ASP.NET and IIS Security

on 28.01.2008 15:12:00 by CompetitiveDad

I have a curious issue which is really causing me to scratch my head.

I have a site that has two virtual directories attached to it (same physical
folder). One virtual directory uses Windows Authentication, the other is
Anonymous. It is hosted on Windows 2003 server.

I have a Sign In button; when a user successfully enters credentials they get
directed from the anonymous site to the Windows authentication site.
There is something on a master page that checks for authentication and
directs accordingly.

The curious part is when I come to access the site via a browser from
another machine. If I access via IP address, I click Sign In, get a Windows
security challenge, enter a domain user that has access and everything is
fine.

If I access via the hostname (hostname is mapped via WINS) I get the
challenge as expected, but it never allows the user access; I get a 401 error.

Anyone any ideas as to why an IP address would be okay, but the hostname
wouldn't be?

Thanks,

Competitive Dad

RE: ASP.NET and IIS Security

on 29.01.2008 00:22:01 by Diffident

You might not have an SPN for the host header while there might be an SPN for
the IP address.

"Competitive Dad" wrote:

> I have a curious issue which is really causing me to scratch my head.
>
> I have a site that has two virtual directories attached to it (same physical
> folder). One virtual directory uses Windows Authentication, the other is
> Anonymous. It is hosted on Windows 2003 server.
>
> I have a Sign In button; when a user successfully enters credentials they get
> directed from the anonymous site to the Windows authentication site.
> There is something on a master page that checks for authentication and
> directs accordingly.
>
> The curious part is when I come to access the site via a browser from
> another machine. If I access via IP address, I click Sign In, get a Windows
> security challenge, enter a domain user that has access and everything is
> fine.
>
> If I access via the hostname (hostname is mapped via WINS) I get the
> challenge as expected, but it never allows the user access; I get a 401 error.
>
> Anyone any ideas as to why an IP address would be okay, but the hostname
> wouldn't be?
>
> Thanks,
>
> Competitive Dad

RE: ASP.NET and IIS Security

on 29.01.2008 15:41:03 by CompetitiveDad

Hi Diffident,

I'm not sure I entirely follow that. If I go on the server and use setspn -L
to list the SPNs for the server there is an entry for the hostname. I'm not
aware that you can set an SPN for an IP address.

One thing for sure is I cannot set anything on the client machine because I
cannot roll anything out on the client machine; access to the system is via a
browser.

Thx,

CD

"Diffident" wrote:

> You might not have an SPN for the host header while there might be an SPN for
> the IP address.
>
> "Competitive Dad" wrote:
>
> > I have a curious issue which is really causing me to scratch my head.
> >
> > I have a site that has two virtual directories attached to it (same physical
> > folder). One virtual directory uses Windows Authentication, the other is
> > Anonymous. It is hosted on Windows 2003 server.
> >
> > I have a Sign In button; when a user successfully enters credentials they get
> > directed from the anonymous site to the Windows authentication site.
> > There is something on a master page that checks for authentication and
> > directs accordingly.
> >
> > The curious part is when I come to access the site via a browser from
> > another machine. If I access via IP address, I click Sign In, get a Windows
> > security challenge, enter a domain user that has access and everything is
> > fine.
> >
> > If I access via the hostname (hostname is mapped via WINS) I get the
> > challenge as expected, but it never allows the user access; I get a 401 error.
> >
> > Anyone any ideas as to why an IP address would be okay, but the hostname
> > wouldn't be?
> >
> > Thanks,
> >
> > Competitive Dad

RE: ASP.NET and IIS Security

on 29.01.2008 16:26:07 by CompetitiveDad

Hi,

Further information, I do not have this problem if the website is running in
an application pool using an account local to the server. It only happens
when I run the application pool under a domain account.

So there you go, a little bit more to the puzzle.

Thx,

CD

"Competitive Dad" wrote:

> Hi Diffident,
>
> I'm not sure I entirely follow that. If I go on the server and use setspn -L
> to list the SPNs for the server there is an entry for the hostname. I'm not
> aware that you can set an SPN for an IP address.
>
> One thing for sure is I cannot set anything on the client machine because I
> cannot roll anything out on the client machine; access to the system is via a
> browser.
>
> Thx,
>
> CD
>
> "Diffident" wrote:
>
> > You might not have an SPN for the host header while there might be an SPN for
> > the IP address.
> >
> > "Competitive Dad" wrote:
> >
> > > I have a curious issue which is really causing me to scratch my head.
> > >
> > > I have a site that has two virtual directories attached to it (same physical
> > > folder). One virtual directory uses Windows Authentication, the other is
> > > Anonymous. It is hosted on Windows 2003 server.
> > >
> > > I have a Sign In button; when a user successfully enters credentials they get
> > > directed from the anonymous site to the Windows authentication site.
> > > There is something on a master page that checks for authentication and
> > > directs accordingly.
> > >
> > > The curious part is when I come to access the site via a browser from
> > > another machine. If I access via IP address, I click Sign In, get a Windows
> > > security challenge, enter a domain user that has access and everything is
> > > fine.
> > >
> > > If I access via the hostname (hostname is mapped via WINS) I get the
> > > challenge as expected, but it never allows the user access; I get a 401 error.
> > >
> > > Anyone any ideas as to why an IP address would be okay, but the hostname
> > > wouldn't be?
> > >
> > > Thanks,
> > >
> > > Competitive Dad

RE: ASP.NET and IIS Security

on 29.01.2008 17:18:02 by Diffident

Make sure that the domain account's "Trust this account to delegate
credentials" is checked. This option should be checked in Active
Directory under Users, I suppose. Google for that and check it in your Active
Directory.

"Competitive Dad" wrote:

> Hi,
>
> Further information, I do not have this problem if the website is running in
> an application pool using an account local to the server. It only happens
> when I run the application pool under a domain account.
>
> So there you go, a little bit more to the puzzle.
>
> Thx,
>
> CD
>
> "Competitive Dad" wrote:
>
> > Hi Diffident,
> >
> > I'm not sure I entirely follow that. If I go on the server and use setspn -L
> > to list the SPNs for the server there is an entry for the hostname. I'm not
> > aware that you can set an SPN for an IP address.
> >
> > One thing for sure is I cannot set anything on the client machine because I
> > cannot roll anything out on the client machine; access to the system is via a
> > browser.
> >
> > Thx,
> >
> > CD
> >
> > "Diffident" wrote:
> >
> > > You might not have an SPN for the host header while there might be an SPN for
> > > the IP address.
> > >
> > > "Competitive Dad" wrote:
> > >
> > > > I have a curious issue which is really causing me to scratch my head.
> > > >
> > > > I have a site that has two virtual directories attached to it (same physical
> > > > folder). One virtual directory uses Windows Authentication, the other is
> > > > Anonymous. It is hosted on Windows 2003 server.
> > > >
> > > > I have a Sign In button; when a user successfully enters credentials they get
> > > > directed from the anonymous site to the Windows authentication site.
> > > > There is something on a master page that checks for authentication and
> > > > directs accordingly.
> > > >
> > > > The curious part is when I come to access the site via a browser from
> > > > another machine. If I access via IP address, I click Sign In, get a Windows
> > > > security challenge, enter a domain user that has access and everything is
> > > > fine.
> > > >
> > > > If I access via the hostname (hostname is mapped via WINS) I get the
> > > > challenge as expected, but it never allows the user access; I get a 401 error.
> > > >
> > > > Anyone any ideas as to why an IP address would be okay, but the hostname
> > > > wouldn't be?
> > > >
> > > > Thanks,
> > > >
> > > > Competitive Dad

RE: ASP.NET and IIS Security

on 29.01.2008 17:25:02 by Diffident

My dad, you cannot have an SPN for the IP address. Can you also check if
there are two SPNs, one for the host header and the other for the FQDN?

Are you using FQDN or just the host header while accessing the web site?

"Competitive Dad" wrote:

> Hi Diffident,
>
> I'm not sure I entirely follow that. If I go on the server and use setspn -L
> to list the SPNs for the server there is an entry for the hostname. I'm not
> aware that you can set an SPN for an IP address.
>
> One thing for sure is I cannot set anything on the client machine because I
> cannot roll anything out on the client machine; access to the system is via a
> browser.
>
> Thx,
>
> CD
>
> "Diffident" wrote:
>
> > You might not have an SPN for the host header while there might be an SPN for
> > the IP address.
> >
> > "Competitive Dad" wrote:
> >
> > > I have a curious issue which is really causing me to scratch my head.
> > >
> > > I have a site that has two virtual directories attached to it (same physical
> > > folder). One virtual directory uses Windows Authentication, the other is
> > > Anonymous. It is hosted on Windows 2003 server.
> > >
> > > I have a Sign In button which when a user successfully enters credentials
> > > they get directed from the anonymous site to the Windows authentication site.
> > > There is something on a master page that checks for authentication and
> > > directs accordingly.
> > >
> > > The curious part is when I come to access the site via a browser from
> > > another machine. If I access via IP address, I click Sign In, get a Windows
> > > security challenge, enter a domain user that has access and everything is
> > > fine.
> > >
> > > If I access via the hostname (hostname is mapped via WINS) I get the
> > > challenge as expected, but it never allows the user access; I get a 401 error.
> > >
> > > Anyone any ideas as to why an IP address would be okay, but the hostname
> > > wouldn't be?
> > >
> > > Thanks,
> > >
> > > Competitive Dad

RE: ASP.NET and IIS Security

on 30.01.2008 17:15:00 by CompetitiveDad

Hi Diffident,

setspn shows both the hostname and the FQDN. I have tried both when
accessing and get the same problem.

I tried the trusted delegation you suggested, but I cannot set it. It is
only available on a Computer in the domain, not a User, and when I try to set
it I am not allowed. Googling for that showed I need to set 3 domain
policies; I can set 2, but it says I don't have the privileges for the third,
and without it I cannot set the delegation.

Any other thoughts?

Thx,

CD

"Diffident" wrote:

> My dad, you cannot have an SPN for the IP address. Can you also check if
> there are two SPNs, one for the host header and the other for the FQDN?
>
> Are you using FQDN or just the host header while accessing the web site?
>
> "Competitive Dad" wrote:
>
> > Hi Diffident,
> >
> > I'm not sure I entirely follow that. If I go on the server and use setspn -L
> > to list the SPNs for the server there is an entry for the hostname. I'm not
> > aware that you can set an SPN for an IP address.
> >
> > One thing for sure is I cannot set anything on the client machine because I
> > cannot roll anything out on the client machine; access to the system is via a
> > browser.
> >
> > Thx,
> >
> > CD
> >
> > "Diffident" wrote:
> >
> > > You might not have an SPN for the host header while there might be an SPN for
> > > the IP address.
> > >
> > > "Competitive Dad" wrote:
> > >
> > > > I have a curious issue which is really causing me to scratch my head.
> > > >
> > > > I have a site that has two virtual directories attached to it (same physical
> > > > folder). One virtual directory uses Windows Authentication, the other is
> > > > Anonymous. It is hosted on Windows 2003 server.
> > > >
> > > > I have a Sign In button; when a user successfully enters credentials they get
> > > > directed from the anonymous site to the Windows authentication site.
> > > > There is something on a master page that checks for authentication and
> > > > directs accordingly.
> > > >
> > > > The curious part is when I come to access the site via a browser from
> > > > another machine. If I access via IP address, I click Sign In, get a Windows
> > > > security challenge, enter a domain user that has access and everything is
> > > > fine.
> > > >
> > > > If I access via the hostname (hostname is mapped via WINS) I get the
> > > > challenge as expected, but it never allows the user access; I get a 401 error.
> > > >
> > > > Anyone any ideas as to why an IP address would be okay, but the hostname
> > > > wouldn't be?
> > > >
> > > > Thanks,
> > > >
> > > > Competitive Dad
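The pattern in this thread (Kerberos fails only when the application pool runs as a domain account, the IP address keeps working, and `setspn -L` on the server lists HTTP SPNs for both the hostname and the FQDN) usually means the HTTP SPNs sit on the computer account while IIS decrypts the ticket with the pool identity's key. This added example, not code from the thread, parses `setspn -L` output for both accounts and reports where the SPN check fails for each name a browser may use; the account names, hostnames and setspn output are constructed.

```python
import re

# Constructed sample of what `setspn -L <account>` prints; the names are invented.
SETSPN_COMPUTER = """Registered ServicePrincipalNames for CN=WEB01,CN=Computers,DC=example,DC=local:
    HOST/WEB01
    HOST/web01.example.local
    HTTP/WEB01
    HTTP/web01.example.local
"""
SETSPN_POOL_ACCOUNT = """Registered ServicePrincipalNames for CN=svc-web,OU=Service,DC=example,DC=local:
"""


def parse_setspn(output):
    """Return the SPNs (lower-cased) listed in `setspn -L` output."""
    return {line.strip().lower() for line in output.splitlines()
            if re.fullmatch(r"[A-Za-z]+/\S+", line.strip())}


def check_http_spns(pool_runs_as_domain_user, names_used, computer_spns, pool_spns):
    """Classify, per name a browser may type, whether the HTTP SPN is where
    Kerberos needs it: on the app-pool domain account, or (for a local/built-in
    pool identity) on the computer account, where a HOST/ SPN also covers HTTP."""
    findings = {}
    for name in names_used:
        key = name.lower()
        http_spn, host_spn = "http/" + key, "host/" + key
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", key):
            # No SPN exists for an IP address: the browser falls back to NTLM,
            # which is why the IP-address logon in the thread kept working.
            findings[name] = "ip address: no spn, browser uses ntlm"
        elif not pool_runs_as_domain_user:
            ok = http_spn in computer_spns or host_spn in computer_spns
            findings[name] = "ok" if ok else "missing on computer account"
        elif http_spn in pool_spns and http_spn in computer_spns:
            # Two accounts claiming one SPN: the KDC may encrypt the ticket to the wrong key.
            findings[name] = "duplicate spn on computer and pool account: kerberos fails"
        elif http_spn in pool_spns:
            findings[name] = "ok"
        else:
            findings[name] = "missing on pool account: ticket cannot be decrypted, 401"
    return findings


if __name__ == "__main__":
    report = check_http_spns(True, ["WEB01", "web01.example.local", "10.0.0.5"],
                             parse_setspn(SETSPN_COMPUTER), parse_setspn(SETSPN_POOL_ACCOUNT))
    for name, verdict in report.items():
        print(f"{name:24} {verdict}")
```

For the setup in the thread the corrective step is to move the HTTP SPNs to the pool account (`setspn -D` on the computer account, `setspn -A` on the domain user) while leaving the HOST SPNs in place; delegation settings are a separate concern and do not affect this first hop.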