IIS6 and integrated security

on 15.10.2007 10:49:54 by Jan Eliasen

Hi all

I have a problem with a web service I have developed in ASP.NET 2.0.

I have two servers: ServerA and ServerB. Both are in the "UDV" domain.
I have two sets of login credentials: A service account called
xs-biztalk (in the UDV domain) and my own logon credentials (In
another domain).

On ServerA I have created a new web site to listen to port 8000. Under
this web site I have added a virtual directory for my web service. I
have set both web site and virtual directory to not allow anonymous
access, but only "Integrated Security".

The application pool that both are running under is running as
xs-biztalk.

If I logon to ServerB as xs-biztalk and try to access the web service
on ServerA, I get a box prompting for my username and password. This
is unexpected, as I am logged into Windows as xs-biztalk, which is a
user in the same domain as both servers. If I enter my personal
credentials in that box, I get to the web service. Very weird!

The log file from IIS is below. In the log file you can see, that a
bunch of anonymous requests are denied, until finally the jel user is
allowed access. The anonymous requests are xs-biztalk trying to get
access. What really irritates me is, that the UDV\xs-biztalk
credentials do not appear in the log file. I mean... they should
appear and then be denied. I am not sure about what I can deduce from
the fact that they don't even show up in the log. Any help is
appreciated.

LOG FILE:

2007-10-15 08:16:29 W3SVC364038655 123.123.123.50 GET /ax/ax.asmx - 8000 - 123.123.123.66 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 2 2148074254
2007-10-15 08:16:29 W3SVC364038655 123.123.123.50 GET /ax/ax.asmx - 8000 - 123.123.123.66 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 1 0
2007-10-15 08:16:29 W3SVC364038655 123.123.123.50 GET /ax/ax.asmx - 8000 - 123.123.123.66 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 1 0
2007-10-15 08:16:34 W3SVC364038655 123.123.123.50 GET /ax/ax.asmx - 8000 - 123.123.123.66 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 1 0
2007-10-15 08:16:34 W3SVC364038655 123.123.123.50 GET /ax/ax.asmx - 8000 - 123.123.123.66 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 1 0
2007-10-15 08:16:34 W3SVC364038655 123.123.123.50 GET /ax/ax.asmx - 8000 - 123.123.123.66 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 1 0
2007-10-15 08:16:34 W3SVC364038655 123.123.123.50 GET /ax/ax.asmx - 8000 - 123.123.123.66 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 1 0
2007-10-15 08:16:42 W3SVC364038655 123.123.123.50 GET /ax/ax.asmx - 8000 - 123.123.123.66 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 1 0
2007-10-15 08:16:45 W3SVC364038655 123.123.123.50 GET /ax/ax.asmx - 8000 domain2\jel 123.123.123.66 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 200 0 0

--
eliasen, representing himself and not the company he works for.

Private blog: http://blog.eliasen.dk

Private email: jan@eliasen.dk

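The log above, parsed by a Python script added here as a worked example (not code from the original post or from IIS). It assumes the IIS 6.0 default W3C field order, since the #Fields header line is not shown in the post, and decodes the 401 sub-status and the sc-win32-status column (logged in decimal; 2148074254 is 0x8009030E) into their documented names, then summarizes per client address how many requests were refused, which account names IIS recorded on them, and which account finally got a 200. The sample lines are the nine records from the post, re-joined onto one line each with the User-Agent token shortened:

```python
# Added example: decode IIS 6.0 W3C log lines like the ones in the post.
# Field order is the IIS 6.0 default (assumption: the #Fields line is not shown).
FIELDS = [
    "date", "time", "s-sitename", "s-ip", "cs-method", "cs-uri-stem",
    "cs-uri-query", "s-port", "cs-username", "c-ip", "cs(User-Agent)",
    "sc-status", "sc-substatus", "sc-win32-status",
]

# IIS 6.0 sub-status codes for HTTP 401.
SUBSTATUS_401 = {
    1: "401.1 Logon failed",
    2: "401.2 Logon failed due to server configuration",
    3: "401.3 Unauthorized due to ACL on resource",
    4: "401.4 Authorization failed by filter",
    5: "401.5 Authorization failed by ISAPI/CGI application",
    7: "401.7 Access denied by URL authorization policy",
}

# sc-win32-status is written in decimal; the large values are SSPI HRESULTs.
WIN32_STATUS = {
    0: "0 (no error)",
    5: "5 ERROR_ACCESS_DENIED",
    1326: "1326 ERROR_LOGON_FAILURE (unknown user name or bad password)",
    0x80090308: "0x80090308 SEC_E_INVALID_TOKEN",
    0x8009030C: "0x8009030C SEC_E_LOGON_DENIED",
    0x8009030E: "0x8009030E SEC_E_NO_CREDENTIALS",
}

# Constructed sample: the nine records from the post, one per line, with the
# User-Agent shortened (it is a single space-free token in W3C format).
UA = "Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2)"
_PREFIX = ("2007-10-15 {t} W3SVC364038655 123.123.123.50 GET /ax/ax.asmx - 8000 "
           "{u} 123.123.123.66 " + UA)
SAMPLE_LOG = [
    _PREFIX.format(t="08:16:29", u="-") + " 401 2 2148074254",
    _PREFIX.format(t="08:16:29", u="-") + " 401 1 0",
    _PREFIX.format(t="08:16:29", u="-") + " 401 1 0",
    _PREFIX.format(t="08:16:34", u="-") + " 401 1 0",
    _PREFIX.format(t="08:16:34", u="-") + " 401 1 0",
    _PREFIX.format(t="08:16:34", u="-") + " 401 1 0",
    _PREFIX.format(t="08:16:34", u="-") + " 401 1 0",
    _PREFIX.format(t="08:16:42", u="-") + " 401 1 0",
    _PREFIX.format(t="08:16:45", u="domain2\\jel") + " 200 0 0",
]


def parse_line(line):
    """Split one W3C log line into a dict keyed by field name; status fields as int."""
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    rec = dict(zip(FIELDS, parts))
    for key in ("sc-status", "sc-substatus", "sc-win32-status"):
        rec[key] = int(rec[key])
    return rec


def describe(rec):
    """Human-readable outcome of one request: status.substatus, win32 code, user."""
    status, sub, w32 = rec["sc-status"], rec["sc-substatus"], rec["sc-win32-status"]
    label = SUBSTATUS_401.get(sub, "401.%d" % sub) if status == 401 else "%d.%d" % (status, sub)
    w32_label = WIN32_STATUS.get(w32, "%d (0x%08X)" % (w32, w32))
    return "%s; win32=%s; user=%s" % (label, w32_label, rec["cs-username"])


def summarize(lines):
    """Per client IP: number of 401s, account names IIS logged on them, who got 200."""
    clients = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # W3C directives and blank lines
        rec = parse_line(line)
        c = clients.setdefault(rec["c-ip"], {
            "denied": 0, "denied_users": set(), "denied_win32": set(), "ok_user": None})
        if rec["sc-status"] == 401:
            c["denied"] += 1
            c["denied_win32"].add(rec["sc-win32-status"])
            if rec["cs-username"] != "-":
                c["denied_users"].add(rec["cs-username"])
        elif rec["sc-status"] == 200 and rec["cs-username"] != "-":
            c["ok_user"] = rec["cs-username"]
    return clients


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(describe(parse_line(line)))
    for ip, c in summarize(SAMPLE_LOG).items():
        print(ip, c)
```

To run it against a real log, read the file line by line into summarize(); the #Fields and other directive lines are skipped. On every refused request in this sample cs-username is "-", so denied_users stays empty: IIS wrote no account name on any of the eight 401s, only on the final 200.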
Re: IIS6 and integrated security

on 15.10.2007 11:46:06 by Jan Eliasen

On Mon, 15 Oct 2007 10:49:54 +0200, Jan Eliasen
wrote:

>I have a problem with a web service I have developed in ASP.NET 2.0.
More information:

My own credentials domain2\jel are a local administrator on ServerA.
If I get another user in domain2 to access the web service from
ServerB, it fails. I have tried adding xs-biztalk to the local
administrators on the machine, and now I can access the web service
from ServerA, when logged in as xs-biztalk. But if I try from ServerB,
I get the same behaviour I have been getting all along.

--
eliasen, representing himself and not the company he works for.

Private blog: http://blog.eliasen.dk

Private email: jan@eliasen.dk

Re: IIS6 and integrated security

on 15.10.2007 13:36:56 by David Wang

On Oct 15, 2:46 am, Jan Eliasen wrote:
> On Mon, 15 Oct 2007 10:49:54 +0200, Jan Eliasen
>
> wrote:
> >I have a problem with a web service I have developed in ASP.NET 2.0.
>
> More information:
>
> My own credentials domain2\jel are a local administrator on ServerA.
> If I get another user in domain2 to access the web service from
> ServerB, it fails. I have tried adding xs-biztalk to the local
> administrators on the machine, and now I can access the web service
> from ServeRA, when logged in as xs-biztalk. But if I try from ServERB,
> I get the same behaviour I have been getting all along.
>
> --
> eliasen, representing himself and not the company he works for.
>
> Private blog:http://blog.eliasen.dk
>
> Private email: j...@eliasen.dk



This failure pattern is actually by design. You are attempting a
double-hop with Integrated Authentication using Custom AppPool
Identity, which is a definite no-no.

http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Diagnose_IIS_401_Access_Denied.aspx


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Re: IIS6 and integrated security

on 15.10.2007 14:37:40 by Jan Eliasen

On Mon, 15 Oct 2007 04:36:56 -0700, David Wang
wrote:

>This failure pattern is actually by design. You are attempting a
>double-hop with Integrated Authentication using Custom AppPool
>Identity, which is a definite no-no.
>
>http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Diagnose_IIS_401_Access_Denied.aspx
Hi, and thanks for the fast answer!

I have read your blog entry, and the articles you reference, but I am
still a little bit unsure about a couple of things:

1. My AppPool on ServerA runs under a custom identity, which is a
domain account. I have read that this can be an issue and that I
should use the setspn command to fix it. But how come the web service
works fine when domain2\jel calls it and not when UDV\xs-biztalk calls
it?

2. Why is it only with domain accounts that there is a problem? I suppose I
can have as many AppPools as I want with different local accounts for
one site?

3. I am unsure about the reason for this limitation - that I can only
have one custom identity running app pools per site. Why is this?

Thanks!

--
eliasen, representing himself and not the company he works for.

Private blog: http://blog.eliasen.dk

Private email: jan@eliasen.dk

Re: IIS6 and integrated security

on 15.10.2007 15:52:59 by wjzhang

Hi Jan,

The following article lists a batch of reasons why IE may prompt for a
username/password when integrated authentication is enabled. You may check
them to see whether the problem is caused by any condition that doesn't match.

Internet Explorer May Prompt You for a Password
http://support.microsoft.com/?id=258063

Furthermore, I also think it's quite unexpected that the xs-biztalk
account isn't recorded in the IIS log as the authenticated user but domain2\jel is.
I suggest you use WFetch to trace the raw data of the HTTP
request/response to check if there is any clue in it.

HOW TO: Use Wfetch.exe to Troubleshoot HTTP Connections
http://support.microsoft.com/default.aspx?scid=kb;en-us;284285

To use, please input:

Host: (The site's domainname/hostheader or servername or just IP address)
Port: (8000)
Path: (The relative path of your web service page. e.g:
/VirtualDirectory1/WebService1.asmx)
Auth: (Select NTLM and Kerberos, then test with UDV, xs-biztalk and its
password )

Press Go! to issue an HTTP request to the server and check what response is
returned. I think the trace should show us the details. Please paste
the whole log data here or you can send email to me at:
wjzhang@online.microsoft.com (please remove online.).

As always, I'll wait for your update.

Have a great week.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Re: IIS6 and integrated security

on 15.10.2007 15:58:06 by wjzhang

Please also note you need to set an SPN for the custom domain identity of the
application pool for the Kerberos protocol to work with Integrated Windows
Authentication.

You receive an "HTTP Error 401.1 - Unauthorized: Access is denied due to
invalid credentials" error message when you try to access a Web site that
is part of an IIS 6.0 application pool
http://support.microsoft.com/?id=871179

Thanks.

Sincerely,

WenJun Zhang

Microsoft Online Community Support


Re: IIS6 and integrated security

on 18.10.2007 06:07:03 by wjzhang

Hi Jan,

Based on my understanding, this may not be a double-hop delegation issue,
because the xs-biztalk account is set as the application pool identity and
your ASP.NET web service uses it to call other resources in the domain, am
I correct? Only in the case that the authenticated user's credential is used by
the web application to access remote resources (e.g. impersonation is enabled)
does it become a 2-hop scenario.

To answer your questions:

1. The NTLM protocol might be used when you authenticated with the domain2\jel
account. The protocol switch can be controlled on the browser side:
IE->Internet Options->Advanced->'Enable Integrated Windows
Authentication'. In this case, NTLM auth will succeed regardless of the app
pool identity setting. You can get a clear view of these by running
WFetch to test both Kerberos and NTLM with different accounts.

2. Any custom accounts (both domain and local ones) may meet the problem.
Per KB: http://support.microsoft.com/?id=871179 , we can set an SPN to resolve
the issue for domain accounts. For local accounts, we have to force
clients to use the NTLM protocol.

3. Probably I haven't caught your question clearly. For a web site, we can
separate different parts of it into different application pools and make
these pools run under different identities. So where does the limitation come
from?

Thanks.

Sincerely,

WenJun Zhang

Microsoft Online Community Support


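WenJun's suggestion to look at the raw request/response is the way to settle which protocol the client actually used. The following Python script is an added example, not code from the original thread or from WFetch: it takes an Authorization header value as it appears in a trace, base64-decodes it and reports whether the token is raw NTLMSSP or a SPNEGO wrapper carrying a Kerberos or NTLM mechanism; for an NTLM Type 3 message it also extracts the domain, user and workstation names, which travel in clear text. The three sample headers are constructed inside the script (build_ntlm_type3 and build_spnego_init are helpers written for this example, producing tokens with empty challenge responses and no ticket), not captured from the poster's servers:

```python
import base64
import struct

# Added example: classify the token in an HTTP Authorization header.
NTLM_SIG = b"NTLMSSP\x00"
# DER-encoded OIDs (tag 0x06, length, value)
OID_SPNEGO = b"\x06\x06\x2b\x06\x01\x05\x05\x02"                   # 1.3.6.1.5.5.2
OID_KRB5 = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"         # 1.2.840.113554.1.2.2
OID_NTLMSSP = b"\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"  # 1.3.6.1.4.1.311.2.2.10

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_NTLM = 0x00000200


def _sec_buffer(buf, off):
    """Read an NTLM security buffer (Len, MaxLen, Offset) and return the bytes it points to."""
    length, _maxlen, pos = struct.unpack_from("<HHI", buf, off)
    return buf[pos:pos + length]


def classify_token(raw):
    """Return the mechanism of a decoded token; for NTLM Type 3 also the names it carries."""
    if raw.startswith(NTLM_SIG):
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        info = {"mech": "NTLM", "type": msg_type}
        if msg_type == 3:  # AUTHENTICATE_MESSAGE: buffers at fixed header offsets
            flags = struct.unpack_from("<I", raw, 60)[0]
            enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
            info["domain"] = _sec_buffer(raw, 28).decode(enc)
            info["user"] = _sec_buffer(raw, 36).decode(enc)
            info["workstation"] = _sec_buffer(raw, 44).decode(enc)
        return info
    if raw[:1] == b"\x60":  # GSS-API InitialContextToken ([APPLICATION 0])
        head = raw[:20]
        if OID_SPNEGO in head:
            inner = ("Kerberos" if OID_KRB5 in raw else
                     "NTLM" if OID_NTLMSSP in raw else "unknown")
            return {"mech": "SPNEGO", "inner": inner}
        if OID_KRB5 in head:
            return {"mech": "Kerberos"}
    return {"mech": "unknown"}


def parse_authorization(header_value):
    """Parse 'Negotiate <b64>' or 'NTLM <b64>' as it appears in a WFetch or proxy trace."""
    scheme, _, b64 = header_value.strip().partition(" ")
    info = classify_token(base64.b64decode(b64))
    info["scheme"] = scheme
    return info


# --- constructed sample tokens (helpers written for this example) ---
def _der(tag, body):
    assert len(body) < 128  # short-form length suffices for these samples
    return bytes([tag, len(body)]) + body


def build_ntlm_type3(domain, user, workstation):
    """Minimal Type 3 with empty LM/NT responses: demonstrates layout, not a real logon."""
    fields, payload = b"", b""
    for data in (b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"),
                 workstation.encode("utf-16-le"), b""):
        fields += struct.pack("<HHI", len(data), len(data), 64 + len(payload))
        payload += data
    flags = struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM)
    return NTLM_SIG + struct.pack("<I", 3) + fields + flags + payload


def build_spnego_init(mech_oid):
    """NegTokenInit listing one mechanism and no mechToken: enough to identify the mech."""
    mech_list = _der(0x30, mech_oid)               # mechTypes: SEQUENCE OF OID
    neg_init = _der(0x30, _der(0xA0, mech_list))   # NegTokenInit { [0] mechTypes }
    return _der(0x60, OID_SPNEGO + _der(0xA0, neg_init))


# IE can send a raw NTLMSSP blob under the Negotiate scheme; the bytes decide, not the word.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    build_ntlm_type3("UDV", "xs-biztalk", "SERVERB")).decode()
SAMPLE_NEGOTIATE_KRB = "Negotiate " + base64.b64encode(build_spnego_init(OID_KRB5)).decode()
SAMPLE_NEGOTIATE_NTLM = "Negotiate " + base64.b64encode(build_spnego_init(OID_NTLMSSP)).decode()

if __name__ == "__main__":
    for hdr in (SAMPLE_NTLM, SAMPLE_NEGOTIATE_KRB, SAMPLE_NEGOTIATE_NTLM):
        print(parse_authorization(hdr))
```

The scheme word alone does not tell you which mechanism was used, which is why the first sample comes out as NTLM despite being sent as Negotiate. A Negotiate header that decodes to a SPNEGO token listing the Kerberos OID means the client chose Kerberos, which it can only complete if an SPN for the site's host name is registered on the account the application pool runs as, the setspn step WenJun mentions above; a header that decodes to a raw NTLMSSP blob means NTLM was used and the app pool identity's SPN never came into play.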
Re: IIS6 and integrated security

on 22.10.2007 16:03:42 by wjzhang

Hi Jan,

Just want to check if there is any update of this issue?

Thanks.

Sincerely,

WenJun Zhang

Microsoft Online Community Support
