on their LAN
connection, left over from an old wireless firewall, that was set to
append a nonexistent suffix to their DNS. I don't know how we would
have figured that out w/o packet sniffing. Thanks again!!!!
Btw, for future readers, I was shocked to find that two of the systems,
which I swore I'd checked, had proper IE security settings under
Tools > Internet Options > Security > Local Intranet > Sites & Custom Level,
but I had missed the 'Enable Integrated Windows Authentication (requires
restart)' checkbox - I think in part because I couldn't believe that any
users wouldn't have this checked due to our heavy reliance on it on the
intranet, but it just goes to show, there are users that don't ever report
errors - they just give up, and unfortunately not everyone is using the
intranet...
~mahalie