Network/Web Site Authentication

Hi,

I've got a WSUS server, which has been working fine for nearly a year. For
some reason, in the past month or 2, when I try to manage the WSUS service
from the web console, using the server name (https://wsuserver/WSUSadmin) I
get an authentication error. The authentication box pops up, asking for
username & password, however no matter what credentials I enter, (mine,
domain admin, enterprise admin) it pops up 3 times, fails, and then I get
the WSUS message:

Access denied
Network policy settings prevent you from accessing this Windows Server
Update Services server.
If you believe you have received this message in error, please check with
your system administrator.

However, if I connect using the servers IP address, NOT hostname,
(https://192.168.0.10/WSUSadmin) it works perfectly. I'm faily sure it's not
an IIS setting, as I've setup a test server with WSUS installed, that works
with hostname, and exported the web site to an XML file, then imported it
into the live WSUS server. Also the live & test servers are both in the same
OU, with the same group policy applied, so all the security settings
*should* be the same.

What security setting would cause authentication to a hostname to fail, but
to an IP address to work?

Cheers

Ben

Re: Network/Web Site Authentication

Hi Ben,

I believe this article discusses your issue and the workaround:
http://support.microsoft.com/default.aspx?scid=kb;en-us;8968 61

Please let me know if this does not help.

--
Greg Lindsay [MSFT]
greg.lindsay@microsoft.com

Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

"benb" wrote in message
news:e5X2b6%23rGHA.4616@TK2MSFTNGP04.phx.gbl...
> Hi,
>
> I've got a WSUS server, which has been working fine for nearly a year. For
> some reason, in the past month or 2, when I try to manage the WSUS service
> from the web console, using the server name (https://wsuserver/WSUSadmin)
> I get an authentication error. The authentication box pops up, asking for
> username & password, however no matter what credentials I enter, (mine,
> domain admin, enterprise admin) it pops up 3 times, fails, and then I get
> the WSUS message:
>
> Access denied
> Network policy settings prevent you from accessing this Windows Server
> Update Services server.
> If you believe you have received this message in error, please check with
> your system administrator.
>
> However, if I connect using the servers IP address, NOT hostname,
> (https://192.168.0.10/WSUSadmin) it works perfectly. I'm faily sure it's
> not an IIS setting, as I've setup a test server with WSUS installed, that
> works with hostname, and exported the web site to an XML file, then
> imported it into the live WSUS server. Also the live & test servers are
> both in the same OU, with the same group policy applied, so all the
> security settings *should* be the same.
>
> What security setting would cause authentication to a hostname to fail,
> but to an IP address to work?
>
> Cheers
>
> Ben
>

Re: Network/Web Site Authentication

Hi Greg,

Thanks for the reply. Tried both workarounds described on that page, and
rebooted the server last night, but it didn't fix the issue, the logon still
fails when you try and open a page via hostname, but works with IP address!
I don't think I mentioned our setup, we have 2 servers, first is Win2003
SP1, running as a DC, DHCP, DNS, and the other, is our web/app server,
Win2003 SP1, member server. This runs the WSUS web site, and also VMWare,
which is what I setup as a test WSUS server and got working.

Many thanks

Ben


"Greg Lindsay [MSFT]" wrote in message
news:eLfknwEsGHA.1296@TK2MSFTNGP02.phx.gbl...
> Hi Ben,
>
> I believe this article discusses your issue and the workaround:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;8968 61
>
> Please let me know if this does not help.
>
> --
> Greg Lindsay [MSFT]
> greg.lindsay@microsoft.com
>
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
>
> "benb" wrote in message
> news:e5X2b6%23rGHA.4616@TK2MSFTNGP04.phx.gbl...
>> Hi,
>>
>> I've got a WSUS server, which has been working fine for nearly a year.
>> For some reason, in the past month or 2, when I try to manage the WSUS
>> service from the web console, using the server name
>> (https://wsuserver/WSUSadmin) I get an authentication error. The
>> authentication box pops up, asking for username & password, however no
>> matter what credentials I enter, (mine, domain admin, enterprise admin)
>> it pops up 3 times, fails, and then I get the WSUS message:
>>
>> Access denied
>> Network policy settings prevent you from accessing this Windows Server
>> Update Services server.
>> If you believe you have received this message in error, please check with
>> your system administrator.
>>
>> However, if I connect using the servers IP address, NOT hostname,
>> (https://192.168.0.10/WSUSadmin) it works perfectly. I'm faily sure it's
>> not an IIS setting, as I've setup a test server with WSUS installed, that
>> works with hostname, and exported the web site to an XML file, then
>> imported it into the live WSUS server. Also the live & test servers are
>> both in the same OU, with the same group policy applied, so all the
>> security settings *should* be the same.
>>
>> What security setting would cause authentication to a hostname to fail,
>> but to an IP address to work?
>>
>> Cheers
>>
>> Ben
>>
>
>

Re: Network/Web Site Authentication

Hi Ben,

First pleasure check if you ping the wsusever, the IP address 192.168.0.10
is properly returned. Otherwise this is most likely a routing error.

If the servername/IP resolution appears to be fine, would you please export
IIS configuration and send it to me to have a check?

To dump your metabase configuration, please install IIS6 resource kit tools
and use the Metabase Explorer utility. Export the data under LM root node
in to a mbk file.

Internet Information Services (IIS) 6.0 Resource Kit Tools
http://www.microsoft.com/downloads/details.aspx?displaylang= en&familyid=56fc
92ee-a71a-4c73-b628-ade629c89499

You can send the file to me at: wjzhang@online.microsoft.com (please remove
online.)

Best Regards,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx .

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Re: Network/Web Site Authentication

Hi Ben,

I got your email and have responded to you. I still think this is an IIS
issue, and at this point it would be best to examine security logs to track
down what is causing the issue.

--
Greg Lindsay [MSFT]
greg.lindsay@microsoft.com

Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

"benb" wrote in message
news:uXw6HdXsGHA.4872@TK2MSFTNGP02.phx.gbl...
> Hi Greg,
>
> Thanks for the reply. Tried both workarounds described on that page, and
> rebooted the server last night, but it didn't fix the issue, the logon
> still fails when you try and open a page via hostname, but works with IP
> address!
> I don't think I mentioned our setup, we have 2 servers, first is Win2003
> SP1, running as a DC, DHCP, DNS, and the other, is our web/app server,
> Win2003 SP1, member server. This runs the WSUS web site, and also VMWare,
> which is what I setup as a test WSUS server and got working.
>
> Many thanks
>
> Ben
>
>
> "Greg Lindsay [MSFT]" wrote in message
> news:eLfknwEsGHA.1296@TK2MSFTNGP02.phx.gbl...
>> Hi Ben,
>>
>> I believe this article discusses your issue and the workaround:
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;8968 61
>>
>> Please let me know if this does not help.
>>
>> --
>> Greg Lindsay [MSFT]
>> greg.lindsay@microsoft.com
>>
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>>
>> "benb" wrote in message
>> news:e5X2b6%23rGHA.4616@TK2MSFTNGP04.phx.gbl...
>>> Hi,
>>>
>>> I've got a WSUS server, which has been working fine for nearly a year.
>>> For some reason, in the past month or 2, when I try to manage the WSUS
>>> service from the web console, using the server name
>>> (https://wsuserver/WSUSadmin) I get an authentication error. The
>>> authentication box pops up, asking for username & password, however no
>>> matter what credentials I enter, (mine, domain admin, enterprise admin)
>>> it pops up 3 times, fails, and then I get the WSUS message:
>>>
>>> Access denied
>>> Network policy settings prevent you from accessing this Windows Server
>>> Update Services server.
>>> If you believe you have received this message in error, please check
>>> with your system administrator.
>>>
>>> However, if I connect using the servers IP address, NOT hostname,
>>> (https://192.168.0.10/WSUSadmin) it works perfectly. I'm faily sure it's
>>> not an IIS setting, as I've setup a test server with WSUS installed,
>>> that works with hostname, and exported the web site to an XML file, then
>>> imported it into the live WSUS server. Also the live & test servers are
>>> both in the same OU, with the same group policy applied, so all the
>>> security settings *should* be the same.
>>>
>>> What security setting would cause authentication to a hostname to fail,
>>> but to an IP address to work?
>>>
>>> Cheers
>>>
>>> Ben
>>>
>>
>>
>
>

Re: Network/Web Site Authentication

Hi Greg,

I got your email, thanks.
This is a copy of the security event log entry that appears after you try to
logon via hostname. Five of these appear after you try to enter the username
& password with 2 retries via IE.

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 31/07/2006
Time: 10:33:54
User: NT AUTHORITY\SYSTEM
Computer: WSUSERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.0.50
Source Port: 1766


"Greg Lindsay [MSFT]" wrote in message
news:O8F2LMosGHA.1216@TK2MSFTNGP03.phx.gbl...
> Hi Ben,
>
> I got your email and have responded to you. I still think this is an IIS
> issue, and at this point it would be best to examine security logs to
> track down what is causing the issue.
>
> --
> Greg Lindsay [MSFT]
> greg.lindsay@microsoft.com
>
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
>
> "benb" wrote in message
> news:uXw6HdXsGHA.4872@TK2MSFTNGP02.phx.gbl...
>> Hi Greg,
>>
>> Thanks for the reply. Tried both workarounds described on that page, and
>> rebooted the server last night, but it didn't fix the issue, the logon
>> still fails when you try and open a page via hostname, but works with IP
>> address!
>> I don't think I mentioned our setup, we have 2 servers, first is Win2003
>> SP1, running as a DC, DHCP, DNS, and the other, is our web/app server,
>> Win2003 SP1, member server. This runs the WSUS web site, and also VMWare,
>> which is what I setup as a test WSUS server and got working.
>>
>> Many thanks
>>
>> Ben
>>
>>
>> "Greg Lindsay [MSFT]" wrote in message
>> news:eLfknwEsGHA.1296@TK2MSFTNGP02.phx.gbl...
>>> Hi Ben,
>>>
>>> I believe this article discusses your issue and the workaround:
>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;8968 61
>>>
>>> Please let me know if this does not help.
>>>
>>> --
>>> Greg Lindsay [MSFT]
>>> greg.lindsay@microsoft.com
>>>
>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>> confers no rights.
>>>
>>> "benb" wrote in message
>>> news:e5X2b6%23rGHA.4616@TK2MSFTNGP04.phx.gbl...
>>>> Hi,
>>>>
>>>> I've got a WSUS server, which has been working fine for nearly a year.
>>>> For some reason, in the past month or 2, when I try to manage the WSUS
>>>> service from the web console, using the server name
>>>> (https://wsuserver/WSUSadmin) I get an authentication error. The
>>>> authentication box pops up, asking for username & password, however no
>>>> matter what credentials I enter, (mine, domain admin, enterprise admin)
>>>> it pops up 3 times, fails, and then I get the WSUS message:
>>>>
>>>> Access denied
>>>> Network policy settings prevent you from accessing this Windows Server
>>>> Update Services server.
>>>> If you believe you have received this message in error, please check
>>>> with your system administrator.
>>>>
>>>> However, if I connect using the servers IP address, NOT hostname,
>>>> (https://192.168.0.10/WSUSadmin) it works perfectly. I'm faily sure
>>>> it's not an IIS setting, as I've setup a test server with WSUS
>>>> installed, that works with hostname, and exported the web site to an
>>>> XML file, then imported it into the live WSUS server. Also the live &
>>>> test servers are both in the same OU, with the same group policy
>>>> applied, so all the security settings *should* be the same.
>>>>
>>>> What security setting would cause authentication to a hostname to fail,
>>>> but to an IP address to work?
>>>>
>>>> Cheers
>>>>
>>>> Ben
>>>>
>>>
>>>
>>
>>
>
>

Re: Network/Web Site Authentication

Hi WenJun,

Thanks for the reply, I downloaded and ran the IIS res kit, very useful
tool, didn't realise it existed! I have exported the config and metabase and
emailed it to you. Hopefully you should have it by now.

Kind regards

Ben

""WenJun Zhang[msft]"" wrote in message
news:nm0sf4hsGHA.3920@TK2MSFTNGXA01.phx.gbl...
> Hi Ben,
>
> First pleasure check if you ping the wsusever, the IP address 192.168.0.10
> is properly returned. Otherwise this is most likely a routing error.
>
> If the servername/IP resolution appears to be fine, would you please
> export
> IIS configuration and send it to me to have a check?
>
> To dump your metabase configuration, please install IIS6 resource kit
> tools
> and use the Metabase Explorer utility. Export the data under LM root node
> in to a mbk file.
>
> Internet Information Services (IIS) 6.0 Resource Kit Tools
> http://www.microsoft.com/downloads/details.aspx?displaylang= en&familyid=56fc
> 92ee-a71a-4c73-b628-ade629c89499
>
> You can send the file to me at: wjzhang@online.microsoft.com (please
> remove
> online.)
>
> Best Regards,
>
> WenJun Zhang
>
> Microsoft Online Community Support
>
> ==================================================
>
> Get notification to my posts through email? Please refer to:
> http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
> ications.
>
> Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
> where an initial response from the community or a Microsoft Support
> Engineer within 1 business day is acceptable. Please note that each follow
> up response may take approximately 2 business days as the support
> professional working with you may need further investigation to reach the
> most efficient resolution. The offering is not appropriate for situations
> that require urgent, real-time or phone-based interactions or complex
> project analysis and dump analysis issues. Issues of this nature are best
> handled working with a dedicated Microsoft Support Engineer by contacting
> Microsoft Customer Support Services (CSS) at:
>
> http://msdn.microsoft.com/subscriptions/support/default.aspx .
>
> ==================================================
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>

Re: Network/Web Site Authentication

Hi Ben,

I haven't received mail from you. Could you please double-check the address?

My email is: wjzhang@online.microsoft.com (please remove online.)

Thanks & Have a nice day!

Best Regards,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx .

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Re: Network/Web Site Authentication

Hi WenJun,

I definatly sent it to the address below (removing online.) on the 31st
July. Have re-sent this morning, it's from my hotmail account,
bjblackmore@NOSPAM.hotmail.com (remove NOSPAM.)
Is it possible that it was blocked because of encrypted content? When I
exported the metabase I encrypred it with a password, seeing as it was being
transmitted over email!

Ben


""WenJun Zhang[msft]"" wrote in message
news:W5CYfgVtGHA.2504@TK2MSFTNGXA01.phx.gbl...
> Hi Ben,
>
> I haven't received mail from you. Could you please double-check the
> address?
>
> My email is: wjzhang@online.microsoft.com (please remove online.)
>
> Thanks & Have a nice day!
>
> Best Regards,
>
> WenJun Zhang
>
> Microsoft Online Community Support
>
> ==================================================
>
> Get notification to my posts through email? Please refer to:
> http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
> ications.
>
> Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
> where an initial response from the community or a Microsoft Support
> Engineer within 1 business day is acceptable. Please note that each follow
> up response may take approximately 2 business days as the support
> professional working with you may need further investigation to reach the
> most efficient resolution. The offering is not appropriate for situations
> that require urgent, real-time or phone-based interactions or complex
> project analysis and dump analysis issues. Issues of this nature are best
> handled working with a dedicated Microsoft Support Engineer by contacting
> Microsoft Customer Support Services (CSS) at:
>
> http://msdn.microsoft.com/subscriptions/support/default.aspx .
>
> ==================================================
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>

Re: Network/Web Site Authentication

Hi Ben,

I've replied your email. Thanks.

Best Regards,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx .

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Re: Network/Web Site Authentication

Hi WenJun,

I got your email, many thanks. I made some changes to the web sites, deleted
the 2 test sites, but still get the same problem.
Have replied to your email, and attached the 2 new config files.

Best regards

Ben


""WenJun Zhang[msft]"" wrote in message
news:7M4o6qjtGHA.3960@TK2MSFTNGXA01.phx.gbl...
> Hi Ben,
>
> I've replied your email. Thanks.
>
> Best Regards,
>
> WenJun Zhang
>
> Microsoft Online Community Support
>
> ==================================================
>
> Get notification to my posts through email? Please refer to:
> http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
> ications.
>
> Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
> where an initial response from the community or a Microsoft Support
> Engineer within 1 business day is acceptable. Please note that each follow
> up response may take approximately 2 business days as the support
> professional working with you may need further investigation to reach the
> most efficient resolution. The offering is not appropriate for situations
> that require urgent, real-time or phone-based interactions or complex
> project analysis and dump analysis issues. Issues of this nature are best
> handled working with a dedicated Microsoft Support Engineer by contacting
> Microsoft Customer Support Services (CSS) at:
>
> http://msdn.microsoft.com/subscriptions/support/default.aspx .
>
> ==================================================
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>

Re: Network/Web Site Authentication

Hi,

Let's use webfetch to trace the rawdata of http request/response and
determine if the problem is actually on server-side.

HOW TO: Use Wfetch.exe to Troubleshoot HTTP Connections
http://support.microsoft.com/default.aspx?scid=kb;en-us;2842 85

To use, please input:

Host: (Your servername)

Path: (The relative path of your page. e.g: /WSUSAdmin/)

Auth: (Select NTLM and specify your domain\username credential)

Press Go! to issue a http request to the server and check what response is
returned. I think the trace should slow us with the details. Please paste
the whole log data here.

I'll wait for your update. Thanks.

Best Regards,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx .

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Re: Network/Web Site Authentication

WenJun,

Here is the TRACE details, below are the details for a GET (wasn't sure if
it mattered which I used)

started....
WWWConnect::Connect("appserver","80")\n
IP = "192.168.254.5:80"\n
source port: 2582\r\n
SEC_I_CONTINUE_NEEDED - InitializeSecurityContext\n
REQUEST: **************\n
TRACE /WSUSadmin HTTP/1.1\r\n
Host: appserver\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: NTLM
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==\r\n
\r\n
RESPONSE: **************\n
HTTP/1.1 401 Unauthorized\r\n
Content-Length: 1037\r\n
Content-Type: text/html\r\n
Server: Microsoft-IIS/6.0\r\n
WWW-Authenticate: NTLM
TlRMTVNTUAACAAAAFAAUADgAAAAVgoniWve8zs/3BIYAAAAAAAAAAKYApgBM AAAABQLODgAAAA9BAEwAUABIAEEAQwBPAFUAUgBUAAIAFABBAEwAUABIAEEA QwBPAFUA
UgBUAAEAEgBBAFAAUABTAEUAUgBWAEUAUgAEABwAYQBsAHAAaABhAGMAbwB1 AHIAdAAuAGMAbwBtAAMAMABhAHAAcABzAGUAcgB2AGUAcgAuAGEAbABwAGgA YQBjAG8AdQByAHQALgBjAG8AbQAFABw
AYQBsAHAAaABhAGMAbwB1AHIAdAAuAGMAbwBtAAAAAAA=\r\n
X-Powered-By: ASP.NET\r\n
Date: Fri, 04 Aug 2006 13:43:12 GMT\r\n
\r\n
SEC_E_OK - InitializeSecurityContext\n
\r\n
\r\n
\r\n
\t\r\n
\t\t\r\n
\t\t\r\n
\t\r\n
\t\r\n
\t\t

Object Moved

Re: Network/Web Site Authentication

Hi Ben,

I saw NTLM works according to the trace. As least, the authentication is
passed between IIS and the client. Now it looks like this is probably a
Kerberos auth related issue.

Please go to the problematic client, open its IE Internet
Options->Advanced, make sure the 'Enable Integrated Windows Authentication'
option isn't selected. In this case, IE will use NTLM to perform Integrated
auth with IIS instead of Kerberos protocol. See if this will let the SUS
site work from now.

If it works, this means Kerberos authentication fails in your domain. You
have to ping our Windows AD group to help on Kerberos side troubleshooting.
Do you have a proper Kerberos Domain Controller(KDC) set in the domain?

Thanks.

Best Regards,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx .

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Re: Network/Web Site Authentication

Hi WenJun,

That fixed the problem, after turning off the 'Enable Integrated Windows
Authentication' option in IE the WSUS site works.

We are running 2 Windows 2003 domain controllers, so Kerberos should work, I
don't think we've had any other problems flagged, there don't seem to be any
Kerberos related events in any of the event logs.

How do I troubleshoot Kerberos related issues in IIS 6? I've read
support.microsoft.com/kb/326985 but that's for troubleshooting IIS 4 & 5.
Will the same principles work?

I will post a topic to the Windows AD group, but I'm not to sure what to
ask, as I have no error codes or messages to go on.

Many thanks

Ben


""WenJun Zhang[msft]"" wrote in message
news:bdpypPguGHA.3960@TK2MSFTNGXA01.phx.gbl...
> Hi Ben,
>
> I saw NTLM works according to the trace. As least, the authentication is
> passed between IIS and the client. Now it looks like this is probably a
> Kerberos auth related issue.
>
> Please go to the problematic client, open its IE Internet
> Options->Advanced, make sure the 'Enable Integrated Windows
> Authentication'
> option isn't selected. In this case, IE will use NTLM to perform
> Integrated
> auth with IIS instead of Kerberos protocol. See if this will let the SUS
> site work from now.
>
> If it works, this means Kerberos authentication fails in your domain. You
> have to ping our Windows AD group to help on Kerberos side
> troubleshooting.
> Do you have a proper Kerberos Domain Controller(KDC) set in the domain?
>
> Thanks.
>
> Best Regards,
>
> WenJun Zhang
>
> Microsoft Online Community Support
>
> ==================================================
>
> Get notification to my posts through email? Please refer to:
> http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
> ications.
>
> Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
> where an initial response from the community or a Microsoft Support
> Engineer within 1 business day is acceptable. Please note that each follow
> up response may take approximately 2 business days as the support
> professional working with you may need further investigation to reach the
> most efficient resolution. The offering is not appropriate for situations
> that require urgent, real-time or phone-based interactions or complex
> project analysis and dump analysis issues. Issues of this nature are best
> handled working with a dedicated Microsoft Support Engineer by contacting
> Microsoft Customer Support Services (CSS) at:
>
> http://msdn.microsoft.com/subscriptions/support/default.aspx .
>
> ==================================================
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
>

Re: Network/Web Site Authentication

Hi Ben,

You can launch WebFetch again and set the auth type to Kerberos to
reproduce an authentication error. Then open event viewer security log on
the server. Generally you should see logon failure events in it with
detailed logon parameters and error code.

You can then post the error events to our Windows AD group for assistance.
Thanks.

Best Regards,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx .

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.