IIS Remote Content and Kerberos Delegation

Discussion in 'ASP General' started by Jacob, May 20, 2004.

  1. Jacob

    Jacob Guest

    Hello All,
    I am trying to serve out some content via IIS that is hosted on a
    remote fileserver, and am unable to get the delegation working
    correctly. Our setup is as follows:

    Local LAN
    Windows 2000 domain (mixed-mode): MYDOMAIN (mydomain.net)
    Windows 2003 Server w/IIS6: WEB01
    Windows 2000 Server hosting files: FILE01
    Windows XP Pro client workstation: CLIENT01

    All computers are members of the domain. WEB01 is 'Trusted for
    Delegation'.

    Two domain users have been created:

    MYDOMAIN\joeuser
    MYDOMAIN\webdirmap

    Both are members of the Domain Users group only.

    Single web setup on WEB01, Active Directory DNS host record
    'test.dev.mydomain.net' pointing to this web. The website has no
    local content, and a single virtual directory called 'webtest' which
    is pointing to a share on FILE01 called '\\FILE01\webtest'. The web
    is set to use Windows Integrated Auth only, no Basic or Anonymous
    allowed.

    Both domain users have Read & Exec NTFS permissions to
    \\FILE01\webtest. The SMB permissions on this share are set to
    Everyone - Full Control. This share contains a single image file
    called 'shite.gif'.

    For my testing I'm sitting at CLIENT01 and attempting to browse to
    http://test.dev.mydomain.net/webtest/shite.gif using IE 6.0SP1.


    1) First I set the '\webtest' virtual dir to use a fixed set of
    credentials, connecting as 'MYDOMAIN\webdirmap'. I then browsed to the
    above URL, authenticating as 'MYDOMAIN\joeuser'. I was able to view
    the image with no problems, and the event log on WEB01 showed me
    authenticating using Kerberos as 'MYDOMAIN\joeuser'. The eventlog on
    FILE01 showed a successful Logon event (using Kerberos for both logon
    and auth packages) for 'MYDOMAIN\webdirmap', followed by a successful
    object access for 'shite.gif'. All good...

    2) Then I changed the '\webtest' virtual dir to use passthrough
    authentication, connecting as the authenticated user accessing the
    website. I browsed to the URL again (after closing the browser to
    clear the cache first). I immediately got a userid/password challenge
    dialog, into which I entered the credentials for 'MYDOMAIN\joeuser'.
    They weren't accepted and I was challenged 3 times in total before IIS
    finally came back with an 'HTTP 401.3 - Unauthorized: Access is denied
    due to an ACL set on the requested resource' error. The event logs on
    WEB01 looked OK, with a Kerberos logon as 'MYDOMAIN\joeuser'. The
    FILE01 event log however showed two events, repeated 3 times in quick
    succession (once per failed challenge I guess): a successful
    Privilege Use (Special privileges assigned to new logon:
    SeChangeNotifyPrivilege) for 'NT AUTHORITY\ANONYMOUS LOGON', followed
    by a successful Logoff event for the same user (logon type 3). No
    successful logons at all, nor any audit failures of any kind.

    I'm logging both success and failures for Object Access, Logon/Logoff,
    Account Logon and Privilege Use.

    Can anyone explain this to me? Why is the connection from WEB01 to
    FILE01 coming through as 'NT AUTHORITY\ANONYMOUS LOGON'? It should be
    coming through as 'MYDOMAIN\joeuser' if Kerberos delegation was
    working shouldn't it?

    To double-check I switched the web to use Basic auth rather than
    Windows Integrated. It worked fine with both fixed 'connect as'
    credentials (MYDOMAIN\webdirmap) and with passthrough, so I'm thinking
    it's Kerberos at fault...

    I've read all of the pertinent TechNet articles I could find, including
    the very informative
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx
    but still have no joy making this work. Suggestions anyone?

    Thanks!

    Jacob Luebbers
    Jacob, May 20, 2004
    #1

  2. Ray at

    Ray at Guest

    I think your issue has to do with lack of tokens based on your authentication.
    (I'm not expert at this stuff though.)

    Read these two interesting articles and make sure that you're using an
    authentication method that will send kerberos tokens.

    http://support.microsoft.com/?kbid=287537
    http://support.microsoft.com/?kbid=264921

    Ray at work

    "Jacob" <> wrote in message
    news:...
    > Hello All,
    > I am trying to serve out some content via IIS that is hosted on a
    > remote fileserver, and am unable to get the delegation working
    > correctly. Our setup is as follows:
    >
    > 2) Then I changed the '\webtest' virtual dir to use passthrough
    > authentication, connecting as the authenticated user accessing the
    > website. I browsed to the URL again (after closing the browser to
    > clear the cache first). I immediately got a userid/password challenge
    > dialog, into which I entered the credentials for 'MYDOMAIN\joeuser'.
    > They weren't accepted and I was challenged 3 times in total before IIS
    > finally came back with an 'HTTP 401.3 - Unauthorized: Access is denied
    > due to an ACL set on the requested resource' error.
    Ray at, May 20, 2004
    #2

  3. Jacob

    Jacob Guest

    Thanks Ray,
    I've already had a look at those two articles, and whilst they're
    useful I still haven't found anything that explains this.

    The IIS web is only set to accept Windows Integrated Auth - Basic and
    Anonymous are not ticked. This leaves the only question being: which
    of the two Integrated Auth 'sub-types' is being used (Kerberos or
    NTLM)? I'm almost certain it's Kerberos because the event log shows
    this:

    ---------------------------------------------------------
    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 540
    Date: 20/05/2004
    Time: 4:37:48 PM
    User: MYDOMAIN\joeuser
    Computer: WEB01
    Description:
    Successful Network Logon:
    User Name: joeuser
    Domain: MYDOMAIN
    Logon ID: (0x0,0x438597E)
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name:
    Logon GUID: {21188530-3308-bb42-8b30-82c6c8fbb470}
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 10.0.0.76
    Source Port: 3654
    ---------------------------------------------------------

    If so, Kerberos is able to be delegated (at least SHOULD be able to -
    not for me though :p ), as can Basic. I've already tested and proven
    that Basic works, but unfortunately for me Basic is not suitable - I
    need to be able to use Integrated Auth.

    Now, to confuse things even more...

    Further testing reveals that if I first make a connection to some
    local content on the IIS web (eg a dummy.asp page which simply
    displays 'Hello World'), then DURING THE SAME SESSION, browse to the
    remote-served content eg
    http://test.dev.mydomain.net/webtest/shite.gif, it works fine!

    It seems that if my first browse request during the session is for
    remote content I don't yet have a Kerberos ticket, and therefore the
    second 'hop' from IIS server --> file server can't be made with
    delegated credentials, and so the ANONYMOUS account is used. However
    if I first request some locally-served content IIS grants me a
    Kerberos ticket which I then am able to subsequently use for the
    remote content during the same session.

    At least, this is the observed behaviour. Does this make any sense?
    Is this the way it's supposed to work?

    Regards,

    Jacob

    "Ray at <%=sLocation%> [MVP]" <myfirstname at lane34 dot com> wrote in message news:<>...
    > I think your issue has to do with lack of tokens based on your authentication.
    > (I'm not expert at this stuff though.)
    >
    > Read these two interesting articles and make sure that you're using an
    > authentication method that will send kerberos tokens.
    >
    > http://support.microsoft.com/?kbid=287537
    > http://support.microsoft.com/?kbid=264921
    >
    > Ray at work
    >
    > "Jacob" <> wrote in message
    > news:...
    > > Hello All,
    > > I am trying to serve out some content via IIS that is hosted on a
    > > remote fileserver, and am unable to get the delegation working
    > > correctly. Our setup is as follows:
    > >
    > > 2) Then I changed the '\webtest' virtual dir to use passthrough
    > > authentication, connecting as the authenticated user accessing the
    > > website. I browsed to the URL again (after closing the browser to
    > > clear the cache first). I immediately got a userid/password challenge
    > > dialog, into which I entered the credentials for 'MYDOMAIN\joeuser'.
    > > They weren't accepted and I was challenged 3 times in total before IIS
    > > finally came back with an 'HTTP 401.3 - Unauthorized: Access is denied
    > > due to an ACL set on the requested resource' error.
    Jacob, May 21, 2004
    #3
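The two hops described in post #1 (FILE01 recording NT AUTHORITY\ANONYMOUS LOGON instead of joeuser) and post #3 (WEB01's event 540 showing a Kerberos network logon) can be correlated from exported Security log text. The script below is an added example, not code from the thread or from Microsoft. Its log text is constructed to mirror the thread's event format and outcomes: event IDs 540 and 576 are the Windows 2000/2003 IDs the posts describe, while the timestamps, the fixed 'connect as' scenario and the five-second correlation window are assumptions.

```python
"""Correlate both hops of an IIS -> file-server request in Windows 2000/2003
Security log exports: did the file server see the delegated user, the fixed
'connect as' account, or the ANONYMOUS LOGON fallback from the thread?
Added example, not code from the thread; the log text below is constructed
(fields trimmed to those the check reads, times and outcomes made up)."""
from datetime import datetime, timedelta

ANONYMOUS = r"NT AUTHORITY\ANONYMOUS LOGON"

# Hop 1 (constructed): three Kerberos network logons of joeuser on WEB01.
WEB01_LOG = r"""
Event ID: 540
Date: 20/05/2004
Time: 4:37:48 PM
User: MYDOMAIN\joeuser
Authentication Package: Kerberos
-----
Event ID: 540
Date: 20/05/2004
Time: 4:40:10 PM
User: MYDOMAIN\joeuser
Authentication Package: Kerberos
-----
Event ID: 540
Date: 20/05/2004
Time: 4:45:02 PM
User: MYDOMAIN\joeuser
Authentication Package: Kerberos
"""

# Hop 2 (constructed): 4:37 passthrough with no delegable ticket (event 576
# for ANONYMOUS LOGON, as in post #1), 4:40 a fixed 'connect as' account,
# 4:45 delegation working (joeuser reaches FILE01 via Kerberos).
FILE01_LOG = r"""
Event ID: 576
Date: 20/05/2004
Time: 4:37:48 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Privileges: SeChangeNotifyPrivilege
-----
Event ID: 540
Date: 20/05/2004
Time: 4:40:11 PM
User: MYDOMAIN\webdirmap
Authentication Package: Kerberos
-----
Event ID: 540
Date: 20/05/2004
Time: 4:45:03 PM
User: MYDOMAIN\joeuser
Authentication Package: Kerberos
"""

def parse_events(text):
    """Dashed lines separate events; each 'Key: Value' line goes into a dict.
    Only the first colon delimits, so 'Time: 4:37:48 PM' survives intact."""
    events, cur = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) == {"-"}:
            if cur:
                events.append(cur)
            cur = {}
            continue
        key, _, value = line.partition(":")
        if value.strip():
            cur[key.strip()] = value.strip()
    if cur:
        events.append(cur)
    return events

def event_time(ev):
    return datetime.strptime(f"{ev['Date']} {ev['Time']}", "%d/%m/%Y %I:%M:%S %p")

def check_delegation(web_text, file_text, window=timedelta(seconds=5)):
    """For each network logon on the web server (hop 1), classify what the
    file server logged within `window` of it (hop 2). Returns (user, verdict)."""
    file_events = parse_events(file_text)
    verdicts = []
    for hop1 in parse_events(web_text):
        if hop1.get("Event ID") != "540":
            continue
        user, t0 = hop1["User"], event_time(hop1)
        if hop1.get("Authentication Package") != "Kerberos":
            verdicts.append((user, "hop1-not-kerberos"))  # NTLM cannot be delegated
            continue
        nearby = [e for e in file_events if abs(event_time(e) - t0) <= window]
        logons = [e for e in nearby if e.get("Event ID") == "540"]
        if any(e["User"] == user and e.get("Authentication Package") == "Kerberos"
               for e in logons):
            verdicts.append((user, "delegated"))
        elif any(e["User"] == ANONYMOUS for e in nearby):
            verdicts.append((user, "anonymous-fallback"))
        elif logons:
            verdicts.append((user, "other-identity:" + logons[0]["User"]))
        else:
            verdicts.append((user, "no-second-hop"))
    return verdicts
```

A 'hop1-not-kerberos' verdict is the first thing to rule out, since an NTLM logon on WEB01 can never be delegated; 'anonymous-fallback' is what the thread observed on FILE01, and a verdict naming a different identity means the virtual directory's fixed credentials were used rather than the caller's.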
  4. Ray at

    Ray at Guest

    "Jacob" <> wrote in message
    news:...
    > >

    > If so, Kerberos is able to be delegated (at least SHOULD be able to -
    > not for me though :p ), as can Basic. I've already tested and proven
    > that Basic works, but unfortunately for me Basic is not suitable - I
    > need to be able to use Integrated Auth.


    FWIW, I haven't been able to achieve what you're trying to do either. I
    have a VERY basic understanding of different authentication methods in
    Windows and how they tie into IIS, so I don't really have much else to
    offer. :[

    Ray at work
    Ray at, May 24, 2004
    #4
