Constrained delegation question!

Discussion in 'ASP .Net Security' started by Tony201, Jun 22, 2009.

  1. Tony201

    Tony201 Guest

    Can I use constrained delegation to allow my web application to control
    services on a remote server? At the moment, I have code that when run on my
    local machine (XP - no double hop) is able to control services on remote
    servers. However, when I move the web application to an IIS server, I get the
    error listed below. I am guessing that I need to set up an SPN but don't know
    how to do it for the Service Control Manager. Any ideas?

    [Win32Exception (0x80004005): Access is denied]

    [InvalidOperationException: Cannot open Service Control Manager on computer
    'serverxxxx'. This operation might require other privileges.]

    System.ServiceProcess.ServiceController.GetDataBaseHandleWithAccess(String
    machineName, Int32 serviceControlManaqerAccess) +35775

    System.ServiceProcess.ServiceController.GetDataBaseHandleWithEnumerateAccess(String machineName) +9
    System.ServiceProcess.ServiceController.GetServicesOfType(String
    machineName, Int32 serviceType) +143
    System.ServiceProcess.ServiceController.GetServices(String machineName) +9
    AutonomyAdmin.test.test2() +400
    AutonomyAdmin.test.Page_Load(Object sender, EventArgs e) +137
    System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o,
    Object t, EventArgs e) +14
    System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender,
    EventArgs e) +35
    System.Web.UI.Control.OnLoad(EventArgs e) +99
    System.Web.UI.Control.LoadRecursive() +50
    System.Web.UI.Page.ProcessRequestMain(Boolean
    includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +627
     
    Tony201, Jun 22, 2009
    #1

  2. Tony201

    Joe Kaplan Guest

    It should work although I've never tested this scenario.

    I'd suggest delegating the SPN for HOST/server to the IIS app pool identity
    (or the computer account if you use network service or system) to see if
    that works. If you are using the full DNS name to connect to the remote
    machine, use that SPN instead. You can also delegate both.

    If you are getting Kerberos authentication to the remote machine, then the
    constrained delegation should work here. You can check the security event
    logs on the remote machine to discover how you are authenticating. If you
    get NTLM, then it will not work.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    "Tony201" <> wrote in message
    news:...
    > Can I use constrained delegation to allow my web application to control
    > services on a remote server? At the moment, I have code that when run on
    > my
    > local machine (XP - no double hop) is able to control services on remote
    > servers. However, when I move the web application to an IIS server, I get
    > the
    > error listed below. I am guessing that I need to setup an SPN but don't
    > know
    > how to do it for the Service Control Manager. Any ideas?
    >
    > [Win32Exception (0x80004005): Access is denied]
    >
    > [InvalidOperationException: Cannot open Service Control Manager on
    > computer
    > 'serverxxxx'. This operation might require other privileges.]
    >
    > System.ServiceProcess.ServiceController.GetDataBaseHandleWithAccess(String
    > machineName, Int32 serviceControlManaqerAccess) +35775
    >
    > System.ServiceProcess.ServiceController.GetDataBaseHandleWithEnumerateAccess(String
    > machineName) +9
    > System.ServiceProcess.ServiceController.GetServicesOfType(String
    > machineName, Int32 serviceType) +143
    > System.ServiceProcess.ServiceController.GetServices(String machineName)
    > +9
    > AutonomyAdmin.test.test2() +400
    > AutonomyAdmin.test.Page_Load(Object sender, EventArgs e) +137
    > System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o,
    > Object t, EventArgs e) +14
    > System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender,
    > EventArgs e) +35
    > System.Web.UI.Control.OnLoad(EventArgs e) +99
    > System.Web.UI.Control.LoadRecursive() +50
    > System.Web.UI.Page.ProcessRequestMain(Boolean
    > includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +627
    >
     
    Joe Kaplan, Jun 22, 2009
    #2

  3. Tony201

    Tony201 Guest

    Hi Joe,

    Thanks for the reply. For this application, I have already set up delegation
    for SQL Server access, so I have an SPN for my DNS/IIS App Pool Identity. In
    Active Directory under the delegation tab (for IIS App Pool Identity), I have
    allowed delegation to the SQL Server service; however, I don't know how to
    allow delegation to the Service Control Manager. E.g., for SQL Server, under the
    delegation tab, I click add and then type in the account that I created the
    SQL Server SPN for. For allowing Service Control Manager, which user would I
    need to type in and then what service should I add? Alternatively, how would
    I set up an SPN to allow delegation to Windows Services?

    Cheers,
    Tan

    "Joe Kaplan" wrote:

    > It should work although I've never tested this scenario.
    >
    > I'd suggest delegating the SPN for HOST/server to the IIS app pool identity
    > (or the computer account if you use network service or system) to see if
    > that works. If you are using the full DNS name to connect to the remote
    > machine, use that SPN instead. You can also delegate both.
    >
    > If you are getting Kerberos authentication to the remote machine, then the
    > constrained delegation should work here. You can check the security event
    > logs on the remote machine to discover how you are authenticating. If you
    > get NTLM, then it will not work.
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services Programming"
    > http://www.directoryprogramming.net
    > "Tony201" <> wrote in message
    > news:...
    > > Can I use constrained delegation to allow my web application to control
    > > services on a remote server? At the moment, I have code that when run on
    > > my
    > > local machine (XP - no double hop) is able to control services on remote
    > > servers. However, when I move the web application to an IIS server, I get
    > > the
    > > error listed below. I am guessing that I need to setup an SPN but don't
    > > know
    > > how to do it for the Service Control Manager. Any ideas?
    > >
    > > [Win32Exception (0x80004005): Access is denied]
    > >
    > > [InvalidOperationException: Cannot open Service Control Manager on
    > > computer
    > > 'serverxxxx'. This operation might require other privileges.]
    > >
    > > System.ServiceProcess.ServiceController.GetDataBaseHandleWithAccess(String
    > > machineName, Int32 serviceControlManaqerAccess) +35775
    > >
    > > System.ServiceProcess.ServiceController.GetDataBaseHandleWithEnumerateAccess(String
    > > machineName) +9
    > > System.ServiceProcess.ServiceController.GetServicesOfType(String
    > > machineName, Int32 serviceType) +143
    > > System.ServiceProcess.ServiceController.GetServices(String machineName)
    > > +9
    > > AutonomyAdmin.test.test2() +400
    > > AutonomyAdmin.test.Page_Load(Object sender, EventArgs e) +137
    > > System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o,
    > > Object t, EventArgs e) +14
    > > System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender,
    > > EventArgs e) +35
    > > System.Web.UI.Control.OnLoad(EventArgs e) +99
    > > System.Web.UI.Control.LoadRecursive() +50
    > > System.Web.UI.Page.ProcessRequestMain(Boolean
    > > includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +627
    > >

    >
    >
     
    Tony201, Jun 22, 2009
    #3
  4. Tony201

    Joe Kaplan Guest

    The account to delegate to would be the domain computer account for the
    machine running the services. I think you should be able to use the service
    type "HOST" which is a wildcard for a bunch of stuff and typically covers
    these built in RPC things like remote management.

    I'm not sure what this would look like in the GUI exactly. I usually make
    this type of change using a lower level tool but hopefully this gives you
    the idea.

    You should not need to create a new SPN though. You are just delegating to
    an existing one. The HOST/xxx SPNs for the computer account are created
    automatically when the machine is joined to the domain.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    "Tony201" <> wrote in message
    news:...
    > Hi Joe,
    >
    > Thanks for the reply. For this application, I have already setup
    > delegation
    > for SQL Server access so I have an SPN for my DNS/IIS App Pool Identity.
    > In
    > Active Directory under the delegation tab (for IIS App Pool Identity), I
    > have
    > allowed delegation to the SQL Server service, however, I don't know how to
    > allow delegation to the Service Control Manager eg, for SQL Server, under
    > the
    > delegation tab, I click add and then type in the account that I created
    > the
    > SQL Server SPN for. For allowing Service Control Manager, which user would
    > I
    > need to type in and then what service should I add? Alternatively, how
    > would
    > I setup an SPN to allow delegation to Window Services?
    >
    > Cheers,
    > Tan
    >
    > "Joe Kaplan" wrote:
    >
    >> It should work although I've never tested this scenario.
    >>
    >> I'd suggest delegating the SPN for HOST/server to the IIS app pool
    >> identity
    >> (or the computer account if you use network service or system) to see if
    >> that works. If you are using the full DNS name to connect to the remote
    >> machine, use that SPN instead. You can also delegate both.
    >>
    >> If you are getting Kerberos authentication to the remote machine, then
    >> the
    >> constrained delegation should work here. You can check the security
    >> event
    >> logs on the remote machine to discover how you are authenticating. If
    >> you
    >> get NTLM, then it will not work.
    >>
    >> --
    >> Joe Kaplan-MS MVP Directory Services Programming
    >> Co-author of "The .NET Developer's Guide to Directory Services
    >> Programming"
    >> http://www.directoryprogramming.net
    >> "Tony201" <> wrote in message
    >> news:...
    >> > Can I use constrained delegation to allow my web application to
    >> > control
    >> > services on a remote server? At the moment, I have code that when run
    >> > on
    >> > my
    >> > local machine (XP - no double hop) is able to control services on
    >> > remote
    >> > servers. However, when I move the web application to an IIS server, I
    >> > get
    >> > the
    >> > error listed below. I am guessing that I need to setup an SPN but
    >> > don't
    >> > know
    >> > how to do it for the Service Control Manager. Any ideas?
    >> >
    >> > [Win32Exception (0x80004005): Access is denied]
    >> >
    >> > [InvalidOperationException: Cannot open Service Control Manager on
    >> > computer
    >> > 'serverxxxx'. This operation might require other privileges.]
    >> >
    >> > System.ServiceProcess.ServiceController.GetDataBaseHandleWithAccess(String
    >> > machineName, Int32 serviceControlManaqerAccess) +35775
    >> >
    >> > System.ServiceProcess.ServiceController.GetDataBaseHandleWithEnumerateAccess(String
    >> > machineName) +9
    >> > System.ServiceProcess.ServiceController.GetServicesOfType(String
    >> > machineName, Int32 serviceType) +143
    >> > System.ServiceProcess.ServiceController.GetServices(String
    >> > machineName)
    >> > +9
    >> > AutonomyAdmin.test.test2() +400
    >> > AutonomyAdmin.test.Page_Load(Object sender, EventArgs e) +137
    >> > System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object
    >> > o,
    >> > Object t, EventArgs e) +14
    >> > System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object
    >> > sender,
    >> > EventArgs e) +35
    >> > System.Web.UI.Control.OnLoad(EventArgs e) +99
    >> > System.Web.UI.Control.LoadRecursive() +50
    >> > System.Web.UI.Page.ProcessRequestMain(Boolean
    >> > includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    >> > +627
    >> >

    >>
    >>
     
    Joe Kaplan, Jun 22, 2009
    #4
  5. Tony201

    Tony201 Guest

    Hi Joe,

    You are right, there is a service called HOST on the target server, which I
    have now delegated to the IIS AppPool account. However, I am still getting
    access denied. The one thing I forgot to mention in my earlier posts is that
    when I browse to the application locally (i.e. on the web server), it works;
    however, when I browse to it from an XP box I get access denied.

    The thing that perplexes me is that there are no failure audit events on
    any of the servers, including the domain controllers. The only two events that
    might be related (i.e. they are generated every time I browse to the application
    from my XP box and they mention the web server name) are listed below.

    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 540
    Date: 23/06/2009
    Time: 10:22:03
    User: NT AUTHORITY\ANONYMOUS LOGON
    Computer: TARGET-SERVER
    Description:
    Successful Network Logon:
    User Name:
    Domain:
    Logon ID: (0x0,0x7D98711)
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: WEB-SERVER
    Logon GUID: -
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 172.16.224.1
    Source Port: 0
    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.

    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 538
    Date: 23/06/2009
    Time: 10:22:06
    User: NT AUTHORITY\ANONYMOUS LOGON
    Computer: TARGET-SERVER
    Description:
    User Logoff:
    User Name: ANONYMOUS LOGON
    Domain: NT AUTHORITY
    Logon ID: (0x0,0x7D98711)
    Logon Type: 3
    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.


    "Joe Kaplan" wrote:

    > The account to delegate to would be the domain computer account for the
    > machine running the services. I think you should be able to use the service
    > type "HOST" which is a wildcard for a bunch of stuff and typically covers
    > these built in RPC things like remote management.
    >
    > I'm not sure what this would look like in the GUI exactly. I usually make
    > this type of change using a lower level tool but hopefully this gives you
    > the idea.
    >
    > You should not need to create a new SPN though. You are just delegating to
    > an existing one. The HOST/xxx SPNs for the computer account are created
    > automatically when the machine is joined to the domain.
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services Programming"
    > http://www.directoryprogramming.net
    > "Tony201" <> wrote in message
    > news:...
    > > Hi Joe,
    > >
    > > Thanks for the reply. For this application, I have already setup
    > > delegation
    > > for SQL Server access so I have an SPN for my DNS/IIS App Pool Identity.
    > > In
    > > Active Directory under the delegation tab (for IIS App Pool Identity), I
    > > have
    > > allowed delegation to the SQL Server service, however, I don't know how to
    > > allow delegation to the Service Control Manager eg, for SQL Server, under
    > > the
    > > delegation tab, I click add and then type in the account that I created
    > > the
    > > SQL Server SPN for. For allowing Service Control Manager, which user would
    > > I
    > > need to type in and then what service should I add? Alternatively, how
    > > would
    > > I setup an SPN to allow delegation to Window Services?
    > >
    > > Cheers,
    > > Tan
    > >
    > > "Joe Kaplan" wrote:
    > >
    > >> It should work although I've never tested this scenario.
    > >>
    > >> I'd suggest delegating the SPN for HOST/server to the IIS app pool
    > >> identity
    > >> (or the computer account if you use network service or system) to see if
    > >> that works. If you are using the full DNS name to connect to the remote
    > >> machine, use that SPN instead. You can also delegate both.
    > >>
    > >> If you are getting Kerberos authentication to the remote machine, then
    > >> the
    > >> constrained delegation should work here. You can check the security
    > >> event
    > >> logs on the remote machine to discover how you are authenticating. If
    > >> you
    > >> get NTLM, then it will not work.
    > >>
    > >> --
    > >> Joe Kaplan-MS MVP Directory Services Programming
    > >> Co-author of "The .NET Developer's Guide to Directory Services
    > >> Programming"
    > >> http://www.directoryprogramming.net
    > >> "Tony201" <> wrote in message
    > >> news:...
    > >> > Can I use constrained delegation to allow my web application to
    > >> > control
    > >> > services on a remote server? At the moment, I have code that when run
    > >> > on
    > >> > my
    > >> > local machine (XP - no double hop) is able to control services on
    > >> > remote
    > >> > servers. However, when I move the web application to an IIS server, I
    > >> > get
    > >> > the
    > >> > error listed below. I am guessing that I need to setup an SPN but
    > >> > don't
    > >> > know
    > >> > how to do it for the Service Control Manager. Any ideas?
    > >> >
    > >> > [Win32Exception (0x80004005): Access is denied]
    > >> >
    > >> > [InvalidOperationException: Cannot open Service Control Manager on
    > >> > computer
    > >> > 'serverxxxx'. This operation might require other privileges.]
    > >> >
    > >> > System.ServiceProcess.ServiceController.GetDataBaseHandleWithAccess(String
    > >> > machineName, Int32 serviceControlManaqerAccess) +35775
    > >> >
    > >> > System.ServiceProcess.ServiceController.GetDataBaseHandleWithEnumerateAccess(String
    > >> > machineName) +9
    > >> > System.ServiceProcess.ServiceController.GetServicesOfType(String
    > >> > machineName, Int32 serviceType) +143
    > >> > System.ServiceProcess.ServiceController.GetServices(String
    > >> > machineName)
    > >> > +9
    > >> > AutonomyAdmin.test.test2() +400
    > >> > AutonomyAdmin.test.Page_Load(Object sender, EventArgs e) +137
    > >> > System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object
    > >> > o,
    > >> > Object t, EventArgs e) +14
    > >> > System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object
    > >> > sender,
    > >> > EventArgs e) +35
    > >> > System.Web.UI.Control.OnLoad(EventArgs e) +99
    > >> > System.Web.UI.Control.LoadRecursive() +50
    > >> > System.Web.UI.Page.ProcessRequestMain(Boolean
    > >> > includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    > >> > +627
    > >> >
    > >>
    > >>

    >
    >
     
    Tony201, Jun 23, 2009
    #5
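The two Security-log events quoted above show a network logon by NT AUTHORITY\ANONYMOUS LOGON over NTLM with the web server as the workstation name, which is the signature of the middle tier reaching the target without any credentials it could forward. As an added example (not part of the original thread, and not Tony's or Joe's code), here is a Python script that parses events pasted in that Event Viewer "Field: value" format and reports, for each logon event, whether the target was reached with Kerberos or NTLM. The first two records are the ones posted, trimmed to the fields the script reads; the third is a constructed Kerberos logon for contrast (the account EXAMPLE\webapp-user and its logon ID are made up). Event ID 4624 is accepted alongside 540 because it replaced 540 on Windows Vista/Server 2008 and later.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two events quoted in the post above (Windows
# Server 2003-era Event ID 540 logon / 538 logoff), trimmed to the fields this
# script reads, plus one constructed Kerberos logon for contrast. The account
# EXAMPLE\webapp-user and logon ID 0x7D9A120 are made up.
SAMPLE_EVENTS = """\
Event ID: 540
User: NT AUTHORITY\\ANONYMOUS LOGON
Computer: TARGET-SERVER
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x7D98711)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: WEB-SERVER
Source Network Address: 172.16.224.1

Event ID: 538
User: NT AUTHORITY\\ANONYMOUS LOGON
Computer: TARGET-SERVER
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x7D98711)
Logon Type: 3

Event ID: 540
User: EXAMPLE\\webapp-user
Computer: TARGET-SERVER
Description:
Successful Network Logon:
User Name: webapp-user
Domain: EXAMPLE
Logon ID: (0x0,0x7D9A120)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Source Network Address: 172.16.224.1
"""

FIELD = re.compile(r"^([^:]+):\s*(.*)$")
# 540 is the network-logon event on Windows 2000/2003; 4624 replaced it from Vista/2008 on.
LOGON_EVENT_IDS = {"540", "4624"}


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split Event Viewer 'Field: value' text into one dict per blank-line-separated record."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line.strip())
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if fields:
            records.append(fields)
    return records


def classify_logon(ev: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (verdict, explanation) for a logon event, or None for any other event.

    The verdict answers the question the thread turns on: did the middle tier
    reach this host with Kerberos (so constrained delegation can apply) or
    with NTLM (so it cannot)?
    """
    if ev.get("Event ID") not in LOGON_EVENT_IDS:
        return None
    package = ev.get("Authentication Package", "").upper()
    user = ev.get("User", "")
    workstation = ev.get("Workstation Name") or "-"
    source = ev.get("Source Network Address", "-")
    if package == "KERBEROS":
        return ("kerberos", f"Kerberos logon as {user} from {source}: a service ticket "
                            f"for this host was presented, so delegation can work")
    if package == "NTLM" and "ANONYMOUS LOGON" in user.upper():
        return ("ntlm-anonymous", f"NTLM null session from {workstation} ({source}): the "
                                  f"caller had no credentials to forward, so no Kerberos "
                                  f"ticket exists and constrained delegation cannot apply")
    if package == "NTLM":
        return ("ntlm", f"NTLM logon as {user} from {workstation}: delegation cannot apply; "
                        f"check the SPN and that the target was addressed by host name")
    return ("unknown", f"unrecognised authentication package {package!r}")


def diagnose(text: str) -> List[Tuple[str, str, str]]:
    """Return (event id, verdict, explanation) for every logon event in the pasted text."""
    results = []
    for ev in parse_events(text):
        verdict = classify_logon(ev)
        if verdict:
            results.append((ev["Event ID"], verdict[0], verdict[1]))
    return results


if __name__ == "__main__":
    for event_id, verdict, why in diagnose(SAMPLE_EVENTS):
        print(f"Event {event_id}: {verdict}\n    {why}")
```

Run against the posted events, the 540 record comes back as `ntlm-anonymous`, the 538 logoff is ignored, and only the constructed third record is classified as `kerberos`. The absence of any failure audit is consistent with this: an anonymous NTLM logon is a successful logon as far as the target's LSA is concerned, and the access-denied error is raised afterwards by the Service Control Manager's own access check.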
  7. Tony201

    Joe Kaplan Guest

    Normally when you see an anonymous login being attempted with NTLM, it is
    because the client did not attempt Kerberos authentication to access the
    remote server.

    When you connect to the remote machine in your code to manage the service
    control manager, are you using an IP address or the host name? Kerb
    requires the use of the host name.

    You might start by using a simple console app on the web server to access
    the remote SCM and seeing what type of authentication is recorded on the
    remote machine in the security event log. What you are looking for is a
    Kerberos-based authentication to that machine. If you can only get NTLM
    auth to the remote machine, you won't be able to get Kerb delegation to
    work. Hopefully this helps flesh out your mental model.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    "Tony201" <> wrote in message
    news:...
    > Hi Joe,
    >
    > You are right there is a service called HOST on the target server which I
    > have now delegated to the IIS AppPool account. However I am still getting
    > access denied. The one thing I forgot to mention in my earlier posts is
    > that
    > when I browse to the application locally (i.e on the web server), it
    > works,
    > however, when I browse to it from an XP box I get access denied.
    >
    > The thing that perplexes me is that there are no failure audit events on
    > any of the servers including the domain controllers. The only 2 events
    > that
    > might be related i.e they are generated every time I browse to the
    > application
    > from my XP box and they mention the web server name. I have listed these
    > below.
    >
    > Event Type: Success Audit
    > Event Source: Security
    > Event Category: Logon/Logoff
    > Event ID: 540
    > Date: 23/06/2009
    > Time: 10:22:03
    > User: NT AUTHORITY\ANONYMOUS LOGON
    > Computer: TARGET-SERVER
    > Description:
    > Successful Network Logon:
    > User Name:
    > Domain:
    > Logon ID: (0x0,0x7D98711)
    > Logon Type: 3
    > Logon Process: NtLmSsp
    > Authentication Package: NTLM
    > Workstation Name: WEB-SERVER
    > Logon GUID: -
    > Caller User Name: -
    > Caller Domain: -
    > Caller Logon ID: -
    > Caller Process ID: -
    > Transited Services: -
    > Source Network Address: 172.16.224.1
    > Source Port: 0
    > For more information, see Help and Support Center at
    > http://go.microsoft.com/fwlink/events.asp.
    >
    > Event Type: Success Audit
    > Event Source: Security
    > Event Category: Logon/Logoff
    > Event ID: 538
    > Date: 23/06/2009
    > Time: 10:22:06
    > User: NT AUTHORITY\ANONYMOUS LOGON
    > Computer: TARGET-SERVER
    > Description:
    > User Logoff:
    > User Name: ANONYMOUS LOGON
    > Domain: NT AUTHORITY
    > Logon ID: (0x0,0x7D98711)
    > Logon Type: 3
    > For more information, see Help and Support Center at
    > http://go.microsoft.com/fwlink/events.asp.
    >
    >
    > "Joe Kaplan" wrote:
    >
    >> The account to delegate to would be the domain computer account for the
    >> machine running the services. I think you should be able to use the
    >> service
    >> type "HOST" which is a wildcard for a bunch of stuff and typically covers
    >> these built in RPC things like remote management.
    >>
    >> I'm not sure what this would look like in the GUI exactly. I usually
    >> make
    >> this type of change using a lower level tool but hopefully this gives you
    >> the idea.
    >>
    >> You should not need to create a new SPN though. You are just delegating
    >> to
    >> an existing one. The HOST/xxx SPNs for the computer account are created
    >> automatically when the machine is joined to the domain.
    >>
    >> --
    >> Joe Kaplan-MS MVP Directory Services Programming
    >> Co-author of "The .NET Developer's Guide to Directory Services
    >> Programming"
    >> http://www.directoryprogramming.net
    >> "Tony201" <> wrote in message
    >> news:...
    >> > Hi Joe,
    >> >
    >> > Thanks for the reply. For this application, I have already setup
    >> > delegation
    >> > for SQL Server access so I have an SPN for my DNS/IIS App Pool
    >> > Identity.
    >> > In
    >> > Active Directory under the delegation tab (for IIS App Pool Identity),
    >> > I
    >> > have
    >> > allowed delegation to the SQL Server service, however, I don't know how
    >> > to
    >> > allow delegation to the Service Control Manager eg, for SQL Server,
    >> > under
    >> > the
    >> > delegation tab, I click add and then type in the account that I created
    >> > the
    >> > SQL Server SPN for. For allowing Service Control Manager, which user
    >> > would
    >> > I
    >> > need to type in and then what service should I add? Alternatively, how
    >> > would
    >> > I setup an SPN to allow delegation to Window Services?
    >> >
    >> > Cheers,
    >> > Tan
    >> >
    >> > "Joe Kaplan" wrote:
    >> >
    >> >> It should work although I've never tested this scenario.
    >> >>
    >> >> I'd suggest delegating the SPN for HOST/server to the IIS app pool
    >> >> identity
    >> >> (or the computer account if you use network service or system) to see
    >> >> if
    >> >> that works. If you are using the full DNS name to connect to the
    >> >> remote
    >> >> machine, use that SPN instead. You can also delegate both.
    >> >>
    >> >> If you are getting Kerberos authentication to the remote machine, then
    >> >> the
    >> >> constrained delegation should work here. You can check the security
    >> >> event
    >> >> logs on the remote machine to discover how you are authenticating. If
    >> >> you
    >> >> get NTLM, then it will not work.
    >> >>
    >> >> --
    >> >> Joe Kaplan-MS MVP Directory Services Programming
    >> >> Co-author of "The .NET Developer's Guide to Directory Services
    >> >> Programming"
    >> >> http://www.directoryprogramming.net
    >> >> "Tony201" <> wrote in message
    >> >> news:...
    >> >> > Can I use constrained delegation to allow my web application to
    >> >> > control
    >> >> > services on a remote server? At the moment, I have code that when
    >> >> > run
    >> >> > on
    >> >> > my
    >> >> > local machine (XP - no double hop) is able to control services on
    >> >> > remote
    >> >> > servers. However, when I move the web application to an IIS server,
    >> >> > I
    >> >> > get
    >> >> > the
    >> >> > error listed below. I am guessing that I need to set up an SPN but
    >> >> > don't
    >> >> > know
    >> >> > how to do it for the Service Control Manager. Any ideas?
    >> >> >
    >> >> > [Win32Exception (0x80004005): Access is denied]
    >> >> >
    >> >> > [InvalidOperationException: Cannot open Service Control Manager on
    >> >> > computer
    >> >> > 'serverxxxx'. This operation might require other privileges.]
    >> >> >
    >> >> > System.ServiceProcess.ServiceController.GetDataBaseHandleWithAccess(String
    >> >> > machineName, Int32 serviceControlManaqerAccess) +35775
    >> >> >
    >> >> > System.ServiceProcess.ServiceController.GetDataBaseHandleWithEnumerateAccess(String
    >> >> > machineName) +9
    >> >> > System.ServiceProcess.ServiceController.GetServicesOfType(String
    >> >> > machineName, Int32 serviceType) +143
    >> >> > System.ServiceProcess.ServiceController.GetServices(String
    >> >> > machineName)
    >> >> > +9
    >> >> > AutonomyAdmin.test.test2() +400
    >> >> > AutonomyAdmin.test.Page_Load(Object sender, EventArgs e) +137
    >> >> > System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp,
    >> >> > Object
    >> >> > o,
    >> >> > Object t, EventArgs e) +14
    >> >> > System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object
    >> >> > sender,
    >> >> > EventArgs e) +35
    >> >> > System.Web.UI.Control.OnLoad(EventArgs e) +99
    >> >> > System.Web.UI.Control.LoadRecursive() +50
    >> >> > System.Web.UI.Page.ProcessRequestMain(Boolean
    >> >> > includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    >> >> > +627
    >> >> >
    >> >>
    >> >>

    >>
    >>
     
    Joe Kaplan, Jun 23, 2009
    #7
  8. Tony201

    Tony201 Guest

    Joe,

    I am using the hostname in my code:

    dGrid.DataSource = ServiceController.GetServices("serverxxxx");

    On the web server, I tried browsing to the application using the IP address.
    This works and I get events logged that indicate that Kerb authentication
    has taken place (see below). However, when I use the DNS name to browse to
    the application, it gives me an access denied error and I get the NT
    AUTHORITY\ANONYMOUS LOGON event. I am not sure why this is so.

    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 538
    Date: 24/06/2009
    Time: 11:35:07
    User: Domain\Username
    Computer: TargetServer
    Description:
    User Logoff:
    User Name: Username
    Domain: WEB
    Logon ID: (0x0,0x98B42A2)
    Logon Type: 3
    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.


    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 540
    Date: 24/06/2009
    Time: 11:34:36
    User: Domain\Username
    Computer: TargetServer
    Description:
    Successful Network Logon:
    User Name: Username
    Domain: Domain
    Logon ID: (0x0,0x98B42A2)
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name:
    Logon GUID: {2c253827-89be-8166-d10a-865d2075808e}
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 172.16.224.1
    Source Port: 0
    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.

    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 576
    Date: 24/06/2009
    Time: 11:34:36
    User: Domain\Username
    Computer: TargetServer
    Description:
    Special privileges assigned to new logon:
    User Name: Username
    Domain: Domain
    Logon ID: (0x0,0x98B42A2)
    Privileges: SeSecurityPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeTakeOwnershipPrivilege
    SeDebugPrivilege
    SeSystemEnvironmentPrivilege
    SeLoadDriverPrivilege
    SeImpersonatePrivilege
    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.




    "Joe Kaplan" wrote:

    > Normally when you see an anonymous login being attempted with NTLM, it is
    > because the client did not attempt Kerberos authentication to access the
    > remote server.
    >
    > When you connect to the remote machine in your code to manage the service
    > control manager, are you using an IP address or the host name? Kerb
    > requires the use of the host name.
    >
    > You might start by using a simple console app on the web server to access
    > the remote SCM and seeing what type of authentication is recorded on the
    > remote machine in the security event log. What you are looking for is a
    > kerberos-based authentication to that machine. If you can only get NTLM
    > auth to the remote machine, you won't be able to get Kerb delegation to
    > work. Hopefully this helps flesh out your mental model.
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services Programming"
    > http://www.directoryprogramming.net
    > "Tony201" <> wrote in message
    > news:...
    > > Hi Joe,
    > >
    > > You are right, there is a service called HOST on the target server which I
    > > have now delegated to the IIS AppPool account. However, I am still getting
    > > access denied. The one thing I forgot to mention in my earlier posts is
    > > that
    > > when I browse to the application locally (i.e. on the web server), it
    > > works,
    > > however, when I browse to it from an XP box I get access denied.
    > >
    > > The thing that perplexes me is that there are no failure audit events on
    > > any of the servers including the domain controllers. The only 2 events
    > > that
    > > might be related, i.e. they are generated every time I browse to the
    > > application
    > > from my XP box and they mention the web server name. I have listed these
    > > below.
    > >
    > > Event Type: Success Audit
    > > Event Source: Security
    > > Event Category: Logon/Logoff
    > > Event ID: 540
    > > Date: 23/06/2009
    > > Time: 10:22:03
    > > User: NT AUTHORITY\ANONYMOUS LOGON
    > > Computer: TARGET-SERVER
    > > Description:
    > > Successful Network Logon:
    > > User Name:
    > > Domain:
    > > Logon ID: (0x0,0x7D98711)
    > > Logon Type: 3
    > > Logon Process: NtLmSsp
    > > Authentication Package: NTLM
    > > Workstation Name: WEB-SERVER
    > > Logon GUID: -
    > > Caller User Name: -
    > > Caller Domain: -
    > > Caller Logon ID: -
    > > Caller Process ID: -
    > > Transited Services: -
    > > Source Network Address: 172.16.224.1
    > > Source Port: 0
    > > For more information, see Help and Support Center at
    > > http://go.microsoft.com/fwlink/events.asp.
    > >
    > > Event Type: Success Audit
    > > Event Source: Security
    > > Event Category: Logon/Logoff
    > > Event ID: 538
    > > Date: 23/06/2009
    > > Time: 10:22:06
    > > User: NT AUTHORITY\ANONYMOUS LOGON
    > > Computer: TARGET-SERVER
    > > Description:
    > > User Logoff:
    > > User Name: ANONYMOUS LOGON
    > > Domain: NT AUTHORITY
    > > Logon ID: (0x0,0x7D98711)
    > > Logon Type: 3
    > > For more information, see Help and Support Center at
    > > http://go.microsoft.com/fwlink/events.asp.
    > >
    > >
    > > "Joe Kaplan" wrote:
    > >
    > >> The account to delegate to would be the domain computer account for the
    > >> machine running the services. I think you should be able to use the
    > >> service
    > >> type "HOST" which is a wildcard for a bunch of stuff and typically covers
    > >> these built in RPC things like remote management.
    > >>
    > >> I'm not sure what this would look like in the GUI exactly. I usually
    > >> make
    > >> this type of change using a lower level tool but hopefully this gives you
    > >> the idea.
    > >>
    > >> You should not need to create a new SPN though. You are just delegating
    > >> to
    > >> an existing one. The HOST/xxx SPNs for the computer account are created
    > >> automatically when the machine is joined to the domain.
    > >>
    > >> --
    > >> Joe Kaplan-MS MVP Directory Services Programming
    > >> Co-author of "The .NET Developer's Guide to Directory Services
    > >> Programming"
    > >> http://www.directoryprogramming.net
    > >> "Tony201" <> wrote in message
    > >> news:...
    > >> > Hi Joe,
    > >> >
    > >> > Thanks for the reply. For this application, I have already set up
    > >> > delegation
    > >> > for SQL Server access so I have an SPN for my DNS/IIS App Pool
    > >> > Identity.
    > >> > In
    > >> > Active Directory under the delegation tab (for IIS App Pool Identity),
    > >> > I
    > >> > have
    > >> > allowed delegation to the SQL Server service, however, I don't know how
    > >> > to
    > >> > allow delegation to the Service Control Manager, e.g. for SQL Server,
    > >> > under
    > >> > the
    > >> > delegation tab, I click add and then type in the account that I created
    > >> > the
    > >> > SQL Server SPN for. For allowing Service Control Manager, which user
    > >> > would
    > >> > I
    > >> > need to type in and then what service should I add? Alternatively, how
    > >> > would
    > >> > I set up an SPN to allow delegation to Windows Services?
    > >> >
    > >> > Cheers,
    > >> > Tan
    > >> >
    > >> > "Joe Kaplan" wrote:
    > >> >
    > >> >> It should work although I've never tested this scenario.
    > >> >>
    > >> >> I'd suggest delegating the SPN for HOST/server to the IIS app pool
    > >> >> identity
    > >> >> (or the computer account if you use network service or system) to see
    > >> >> if
    > >> >> that works. If you are using the full DNS name to connect to the
    > >> >> remote
    > >> >> machine, use that SPN instead. You can also delegate both.
    > >> >>
    > >> >> If you are getting Kerberos authentication to the remote machine, then
    > >> >> the
    > >> >> constrained delegation should work here. You can check the security
    > >> >> event
    > >> >> logs on the remote machine to discover how you are authenticating. If
    > >> >> you
    > >> >> get NTLM, then it will not work.
    > >> >>
    > >> >> --
    > >> >> Joe Kaplan-MS MVP Directory Services Programming
    > >> >> Co-author of "The .NET Developer's Guide to Directory Services
    > >> >> Programming"
    > >> >> http://www.directoryprogramming.net
    > >> >> "Tony201" <> wrote in message
    > >> >> news:...
    > >> >> > Can I use constrained delegation to allow my web application to
    > >> >> > control
    > >> >> > services on a remote server? At the moment, I have code that when
    > >> >> > run
    > >> >> > on
    > >> >> > my
    > >> >> > local machine (XP - no double hop) is able to control services on
    > >> >> > remote
    > >> >> > servers. However, when I move the web application to an IIS server,
    > >> >> > I
    > >> >> > get
    > >> >> > the
    > >> >> > error listed below. I am guessing that I need to set up an SPN but
    > >> >> > don't
    > >> >> > know
    > >> >> > how to do it for the Service Control Manager. Any ideas?
    > >> >> >
    > >> >> > [Win32Exception (0x80004005): Access is denied]
    > >> >> >
    > >> >> > [InvalidOperationException: Cannot open Service Control Manager on
    > >> >> > computer
    > >> >> > 'serverxxxx'. This operation might require other privileges.]
    > >> >> >
    > >> >> > System.ServiceProcess.ServiceController.GetDataBaseHandleWithAccess(String
    > >> >> > machineName, Int32 serviceControlManaqerAccess) +35775
    > >> >> >
    > >> >> > System.ServiceProcess.ServiceController.GetDataBaseHandleWithEnumerateAccess(String
    > >> >> > machineName) +9
    > >> >> > System.ServiceProcess.ServiceController.GetServicesOfType(String
    > >> >> > machineName, Int32 serviceType) +143
    > >> >> > System.ServiceProcess.ServiceController.GetServices(String
    > >> >> > machineName)
    > >> >> > +9
    > >> >> > AutonomyAdmin.test.test2() +400
    > >> >> > AutonomyAdmin.test.Page_Load(Object sender, EventArgs e) +137
    > >> >> > System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp,
    > >> >> > Object
    > >> >> > o,
    > >> >> > Object t, EventArgs e) +14
    > >> >> > System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object
    > >> >> > sender,
    > >> >> > EventArgs e) +35
    > >> >> > System.Web.UI.Control.OnLoad(EventArgs e) +99
    > >> >> > System.Web.UI.Control.LoadRecursive() +50
    > >> >> > System.Web.UI.Page.ProcessRequestMain(Boolean
    > >> >> > includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    > >> >> > +627
    > >> >> >
    > >> >>
    > >> >>
    > >>
    > >>

    >
    >
     
    Tony201, Jun 24, 2009
    #8
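    Joe's advice in this thread is to read the target server's security audits and look at which authentication package the network logon used. The following is an added example, not code from the thread or from any of its participants, that automates that reading: it parses the text export format Tony posted (Event ID 540, "Successful Network Logon") and flags whether each logon is one that constrained delegation can build on. The sample records are constructed placeholders modeled on the two shapes posted above, a Kerberos logon for a named user and an NTLM null session from the web server; names, logon IDs and addresses are not real data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records in the shape of the Security log entries posted
# in the thread (Event ID 540, "Successful Network Logon"). Names, logon IDs
# and addresses are placeholders, not data from a real system.
SAMPLE_EVENTS = """\
Event Type: Success Audit
Event ID: 540
User: Domain\\Username
Computer: TargetServer
Successful Network Logon:
User Name: Username
Domain: Domain
Logon ID: (0x0,0x98B42A2)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Source Network Address: 172.16.224.1

Event Type: Success Audit
Event ID: 540
User: NT AUTHORITY\\ANONYMOUS LOGON
Computer: TARGET-SERVER
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x7D98711)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: WEB-SERVER
Source Network Address: 172.16.224.1

Event Type: Success Audit
Event ID: 538
User: NT AUTHORITY\\ANONYMOUS LOGON
Computer: TARGET-SERVER
User Logoff:
Logon ID: (0x0,0x7D98711)
Logon Type: 3
"""


@dataclass
class LogonVerdict:
    event_id: int
    user: str
    package: str
    workstation: str
    delegation_possible: bool
    reason: str


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split the export into records (blank-line separated) and each record into 'Key: Value' fields."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # lines without a colon (e.g. a privilege list) carry no field
                fields[key.strip()] = value.strip()
        records.append(fields)
    return records


def classify_logon(fields: Dict[str, str]) -> Optional[LogonVerdict]:
    """Judge a 540 network logon; logoff (538) and privilege (576) events carry no auth package."""
    try:
        event_id = int(fields.get("Event ID", ""))
    except ValueError:
        return None
    if event_id != 540:
        return None
    user = fields.get("User", "")
    package = fields.get("Authentication Package", "")
    workstation = fields.get("Workstation Name", "") or "(not recorded)"
    anonymous = "ANONYMOUS LOGON" in user.upper()
    if package == "Kerberos" and not anonymous:
        ok, reason = True, ("Kerberos ticket for %s accepted: the caller's identity reached "
                            "this host, so constrained delegation from the middle tier can apply" % user)
    elif package == "NTLM" and anonymous:
        ok, reason = False, ("NTLM null session from %s: the middle tier held no delegable "
                             "credential for the caller (double-hop failure)" % workstation)
    elif package == "NTLM":
        ok, reason = False, "NTLM logon for %s: Kerberos was not negotiated, delegation cannot work" % user
    else:
        ok, reason = False, "unrecognised authentication package %r" % package
    return LogonVerdict(event_id, user, package, workstation, ok, reason)


def audit(text: str) -> List[LogonVerdict]:
    """Classify every network logon in an exported Security log extract."""
    return [v for v in (classify_logon(f) for f in parse_events(text)) if v is not None]


if __name__ == "__main__":
    for v in audit(SAMPLE_EVENTS):
        print("%s  %-8s %s" % ("OK  " if v.delegation_possible else "FAIL", v.package, v.reason))
```

    A 540 event with Authentication Package Kerberos and a real user name is the state Joe describes as required. A 540 event with Logon Process NtLmSsp, user NT AUTHORITY\ANONYMOUS LOGON and the web server as Workstation Name is the signature of the double-hop failure: the middle tier reached the target, but with no credential it was allowed to forward. Remote access to the Service Control Manager is RPC carried over SMB named pipes, so the service ticket the web server must obtain on the user's behalf is for the target machine's cifs SPN, which is the entry to look for in the app pool account's delegation list.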
  9. Tony201

    Joe Kaplan Guest

    The event logs we need to know about are the ones on the server running the
    services you are controlling remotely.

    Can you show what happens when you have a console app that accesses the
    remote server running the services in terms of the security audits on the
    remote server?

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    "Tony201" <> wrote in message
    news:...
    > Joe,
    >
    > I am using the hostname in my code
    >
    > dGrid.DataSource = ServiceController.GetServices("serverxxxx");
    >
    > On the web server, I tried browsing to the application using the IP
    > address.
    > This works and I get events logged that indicate that Kerb
    > authentication
    > has taken place (see below). However, when I use the DNS name to browse to
    > the application, it gives me an access denied error and I get the NT
    > AUTHORITY\ANONYMOUS LOGON event. I am not sure why this is so.
    >
    > Event Type: Success Audit
    > Event Source: Security
    > Event Category: Logon/Logoff
    > Event ID: 538
    > Date: 24/06/2009
    > Time: 11:35:07
    > User: Domain\Username
    > Computer: TargetServer
    > Description:
    > User Logoff:
    > User Name: Username
    > Domain: WEB
    > Logon ID: (0x0,0x98B42A2)
    > Logon Type: 3
    > For more information, see Help and Support Center at
    > http://go.microsoft.com/fwlink/events.asp.
    >
    >
    > Event Type: Success Audit
    > Event Source: Security
    > Event Category: Logon/Logoff
    > Event ID: 540
    > Date: 24/06/2009
    > Time: 11:34:36
    > User: Domain\Username
    > Computer: TargetServer
    > Description:
    > Successful Network Logon:
    > User Name: Username
    > Domain: Domain
    > Logon ID: (0x0,0x98B42A2)
    > Logon Type: 3
    > Logon Process: Kerberos
    > Authentication Package: Kerberos
    > Workstation Name:
    > Logon GUID: {2c253827-89be-8166-d10a-865d2075808e}
    > Caller User Name: -
    > Caller Domain: -
    > Caller Logon ID: -
    > Caller Process ID: -
    > Transited Services: -
    > Source Network Address: 172.16.224.1
    > Source Port: 0
    > For more information, see Help and Support Center at
    > http://go.microsoft.com/fwlink/events.asp.
    >
    > Event Type: Success Audit
    > Event Source: Security
    > Event Category: Logon/Logoff
    > Event ID: 576
    > Date: 24/06/2009
    > Time: 11:34:36
    > User: Domain\Username
    > Computer: TargetServer
    > Description:
    > Special privileges assigned to new logon:
    > User Name: Username
    > Domain: Domain
    > Logon ID: (0x0,0x98B42A2)
    > Privileges: SeSecurityPrivilege
    > SeBackupPrivilege
    > SeRestorePrivilege
    > SeTakeOwnershipPrivilege
    > SeDebugPrivilege
    > SeSystemEnvironmentPrivilege
    > SeLoadDriverPrivilege
    > SeImpersonatePrivilege
    > For more information, see Help and Support Center at
    > http://go.microsoft.com/fwlink/events.asp.
    >
    >
    >
    >
    > "Joe Kaplan" wrote:
    >
    >> Normally when you see an anonymous login being attempted with NTLM, it is
    >> because the client did not attempt Kerberos authentication to access the
    >> remote server.
    >>
    >> When you connect to the remote machine in your code to manage the service
    >> control manager, are you using an IP address or the host name? Kerb
    >> requires the use of the host name.
    >>
    >> You might start by using a simple console app on the web server to access
    >> the remote SCM and seeing what type of authentication is recorded on the
    >> remote machine in the security event log. What you are looking for is a
    >> kerberos-based authentication to that machine. If you can only get NTLM
    >> auth to the remote machine, you won't be able to get Kerb delegation to
    >> work. Hopefully this helps flesh out your mental model.
    >>
    >> --
    >> Joe Kaplan-MS MVP Directory Services Programming
    >> Co-author of "The .NET Developer's Guide to Directory Services
    >> Programming"
    >> http://www.directoryprogramming.net
    >> "Tony201" <> wrote in message
    >> news:...
    >> > Hi Joe,
    >> >
    >> > You are right, there is a service called HOST on the target server which
    >> > I
    >> > have now delegated to the IIS AppPool account. However, I am still
    >> > getting
    >> > access denied. The one thing I forgot to mention in my earlier posts is
    >> > that
    >> > when I browse to the application locally (i.e. on the web server), it
    >> > works,
    >> > however, when I browse to it from an XP box I get access denied.
    >> >
    >> > The thing that perplexes me is that there are no failure audit events
    >> > on
    >> > any of the servers including the domain controllers. The only 2 events
    >> > that
    >> > might be related, i.e. they are generated every time I browse to the
    >> > application
    >> > from my XP box and they mention the web server name. I have listed
    >> > these
    >> > below.
    >> >
    >> > Event Type: Success Audit
    >> > Event Source: Security
    >> > Event Category: Logon/Logoff
    >> > Event ID: 540
    >> > Date: 23/06/2009
    >> > Time: 10:22:03
    >> > User: NT AUTHORITY\ANONYMOUS LOGON
    >> > Computer: TARGET-SERVER
    >> > Description:
    >> > Successful Network Logon:
    >> > User Name:
    >> > Domain:
    >> > Logon ID: (0x0,0x7D98711)
    >> > Logon Type: 3
    >> > Logon Process: NtLmSsp
    >> > Authentication Package: NTLM
    >> > Workstation Name: WEB-SERVER
    >> > Logon GUID: -
    >> > Caller User Name: -
    >> > Caller Domain: -
    >> > Caller Logon ID: -
    >> > Caller Process ID: -
    >> > Transited Services: -
    >> > Source Network Address: 172.16.224.1
    >> > Source Port: 0
    >> > For more information, see Help and Support Center at
    >> > http://go.microsoft.com/fwlink/events.asp.
    >> >
    >> > Event Type: Success Audit
    >> > Event Source: Security
    >> > Event Category: Logon/Logoff
    >> > Event ID: 538
    >> > Date: 23/06/2009
    >> > Time: 10:22:06
    >> > User: NT AUTHORITY\ANONYMOUS LOGON
    >> > Computer: TARGET-SERVER
    >> > Description:
    >> > User Logoff:
    >> > User Name: ANONYMOUS LOGON
    >> > Domain: NT AUTHORITY
    >> > Logon ID: (0x0,0x7D98711)
    >> > Logon Type: 3
    >> > For more information, see Help and Support Center at
    >> > http://go.microsoft.com/fwlink/events.asp.
    >> >
    >> >
    >> > "Joe Kaplan" wrote:
    >> >
    >> >> The account to delegate to would be the domain computer account for
    >> >> the
    >> >> machine running the services. I think you should be able to use the
    >> >> service
    >> >> type "HOST" which is a wildcard for a bunch of stuff and typically
    >> >> covers
    >> >> these built in RPC things like remote management.
    >> >>
    >> >> I'm not sure what this would look like in the GUI exactly. I usually
    >> >> make
    >> >> this type of change using a lower level tool but hopefully this gives
    >> >> you
    >> >> the idea.
    >> >>
    >> >> You should not need to create a new SPN though. You are just
    >> >> delegating
    >> >> to
    >> >> an existing one. The HOST/xxx SPNs for the computer account are
    >> >> created
    >> >> automatically when the machine is joined to the domain.
    >> >>
    >> >> --
    >> >> Joe Kaplan-MS MVP Directory Services Programming
    >> >> Co-author of "The .NET Developer's Guide to Directory Services
    >> >> Programming"
    >> >> http://www.directoryprogramming.net
    >> >> "Tony201" <> wrote in message
    >> >> news:...
    >> >> > Hi Joe,
    >> >> >
    >> >> > Thanks for the reply. For this application, I have already set up
    >> >> > delegation
    >> >> > for SQL Server access so I have an SPN for my DNS/IIS App Pool
    >> >> > Identity.
    >> >> > In
    >> >> > Active Directory under the delegation tab (for IIS App Pool
    >> >> > Identity),
    >> >> > I
    >> >> > have
    >> >> > allowed delegation to the SQL Server service, however, I don't know
    >> >> > how
    >> >> > to
    >> >> > allow delegation to the Service Control Manager, e.g. for SQL Server,
    >> >> > under
    >> >> > the
    >> >> > delegation tab, I click add and then type in the account that I
    >> >> > created
    >> >> > the
    >> >> > SQL Server SPN for. For allowing Service Control Manager, which user
    >> >> > would
    >> >> > I
    >> >> > need to type in and then what service should I add? Alternatively,
    >> >> > how
    >> >> > would
    >> >> > I set up an SPN to allow delegation to Windows Services?
    >> >> >
    >> >> > Cheers,
    >> >> > Tan
    >> >> >
    >> >> > "Joe Kaplan" wrote:
    >> >> >
    >> >> >> It should work although I've never tested this scenario.
    >> >> >>
    >> >> >> I'd suggest delegating the SPN for HOST/server to the IIS app pool
    >> >> >> identity
    >> >> >> (or the computer account if you use network service or system) to
    >> >> >> see
    >> >> >> if
    >> >> >> that works. If you are using the full DNS name to connect to the
    >> >> >> remote
    >> >> >> machine, use that SPN instead. You can also delegate both.
    >> >> >>
    >> >> >> If you are getting Kerberos authentication to the remote machine,
    >> >> >> then
    >> >> >> the
    >> >> >> constrained delegation should work here. You can check the
    >> >> >> security
    >> >> >> event
    >> >> >> logs on the remote machine to discover how you are authenticating.
    >> >> >> If
    >> >> >> you
    >> >> >> get NTLM, then it will not work.
    >> >> >>
    >> >> >> --
    >> >> >> Joe Kaplan-MS MVP Directory Services Programming
    >> >> >> Co-author of "The .NET Developer's Guide to Directory Services
    >> >> >> Programming"
    >> >> >> http://www.directoryprogramming.net
    >> >> >> "Tony201" <> wrote in message
    >> >> >> news:...
    >> >> >> > Can I use constrained delegation to allow my web application to
    >> >> >> > control
    >> >> >> > services on a remote server? At the moment, I have code that when
    >> >> >> > run
    >> >> >> > on
    >> >> >> > my
    >> >> >> > local machine (XP - no double hop) is able to control services on
    >> >> >> > remote
    >> >> >> > servers. However, when I move the web application to an IIS
    >> >> >> > server,
    >> >> >> > I
    >> >> >> > get
    >> >> >> > the
    >> >> >> > error listed below. I am guessing that I need to set up an SPN
    >> >> >> > but
    >> >> >> > don't
    >> >> >> > know
    >> >> >> > how to do it for the Service Control Manager. Any ideas?
    >> >> >> >
    >> >> >> > [Win32Exception (0x80004005): Access is denied]
    >> >> >> >
    >> >> >> > [InvalidOperationException: Cannot open Service Control Manager
    >> >> >> > on
    >> >> >> > computer
    >> >> >> > 'serverxxxx'. This operation might require other privileges.]
    >> >> >> >
    >> >> >> > System.ServiceProcess.ServiceController.GetDataBaseHandleWithAccess(String
    >> >> >> > machineName, Int32 serviceControlManaqerAccess) +35775
    >> >> >> >
    >> >> >> > System.ServiceProcess.ServiceController.GetDataBaseHandleWithEnumerateAccess(String
    >> >> >> > machineName) +9
    >> >> >> >
    >> >> >> > System.ServiceProcess.ServiceController.GetServicesOfType(String
    >> >> >> > machineName, Int32 serviceType) +143
    >> >> >> > System.ServiceProcess.ServiceController.GetServices(String
    >> >> >> > machineName)
    >> >> >> > +9
    >> >> >> > AutonomyAdmin.test.test2() +400
    >> >> >> > AutonomyAdmin.test.Page_Load(Object sender, EventArgs e) +137
    >> >> >> > System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp,
    >> >> >> > Object
    >> >> >> > o,
    >> >> >> > Object t, EventArgs e) +14
    >> >> >> > System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object
    >> >> >> > sender,
    >> >> >> > EventArgs e) +35
    >> >> >> > System.Web.UI.Control.OnLoad(EventArgs e) +99
    >> >> >> > System.Web.UI.Control.LoadRecursive() +50
    >> >> >> > System.Web.UI.Page.ProcessRequestMain(Boolean
    >> >> >> > includeStagesBeforeAsyncPoint, Boolean
    >> >> >> > includeStagesAfterAsyncPoint)
    >> >> >> > +627
    >> >> >> >
    >> >> >>
    >> >> >>
    >> >>
    >> >>

    >>
    >>
     
    Joe Kaplan, Jun 25, 2009
    #9
  10. Tony201

    Tony201 Guest

    Hi Joe,

    I have finally solved it. I needed to delegate to the cifs service. I will
    run further tests and let you know how I go.

    Cheers,
    Tan

    "Joe Kaplan" wrote:

    > The event logs we need to know about are the ones on the server running the
    > services you are controlling remotely.
    >
    > Can you show what happens when you have a console app that accesses the
    > remote server running the services in terms of the security audits on the
    > remote server?
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services Programming"
    > http://www.directoryprogramming.net
    > "Tony201" <> wrote in message
    > news:...
    > > Joe,
    > >
    > > I am using the hostname in my code
    > >
    > > dGrid.DataSource = ServiceController.GetServices("serverxxxx");
    > >
    > > On the web server, I tried browsing to the application using the IP
    > > address.
    > > This works and I get events logged that indicate that Kerb
    > > authentication
    > > has taken place (see below). However, when I use the DNS name to browse to
    > > the application, it gives me an access denied error and I get the NT
    > > AUTHORITY\ANONYMOUS LOGON event. I am not sure why this is so.
    > >
    > > Event Type: Success Audit
    > > Event Source: Security
    > > Event Category: Logon/Logoff
    > > Event ID: 538
    > > Date: 24/06/2009
    > > Time: 11:35:07
    > > User: Domain\Username
    > > Computer: TargetServer
    > > Description:
    > > User Logoff:
    > > User Name: Username
    > > Domain: WEB
    > > Logon ID: (0x0,0x98B42A2)
    > > Logon Type: 3
    > > For more information, see Help and Support Center at
    > > http://go.microsoft.com/fwlink/events.asp.
    > >
    > >
    > > Event Type: Success Audit
    > > Event Source: Security
    > > Event Category: Logon/Logoff
    > > Event ID: 540
    > > Date: 24/06/2009
    > > Time: 11:34:36
    > > User: Domain\Username
    > > Computer: TargetServer
    > > Description:
    > > Successful Network Logon:
    > > User Name: Username
    > > Domain: Domain
    > > Logon ID: (0x0,0x98B42A2)
    > > Logon Type: 3
    > > Logon Process: Kerberos
    > > Authentication Package: Kerberos
    > > Workstation Name:
    > > Logon GUID: {2c253827-89be-8166-d10a-865d2075808e}
    > > Caller User Name: -
    > > Caller Domain: -
    > > Caller Logon ID: -
    > > Caller Process ID: -
    > > Transited Services: -
    > > Source Network Address: 172.16.224.1
    > > Source Port: 0
    > > For more information, see Help and Support Center at
    > > http://go.microsoft.com/fwlink/events.asp.
    > >
    > > Event Type: Success Audit
    > > Event Source: Security
    > > Event Category: Logon/Logoff
    > > Event ID: 576
    > > Date: 24/06/2009
    > > Time: 11:34:36
    > > User: Domain\Username
    > > Computer: TargetServer
    > > Description:
    > > Special privileges assigned to new logon:
    > > User Name: Username
    > > Domain: Domain
    > > Logon ID: (0x0,0x98B42A2)
    > > Privileges: SeSecurityPrivilege
    > > SeBackupPrivilege
    > > SeRestorePrivilege
    > > SeTakeOwnershipPrivilege
    > > SeDebugPrivilege
    > > SeSystemEnvironmentPrivilege
    > > SeLoadDriverPrivilege
    > > SeImpersonatePrivilege
    > > For more information, see Help and Support Center at
    > > http://go.microsoft.com/fwlink/events.asp.
    > >
    > >
    > >
    > >
    > > "Joe Kaplan" wrote:
    > >
    > >> Normally when you see an anonymous login being attempted with NTLM, it is
    > >> because the client did not attempt Kerberos authentication to access the
    > >> remote server.
    > >>
    > >> When you connect to the remote machine in your code to manage the service
    > >> control manager, are you using an IP address or the host name? Kerb
    > >> requires the use of the host name.
    > >>
    > >> You might start by using a simple console app on the web server to access
    > >> the remote SCM and seeing what type of authentication is recorded on the
    > >> remote machine in the security event log. What you are looking for is a
    > >> kerberos-based authentication to that machine. If you can only get NTLM
    > >> auth to the remote machine, you won't be able to get Kerb delegation to
    > >> work. Hopefully this helps flesh out your mental model.
    > >>
    > >> --
    > >> Joe Kaplan-MS MVP Directory Services Programming
    > >> Co-author of "The .NET Developer's Guide to Directory Services
    > >> Programming"
    > >> http://www.directoryprogramming.net
    > >> "Tony201" <> wrote in message
    > >> news:...
    > >> > Hi Joe,
    > >> >
    > >> > You are right, there is a service called HOST on the target server which
    > >> > I
    > >> > have now delegated to the IIS AppPool account. However, I am still
    > >> > getting
    > >> > access denied. The one thing I forgot to mention in my earlier posts is
    > >> > that
    > >> > when I browse to the application locally (i.e. on the web server), it
    > >> > works,
    > >> > however, when I browse to it from an XP box I get access denied.
    > >> >
    > >> > The thing that perplexes me is that there are no failure audit events
    > >> > on
    > >> > any of the servers including the domain controllers. The only 2 events
    > >> > that
    > >> > might be related i.e they are generated everytime I browse to the
    > >> > application
    > >> > from my XP box and they mention the web server name. I have listed
    > >> > these
    > >> > below.
    > >> >
    > >> > Event Type: Success Audit
    > >> > Event Source: Security
    > >> > Event Category: Logon/Logoff
    > >> > Event ID: 540
    > >> > Date: 23/06/2009
    > >> > Time: 10:22:03
    > >> > User: NT AUTHORITY\ANONYMOUS LOGON
    > >> > Computer: TARGET-SERVER
    > >> > Description:
    > >> > Successful Network Logon:
    > >> > User Name:
    > >> > Domain:
    > >> > Logon ID: (0x0,0x7D98711)
    > >> > Logon Type: 3
    > >> > Logon Process: NtLmSsp
    > >> > Authentication Package: NTLM
    > >> > Workstation Name: WEB-SERVER
    > >> > Logon GUID: -
    > >> > Caller User Name: -
    > >> > Caller Domain: -
    > >> > Caller Logon ID: -
    > >> > Caller Process ID: -
    > >> > Transited Services: -
    > >> > Source Network Address: 172.16.224.1
    > >> > Source Port: 0
    > >> > For more information, see Help and Support Center at
    > >> > http://go.microsoft.com/fwlink/events.asp.
    > >> >
    > >> > Event Type: Success Audit
    > >> > Event Source: Security
    > >> > Event Category: Logon/Logoff
    > >> > Event ID: 538
    > >> > Date: 23/06/2009
    > >> > Time: 10:22:06
    > >> > User: NT AUTHORITY\ANONYMOUS LOGON
    > >> > Computer: TARGET-SERVER
    > >> > Description:
    > >> > User Logoff:
    > >> > User Name: ANONYMOUS LOGON
    > >> > Domain: NT AUTHORITY
    > >> > Logon ID: (0x0,0x7D98711)
    > >> > Logon Type: 3
    > >> > For more information, see Help and Support Center at
    > >> > http://go.microsoft.com/fwlink/events.asp.
    > >> >
    > >> >
    > >> > "Joe Kaplan" wrote:
    > >> >
    > >> >> The account to delegate to would be the domain computer account for
    > >> >> the machine running the services. I think you should be able to use the
    > >> >> service type "HOST" which is a wildcard for a bunch of stuff and
    > >> >> typically covers these built in RPC things like remote management.
    > >> >>
    > >> >> I'm not sure what this would look like in the GUI exactly. I usually
    > >> >> make this type of change using a lower level tool but hopefully this
    > >> >> gives you the idea.
    > >> >>
    > >> >> You should not need to create a new SPN though. You are just delegating
    > >> >> to an existing one. The HOST/xxx SPNs for the computer account are
    > >> >> created automatically when the machine is joined to the domain.
    > >> >>
    > >> >> --
    > >> >> Joe Kaplan-MS MVP Directory Services Programming
    > >> >> Co-author of "The .NET Developer's Guide to Directory Services
    > >> >> Programming"
    > >> >> http://www.directoryprogramming.net
    > >> >> "Tony201" <> wrote in message
    > >> >> news:...
    > >> >> > Hi Joe,
    > >> >> >
    > >> >> > Thanks for the reply. For this application, I have already set up
    > >> >> > delegation for SQL Server access so I have an SPN for my DNS/IIS App
    > >> >> > Pool Identity. In Active Directory under the delegation tab (for IIS
    > >> >> > App Pool Identity), I have allowed delegation to the SQL Server
    > >> >> > service, however, I don't know how to allow delegation to the Service
    > >> >> > Control Manager, e.g., for SQL Server, under the delegation tab, I
    > >> >> > click add and then type in the account that I created the SQL Server
    > >> >> > SPN for. For allowing Service Control Manager, which user would I
    > >> >> > need to type in and then what service should I add? Alternatively,
    > >> >> > how would I set up an SPN to allow delegation to Windows Services?
    > >> >> >
    > >> >> > Cheers,
    > >> >> > Tan
    > >> >> >
    > >> >> > "Joe Kaplan" wrote:
    > >> >> >
    > >> >> >> It should work although I've never tested this scenario.
    > >> >> >>
    > >> >> >> I'd suggest delegating the SPN for HOST/server to the IIS app pool
    > >> >> >> identity (or the computer account if you use network service or
    > >> >> >> system) to see if that works. If you are using the full DNS name to
    > >> >> >> connect to the remote machine, use that SPN instead. You can also
    > >> >> >> delegate both.
    > >> >> >>
    > >> >> >> If you are getting Kerberos authentication to the remote machine,
    > >> >> >> then the constrained delegation should work here. You can check the
    > >> >> >> security event logs on the remote machine to discover how you are
    > >> >> >> authenticating. If you get NTLM, then it will not work.
    > >> >> >>
    > >> >> >> --
    > >> >> >> Joe Kaplan-MS MVP Directory Services Programming
    > >> >> >> Co-author of "The .NET Developer's Guide to Directory Services
    > >> >> >> Programming"
    > >> >> >> http://www.directoryprogramming.net
    > >> >> >> "Tony201" <> wrote in message
    > >> >> >> news:...
    > >> >> >> > Can I use constrained delegation to allow my web application to
    > >> >> >> > control services on a remote server? At the moment, I have code
    > >> >> >> > that when run on my local machine (XP - no double hop) is able to
    > >> >> >> > control services on remote servers. However, when I move the web
    > >> >> >> > application to an IIS server, I get the error listed below. I am
    > >> >> >> > guessing that I need to set up an SPN but don't
     
    Tony201, Jun 29, 2009
    #10
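The check Joe recommends in the replies above (read the remote machine's security log and see whether the network logon arrived as Kerberos or as NTLM) can be done mechanically over pasted event text. The following is an added example for this thread, not code posted by anyone in it. It parses the "Key: value" record format the Windows Server 2003 Event Viewer produces, which is the format of the events Tony pasted, and flags the pattern he saw: a Logon Type 3 event 540 via NtLmSsp/NTLM as ANONYMOUS LOGON, which means the client never attempted Kerberos to that host. The sample records are constructed for the example (modelled on the two pasted events, plus a Kerberos logon for contrast); the user name EXAMPLE\tony is made up.

```python
"""Triage pasted Windows Security-log logon events for Kerberos vs. NTLM.

Added helper for this thread, not code from it: it reads the plain-text record
format the Windows Server 2003 Event Viewer copies (the format pasted above).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "Key: value" lines; the non-greedy key stops at the first colon ("Time: 10:22:03").
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")
# 540 is the pre-Vista "Successful Network Logon" event; the Vista+ 4624 text
# uses different field names and is not handled here.
NETWORK_LOGON_EVENT_ID = 540

@dataclass
class LogonEvent:
    event_id: int
    user: str
    computer: str
    logon_type: Optional[int]
    auth_package: str
    workstation: str

def _fields(chunk: str) -> Dict[str, str]:
    """First occurrence of each 'Key: value' line in one record."""
    out: Dict[str, str] = {}
    for line in chunk.splitlines():
        m = FIELD_RE.match(line)
        if m:
            out.setdefault(m.group(1).strip(), m.group(2).strip())
    return out

def parse_events(text: str) -> List[LogonEvent]:
    """Split a pasted dump into records; each record starts with 'Event Type:'."""
    events: List[LogonEvent] = []
    for chunk in re.split(r"(?m)^(?=\s*Event Type:)", text):
        f = _fields(chunk)
        if "Event ID" not in f:
            continue  # whitespace or stray text before the first record
        lt = f.get("Logon Type", "")
        events.append(LogonEvent(
            event_id=int(f["Event ID"]),
            user=f.get("User", ""),
            computer=f.get("Computer", ""),
            logon_type=int(lt) if lt.isdigit() else None,
            auth_package=f.get("Authentication Package", ""),
            workstation=f.get("Workstation Name", ""),
        ))
    return events

def diagnose(ev: LogonEvent) -> str:
    """Apply the rule from the replies: Kerberos can delegate, NTLM cannot."""
    if ev.event_id != NETWORK_LOGON_EVENT_ID or ev.logon_type != 3:
        return "not a network logon event"
    pkg = ev.auth_package.lower()
    if pkg == "kerberos":
        return "Kerberos network logon as %s: delegation to this host can work" % ev.user
    if pkg == "ntlm" and "anonymous logon" in ev.user.lower():
        return ("NTLM anonymous logon from %s: the client did not attempt Kerberos "
                "(e.g. it connected by IP address rather than host name); "
                "delegation will fail" % (ev.workstation or "unknown workstation"))
    if pkg == "ntlm":
        return "NTLM network logon as %s: delegation will fail" % ev.user
    return "unrecognised authentication package %r" % ev.auth_package

# Constructed sample modelled on the records pasted in this thread: an NTLM
# anonymous logon, its logoff, and a Kerberos logon for contrast.
SAMPLE_LOG = r"""
Event Type: Success Audit
Event ID: 540
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: TARGET-SERVER
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: WEB-SERVER

Event Type: Success Audit
Event ID: 538
User: NT AUTHORITY\ANONYMOUS LOGON
Logon Type: 3

Event Type: Success Audit
Event ID: 540
User: EXAMPLE\tony
Computer: TARGET-SERVER
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
"""

if __name__ == "__main__":
    for ev in parse_events(SAMPLE_LOG):
        print(ev.computer, ev.event_id, diagnose(ev))
```

Run it against text copied from the target server's Security log after a single browse from the XP box: a Kerberos 540 whose User is the browsing user means the double hop worked; an NTLM ANONYMOUS LOGON 540 whose Workstation Name is the web server, as in the pasted events, means the web server fell back to NTLM for that hop and no delegation setting on the app pool account will change that until the client side uses Kerberos (host name rather than IP, matching SPN).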