Application Pools, Domain User Accounts and Service Principal Names

Discussion in 'ASP .Net Security' started by Tom McDonnell, Feb 17, 2006.

  1. I've been involved in building an application in ASP.NET which has
    utilised application pools in IIS6 to allow the site to run under the
    credentials of a domain user and authenticate with SQL Server.

    Having recently rolled this application out to a number of sites, we
    have encountered a problem where Windows integrated authentication is
    enabled, but users' credentials are not accepted. I've figured out the
    problem to be due to there being no Service Principal Name for the
    domain account.

    Having found some documentation from Microsoft about this issue, I've
    tried to create the SPN, but it causes authentication to then fail with
    the NETWORK SERVICE user.
    http://msdn.microsoft.com/library/d...0009.asp#paght000009_additionalconsiderations

    How can Windows be configured so both the NETWORK SERVICE and domain
    users can be used to perform Windows authentication in IIS6 application
    pools?
    Tom McDonnell, Feb 17, 2006
    #1
  2. My experience has been that to have an SPN that belongs to the domain
    service account that does not conflict with the SPNs already assigned to the
    machine account, you need a new DNS name and a new A record in DNS for that
    name. Then, if you give the machine account the SPN corresponding to the
    new DNS name, it should be ok.

    Note that I've recently tried to do this with a CNAME record in DNS that
    just aliases the A record associated with the machine account's DNS/SPN, but
    Kerberos seems to be too clever and resolves the alias back to the A record
    name before creating its SPN.

    I feel your pain. :)

    HTH,

    Joe K.

    "Tom McDonnell" <qirexrd_@_hotmail.com> wrote in message
    news:...
    > I've been involved in building an application in ASP.NET which has
    > utilised application pools in IIS6 to allow the site to run under the
    > credentials of a domain user and authenticate with SQL Server.
    >
    > Having recently rolled this application out to a number of sites, we have
    > encountered a problem where Windows integrated authentication is enabled,
    > but users' credentials are not accepted. I've figured out the problem to be
    > due to there being no Service Principal Name for the domain account.
    >
    > Having found some documentation from Microsoft about this issue, I've
    > tried to create the SPN, but it causes authentication to then fail with
    > the NETWORK SERVICE user.
    > http://msdn.microsoft.com/library/d...0009.asp#paght000009_additionalconsiderations
    >
    > How can Windows be configured so both the NETWORK SERVICE and domain users
    > can be used to perform Windows authentication in IIS6 application pools?
    Joe Kaplan \(MVP - ADSI\), Feb 17, 2006
    #2
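    A check for the conflict Joe describes, added here as an example and not code from the thread: it reports whether the site name is a CNAME that will be canonicalised back to the A record, and which accounts hold the HTTP SPN for it. The host and account names are placeholders, and it assumes a domain-joined machine from which `[adsisearcher]` can reach a domain controller.

```powershell
# Added example, not code from the thread. For a site host name and the domain
# account an IIS application pool runs as, report (a) whether the name is a DNS
# alias that Kerberos will canonicalise back to the A record, and (b) which
# accounts hold the HTTP SPN. $SiteHost and $ServiceAccount are placeholders.
param(
    [string]$SiteHost       = 'intranet.corp.example.com',
    [string]$ServiceAccount = 'svc-webapp'
)

function Get-SpnOwners {
    param([string]$Spn)
    # Every account (user or computer) carrying exactly this SPN. Kerberos needs
    # exactly one owner; with two, the KDC cannot issue a usable ticket.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    foreach ($r in $searcher.FindAll()) { $r.Properties['samaccountname'][0] }
}

# (a) DNS: GetHostEntry returns the canonical (A record) name, which is what a
# client puts in its ticket request when the site name is only a CNAME.
$entry = [System.Net.Dns]::GetHostEntry($SiteHost)
if ($entry.HostName -ne $SiteHost) {
    $msg = "{0} is an alias for {1}; clients will request HTTP/{1}, which the machine account usually owns"
    Write-Warning ($msg -f $SiteHost, $entry.HostName)
}

# (b) SPNs: browsers may use the short or the fully qualified name; check both.
$shortHost = $SiteHost.Split('.')[0]
foreach ($spn in @("HTTP/$SiteHost", "HTTP/$shortHost")) {
    $owners = @(Get-SpnOwners -Spn $spn)
    if ($owners.Count -eq 0) {
        "$spn : held by no account (no Kerberos ticket can be issued for it)"
    } elseif ($owners.Count -gt 1) {
        "$spn : DUPLICATE on $($owners -join ', ') (Kerberos auth will fail)"
    } elseif ($owners[0] -ieq $ServiceAccount) {
        "$spn : held by $ServiceAccount (correct for a domain-account app pool)"
    } else {
        "$spn : held by $($owners[0]) (a name ending in '`$' is the machine account; correct only for a NETWORK SERVICE pool)"
    }
}
```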
  3. > Note that I've recently tried to do this with a CNAME record in DNS
    > that just aliases the A record associated with the machine account's
    > DNS/SPN, but Kerberos seems to be too clever and resolves the alias
    > back to the A record name before creating its SPN.


    wow. Interesting.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > My experience has been that to have an SPN that belongs to the domain
    > service account that does not conflict with the SPNs already assigned
    > to the machine account, you need a new DNS name and a new A record in
    > DNS for that name. Then, if you give the machine account the SPN
    > corresponding to the new DNS name, it should be ok.
    >
    > Note that I've recently tried to do this with a CNAME record in DNS
    > that just aliases the A record associated with the machine account's
    > DNS/SPN, but Kerberos seems to be too clever and resolves the alias
    > back to the A record name before creating its SPN.
    >
    > I feel your pain. :)
    >
    > HTH,
    >
    > Joe K.
    >
    > "Tom McDonnell" <qirexrd_@_hotmail.com> wrote in message
    > news:...
    >
    >> I've been involved in building an application in ASP.NET which has
    >> utilised application pools in IIS6 to allow the site to run under the
    >> credentials of a domain user and authenticate with SQL Server.
    >>
    >> Having recently rolled this application out to a number of sites, we
    >> have encountered a problem where Windows integrated authentication is
    >> enabled, but users' credentials are not accepted. I've figured out the
    >> problem to be due to there being no Service Principal Name for the
    >> domain account.
    >>
    >> Having found some documentation from Microsoft about this issue, I've
    >> tried to create the SPN, but it causes authentication to then fail with
    >> the NETWORK SERVICE user.
    >>
    >> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000009.asp#paght000009_additionalconsiderations
    >>
    >> How can Windows be configured so both the NETWORK SERVICE and domain
    >> users can be used to perform Windows authentication in IIS6
    >> application pools?
    >>
    Dominick Baier [DevelopMentor], Feb 17, 2006
    #3
  4. Re: Application Pools, Domain User Accounts and Service Principal Names

    > My experience has been that to have an SPN that belongs to the domain
    > service account that does not conflict with the SPNs already assigned to the
    > machine account, you need a new DNS name and a new A record in DNS for that
    > name. Then, if you give the machine account the SPN corresponding to the
    > new DNS name, it should be ok.


    This is really out of my league; the documentation I have found is
    purely technical, and nothing you can learn from. Well, it's back to
    using .NET impersonation and recording static user credentials in the
    registry...

    > I feel your pain. :)


    The problem is there is no way I can communicate this to Microsoft and
    say HOY! the documentation doesn't go nearly far enough, how 'bout
    improving it! I did send them feedback for the article but I'm sure that
    will just go off into oblivion.

    Thanks Joe.
    Tom McDonnell, Feb 21, 2006
    #4
  5. I'm a pretty big fan of the TechNet "kerberos troubleshooting" article. It
    is the most thorough I've seen.

    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

    The other thing that is critical is enabling event logging for Logon/Logoff
    requests (both success and failure) so that you can see what auth package is
    being used and what SPNs. A lot of those details are recorded in the log
    messages. Learning to use a packet sniffer like netmon or Ethereal can be
    helpful too.

    Unfortunately, there is still some black magic involved when trying to
    figure out why sometimes Negotiate fails over to NTLM. I'm still trying to
    find the magic tool that tells me why Kerberos isn't available when I think
    it should be.

    Best of luck.

    Joe K.

    "Tom McDonnell" <qirexrd_@_hotmail.com> wrote in message
    news:...
    >
    > This is really out of my league; the documentation I have found is purely
    > technical, and nothing you can learn from. Well, it's back to using .NET
    > impersonation and recording static user credentials in the registry...
    >
    >> I feel your pain. :)
    >
    > The problem is there is no way I can communicate this to Microsoft and say
    > HOY! the documentation doesn't go nearly far enough, how 'bout improving
    > it! I did send them feedback for the article but I'm sure that will just
    > go off into oblivion.
    >
    > Thanks Joe.
    Joe Kaplan \(MVP - ADSI\), Feb 22, 2006
    #5
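    An added example, not the thread's own code, for the Logon/Logoff auditing Joe recommends: it reads Security event 4624 XML (the logon event on current Windows versions; the script assumes a modern Security log rather than the 2003-era event IDs) and tallies which authentication package each account used for network logons. The sample events are constructed.

```powershell
# Added example, not code from the thread. Summarise which authentication
# package each account used for network logons, from Security event 4624 XML.
# The sample events below are constructed; the live pipeline is at the end.
function Get-AuthPackageSummary {
    param([Parameter(ValueFromPipeline = $true)][string]$EventXml)
    begin { $rows = New-Object System.Collections.ArrayList }
    process {
        $x = [xml]$EventXml
        $d = @{}
        # EventData is a list of <Data Name="..."> elements; index them by name
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        # Logon type 3 = network logon, which is what IIS Windows auth produces
        if ($d['LogonType'] -eq '3') {
            [void]$rows.Add([pscustomobject]@{
                User    = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Package = $d['AuthenticationPackageName']
            })
        }
    }
    end {
        # One row per user/package pair; an account that shows up under NTLM
        # while others get Kerberos points at an SPN problem on that path
        $rows | Group-Object User, Package | ForEach-Object {
            [pscustomobject]@{ UserAndPackage = $_.Name; Logons = $_.Count }
        }
    }
}

function New-SampleEvent([string]$User, [string]$Type, [string]$Package) {
    # Minimal constructed 4624 body carrying only the fields the summary reads
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID></System>
 <EventData>
  <Data Name="TargetUserName">$User</Data><Data Name="TargetDomainName">CORP</Data>
  <Data Name="LogonType">$Type</Data>
  <Data Name="AuthenticationPackageName">$Package</Data>
 </EventData>
</Event>
"@
}

$sample = @(
    (New-SampleEvent 'jsmith' '3' 'Kerberos'),
    (New-SampleEvent 'jsmith' '3' 'Kerberos'),
    (New-SampleEvent 'adoe'   '3' 'NTLM'),       # this client fell back to NTLM
    (New-SampleEvent 'admin'  '2' 'Negotiate')   # interactive logon, ignored
)
$sample | Get-AuthPackageSummary | Format-Table -AutoSize

# Live use: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} |
#           ForEach-Object { $_.ToXml() } | Get-AuthPackageSummary
```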
  6. Hi,

    it is called ethereal (www.ethereal.com) :)

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > I'm a pretty big fan of the TechNet "kerberos troubleshooting"
    > article. It is the most thorough I've seen.
    >
    > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technol
    > ogies/security/tkerberr.mspx
    >
    > The other thing that is critical is enabling event logging for
    > Logon/Logoff requests (both success and failure) so that you can see
    > what auth package is being used and what SPNs. A lot of those details
    > are recorded in the log messages. Learning to use a packet sniffer
    > like netmon or Ethereal can be helpful too.
    >
    > Unfortunately, there is still some black magic involved when trying to
    > figure out why sometimes Negotiate fails over to NTLM. I'm still
    > trying to find the magic tool that tells me why Kerberos isn't
    > available when I think it should be.
    >
    > Best of luck.
    >
    > Joe K.
    >
    > "Tom McDonnell" <qirexrd_@_hotmail.com> wrote in message
    > news:...
    >
    >> This is really out of my league; the documentation I have found is
    >> purely technical, and nothing you can learn from. Well, it's back to
    >> using .NET impersonation and recording static user credentials in the
    >> registry...
    >>
    >>> I feel your pain. :)
    >>
    >> The problem is there is no way I can communicate this to Microsoft
    >> and say HOY! the documentation doesn't go nearly far enough, how
    >> 'bout improving it! I did send them feedback for the article but I'm
    >> sure that will just go off into oblivion.
    >>
    >> Thanks Joe.
    >>
    Dominick Baier [DevelopMentor], Feb 22, 2006
    #6
  7. I was afraid you would say that.

    However, the problem with it is that sometimes, no Kerberos traffic is
    generated at all, so the reason for NTLM failover is unclear. I still want
    the tool that tells me why.

    I don't want to try to do my work with Ethereal though. :)

    Joe K.

    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > Hi,
    > it is called ethereal (www.ethereal.com) :)
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    Joe Kaplan \(MVP - ADSI\), Feb 22, 2006
    #7
  8. joe -

    you should :)

    tooling is "sub-optimal" i agree.

    When i get back home i have to try the A vs CNAME thing - if there is magic
    involved it must happen on the server - the TGS_REQ looks exactly the same
    IMO.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > I was afraid you would say that.
    >
    > However, the problem with it is that sometimes, no Kerberos traffic is
    > generated at all, so the reason for NTLM failover is unclear. I still
    > want the tool that tells me why.
    >
    > I don't want to try to do my work with Ethereal though. :)
    >
    > Joe K.
    >
    > "Dominick Baier [DevelopMentor]"
    > <> wrote in message
    > news:...
    >
    >> Hi,
    >> it is called ethereal (www.ethereal.com) :)
    >> ---------------------------------------
    >> Dominick Baier - DevelopMentor
    >> http://www.leastprivilege.com
    Dominick Baier [DevelopMentor], Feb 23, 2006
    #8
  9. Let me know what you find. Note that my issues seem to revolve around
    protocol transition/constrained delegation too. I get different/better
    results in some cases with straight Kerberos delegation. With PT, the SPN
    of the delegating process seems to come into play.

    Joe K.

    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > joe -
    > you should :)
    >
    > tooling is "sub-optimal" i agree.
    >
    > When i get back home i have to try the A vs CNAME thing - if there is
    > magic involved it must happen on the server - the TGS_REQ looks exactly
    > the same IMO.
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    >> I was afraid you would say that.
    >>
    >> However, the problem with it is that sometimes, no Kerberos traffic is
    >> generated at all, so the reason for NTLM failover is unclear. I still
    >> want the tool that tells me why.
    >>
    >> I don't want to try to do my work with Ethereal though. :)
    >>
    >> Joe K.
    >>
    >> "Dominick Baier [DevelopMentor]"
    >> <> wrote in message
    >> news:...
    >>
    >>> Hi,
    >>> it is called ethereal (www.ethereal.com) :)
    >>> ---------------------------------------
    >>> Dominick Baier - DevelopMentor
    >>> http://www.leastprivilege.com
    Joe Kaplan \(MVP - ADSI\), Feb 23, 2006
    #9