impersonation / delegation question

Discussion in 'ASP .Net Security' started by russell.lane, Jan 20, 2006.

  1. russell.lane

    russell.lane Guest

    Greetings -

    I'm trying to set up domain login impersonation and delegation for a
    multi-tier web application. The goal is for the application, middle tier
    services, and back end database to operate under the end user's Windows
    domain login id. This is in the context of an intranet deployment, no
    firewalls.

    To begin sorting this out, I'm starting small. My first goal is to create a
    simple service that can query the database as the login user and return
    a dataset. Here's what I've done so far:

    o Set up my user id on the DB so I can login and execute the stored
    procedure.
    o Written the simple service in ASP.Net C# that calls the stored procedure.
    o Installed the simple service on an app server remote from the DB server.
    o Configured the simple service to not allow anonymous login, and to use
    windows authentication.
    o <identity impersonate="true"> in the test service web.config
    o Created a custom domain account for the service to run under.
    o Created SPNs for the custom domain account that map the account to HTTP
    on my app server with both fully qualified and netBIOS name, including port
    number (80).
    o In ADS, enabled the custom domain account I run the service under to
    delegate to MSSQLsvc on the DB server.
    o Created an application pool whose identity is the custom domain account.
    o Assigned my test service to the new application pool.

    For initial testing, I just tried to bring the service up in IE on both the
    app server (i.e., the host where the service runs) and also from my desktop.
    In both cases I am logged onto the system where I'm running the browser with
    my Windows domain account. On both platforms, IE is set up so that the app
    server is in the intranet zone, and windows authentication is enabled.

    When I bring the service up in IE on the app server, everything is great. I
    can run the service (auto-generated form from the service WSDL), the service
    impersonates me and forwards my identity to the database, the procedure runs
    and I get the dataset back.

    When I bring the service up in IE from my desktop, IE pops up a login prompt
    (this did not happen on the app server). I enter my user name, password,
    and domain, and it's rejected.

    When I look at the security event log on the app server, I see a number of
    "Failure Audit" messages. The detail on these messages states:

    Logon failure:
    Reason: Unknown user name or bad password
    Logon type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos

    The user name, domain, workstation name, caller user name, caller domain,
    caller logon id are all blank. The source network address has the correct
    IP address for my workstation.

    Another point of information -- if I set up the web service to use basic
    authentication, everything works correctly when accessed from a browser on
    either the app server or my desktop. I get a prompt (as is expected for
    basic authentication), enter my user name, password, and domain, and I can
    access the service as desired. So, it seems like there's a Kerberos issue
    involved in here somewhere.

    I'm not sure what I'm missing here. Can anyone offer some suggestions?

    Sorry for the length. There's a lot of detail to the setup for this stuff
    and I'm not sure what piece is significant and what piece is not.

    Many thanks!!

    R
    russell.lane, Jan 20, 2006
    #1

  2. Hi,

    looks all ok so far - some notes

    - when you run the service locally it is technically no delegation - the
    token is copied to IIS and it is only a single hop to the db
    - does the client have NTFS read DACLs on the web service directory?
    - download ethereal (www.ethereal.com) - and sniff the kerberos handshake
    - is the SPN that IE requests exactly the same as you registered for the
    webserver / any other oddities?

    good resource: http://www.microsoft.com/technet/pr...3/technologies/security/kerberos/default.mspx

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Jan 20, 2006
    #2

  3. russell.lane

    russell.lane Guest

    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    russell.lane, Jan 23, 2006
    #3
  4. russell.lane

    russell.lane Guest

    Dominick --

    Thanks for the reply. Sorry for the empty prior response from me, operator
    error. :-(

    The account I'm trying to delegate and impersonate is my domain user
    account. Both that account and the account that the application group for
    the web service run under have read and execute permission on the server
    directory holding the service distribution through their membership in a
    general domain users group.

    I've sniffed the kerberos and other traffic using ethereal. Very nice tool,
    thanks for the pointer! Here's what I see. In the following, <clientIP> is
    the ip address the browser is running on, <serverip> is the ip address of
    the server hosting the web service, and <kerbip> is the ip address of the
    kerberos server. It's a longish transcript, sorry in advance for the
    length.

    <clientip> <serverip> HTTP GET serviceurl HTTP/1.1
    <serverip> <clientip> TCP [TCP segment of a reassembled PDU]
    <serverip> <clientip> HTTP HTTP/1.1 401 Unauthorized
    <clientip> <serverip> TCP 3152 > http [ACK] ...statistics...
    <clientip> <serverip> TCP [TCP segment of a reassembled PDU]
    <clientip> <serverip> HTTP GET serviceurl HTTP/1.1
    <serverip> <clientip> TCP http > 3152 [ACK] ...statistics...
    <serverip> <clientip> TCP [TCP segment of a reassembled PDU]
    <serverip> <clientip> HTTP KRB Error: KRB5KRB_AP_ERR_MODIFIED
    <clientip> <serverip> TCP 3152 > http [ACK] ...statistics...
    <clientip> <kerbip> KRB5 TGS-REQ
    <kerbip> <clientip> KRB5 TGS-REP
    <clientip> <serverip> TCP [TCP segment of a reassembled PDU]
    <clientip> <serverip> HTTP GET serviceurl HTTP/1.1
    <serverip> <clientip> TCP http > 3152 [ACK] ...statistics...
    <serverip> <clientip> TCP [TCP segment of a reassembled PDU]
    <serverip> <clientip> HTTP KRB Error: KRB5KRB_AP_ERR_MODIFIED
    <clientip> <serverip> TCP 3152 > http [ACK] ...statistics...

    .... some other traffic.....

    <clientip> <kerbip> KRB5 AS-REQ
    <kerbip> <clientip> KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
    <clientip> <serverip> HTTP GET serviceurl HTTP/1.1
    <serverip> <clientip> TCP [TCP segment of a reassembled PDU]
    <serverip> <clientip> HTTP HTTP/1.1 401 Unauthorized
    <clientip> <serverip> TCP 3152 > http [ACK] ...statistics...

    Parsing the above is somewhat above my pay grade, unfortunately, but what
    appears to be happening is some kind of inconsistency in the user information
    for my domain account between my machine, Kerberos, and the app server.

    Any light you might be able to shed on this will be welcome, no matter how
    dim.

    Thanks!!

    R
    russell.lane, Jan 23, 2006
    #4
  5. Hi,

    the unauthorized http traffic is normal. That's the auth handshake.

    this is where the ticket for the web server is requested:

    <clientip> <kerbip> KRB5 TGS-REQ
    <kerbip> <clientip> KRB5 TGS-REP

    If you look into these packets, is the SPN used the one you registered for the
    web app?

    those error messages are strange, especially KRB5KDC_ERR_PREAUTH_FAILED.

    I am not sure what's going on - please check this web site:
    http://www.microsoft.com/technet/pr...3/technologies/featured/kerberos/default.mspx

    especially:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx

    if you have any questions I am happy to answer them - if you solve it I would
    be interested too :)


    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Jan 23, 2006
    #5
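As an added example (not code from the thread), a small Python parser over the Ethereal packet-list summary posted above that counts the Kerberos errors and flags the two patterns Dominick's reply points at: whether KRB5KRB_AP_ERR_MODIFIED persists even after the client fetches a fresh ticket (TGS-REQ/TGS-REP), which points at the SPN-to-account mapping rather than a stale ticket, and whether a fresh AS-REQ with KRB5KDC_ERR_PREAUTH_FAILED follows, which is the credential prompt path. The trace is a constructed copy of the posted lines with the same placeholders; the error meanings are the standard RFC 4120 codes.

```python
"""Classify the Kerberos failures in an Ethereal/Wireshark packet-list summary.

Added example, not code from the thread.  SAMPLE_TRACE is a constructed copy
of the poster's summary lines (most TCP ACK lines trimmed); the error meanings
are the RFC 4120 error codes as they show up in an IIS-to-SQL delegation setup.
"""
import re
from collections import Counter

# Constructed sample: placeholders <clientip>/<serverip>/<kerbip> as in the post.
SAMPLE_TRACE = """\
<clientip> <serverip> HTTP GET serviceurl HTTP/1.1
<serverip> <clientip> HTTP HTTP/1.1 401 Unauthorized
<clientip> <serverip> TCP 3152 > http [ACK] ...statistics...
<clientip> <serverip> HTTP GET serviceurl HTTP/1.1
<serverip> <clientip> HTTP KRB Error: KRB5KRB_AP_ERR_MODIFIED
<clientip> <kerbip> KRB5 TGS-REQ
<kerbip> <clientip> KRB5 TGS-REP
<clientip> <serverip> HTTP GET serviceurl HTTP/1.1
<serverip> <clientip> HTTP KRB Error: KRB5KRB_AP_ERR_MODIFIED
<clientip> <kerbip> KRB5 AS-REQ
<kerbip> <clientip> KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
<clientip> <serverip> HTTP GET serviceurl HTTP/1.1
<serverip> <clientip> HTTP HTTP/1.1 401 Unauthorized
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(HTTP|KRB5|TCP)\s+(.*)$")
KRB_ERR_RE = re.compile(r"KRB Error:\s*(\S+)")

# RFC 4120 error names and what they mean at each hop of this setup.
KRB_ERROR_MEANING = {
    "KRB5KRB_AP_ERR_MODIFIED": (
        "the web server could not decrypt the service ticket: the HTTP/<host> "
        "SPN the client asked for is not owned by the account the application "
        "pool runs as (wrong, duplicate or stale SPN registration)"),
    "KRB5KDC_ERR_PREAUTH_FAILED": (
        "the KDC rejected pre-authentication in a fresh AS-REQ: the credentials "
        "typed into the browser prompt did not match the account"),
}


def parse_trace(text):
    """Turn packet-list summary lines into src/dst/proto/info records."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"src": m.group(1), "dst": m.group(2),
                           "proto": m.group(3), "info": m.group(4)})
    return events


def diagnose(events):
    """Count Kerberos errors and detect the two patterns worth checking:
    a MODIFIED error after a fresh TGS-REP, and PREAUTH_FAILED after an AS-REQ."""
    errors = Counter()
    unauthorized = 0
    fresh_ticket = False           # set once a TGS-REP has been seen
    as_req_seen = False
    modified_after_fresh_ticket = False
    preauth_after_as_req = False
    for ev in events:
        info = ev["info"]
        if ev["proto"] == "HTTP" and "401 Unauthorized" in info:
            unauthorized += 1      # normal Negotiate challenge, not an error
        if ev["proto"] == "KRB5" and info.startswith("TGS-REP"):
            fresh_ticket = True
        if ev["proto"] == "KRB5" and info.startswith("AS-REQ"):
            as_req_seen = True
        m = KRB_ERR_RE.search(info)
        if not m:
            continue
        code = m.group(1)
        errors[code] += 1
        if code == "KRB5KRB_AP_ERR_MODIFIED" and fresh_ticket:
            modified_after_fresh_ticket = True
        if code == "KRB5KDC_ERR_PREAUTH_FAILED" and as_req_seen:
            preauth_after_as_req = True
    findings = [f"{code} x{n}: {KRB_ERROR_MEANING.get(code, 'see RFC 4120')}"
                for code, n in errors.items()]
    if modified_after_fresh_ticket:
        findings.append(
            "AP_ERR_MODIFIED persisted after a new TGS-REP, so the ticket is not "
            "stale: compare the sname in the TGS-REQ with the SPNs registered on "
            "the application pool account")
    if preauth_after_as_req:
        findings.append(
            "a fresh AS-REQ followed the failures: consistent with the browser "
            "falling back to the credential prompt instead of the logon TGT")
    return {"errors": dict(errors), "unauthorized": unauthorized,
            "modified_after_fresh_ticket": modified_after_fresh_ticket,
            "preauth_after_as_req": preauth_after_as_req,
            "findings": findings}


if __name__ == "__main__":
    for finding in diagnose(parse_trace(SAMPLE_TRACE))["findings"]:
        print("-", finding)
```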
  6. russell.lane

    russell.lane Guest

    Thanks, Dominick.

    I'm working through the troubleshooting guide now. When I get to the bottom
    of this I'll post what I find for general edification.

    Thanks again for your help!

    R.


    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > Hi,
    > the unauthorized http traffic is normal. That's the auth handshake.
    >
    > this is where the ricket for the web server is requests:
    >
    > <clientip> <kerbip> KRB5 TGS-REQ
    > <kerbip> <clientip> KRB5 TGS-REP
    >
    > If you look into these packets is the SPN used you registered for the web
    > app?
    >
    > those error messages are strange, especially KRB5KDC_ERR_PREAUTH_FAILED.
    >
    > I am not sure what's going on - please check this web site:
    > http://www.microsoft.com/technet/pr...3/technologies/featured/kerberos/default.mspx
    >
    > especially:
    > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx
    >
    > if you have any questions I am happy to answer them - if you solve it I
    > would be interested too :)
    >
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    >> Dominick --
    >>
    >> Thanks for the reply. Sorry for the empty prior response from me,
    >> operator error. :-(
    >>
    >> The account I'm trying to delegate and impersonate is my domain user
    >> account. Both that account and the account that the application group
    >> for the web service run under have read and execute permission on the
    >> server directory holding the service distribution through their
    >> membership in a general domain users group.
    >>
    >> I've sniffed the kerberos and other traffic using ethereal. Very nice
    >> tool, thanks for the pointer! Here's what I see. In the following,
    >> <clientIP> is the ip address the browser is running on, <serverip> is
    >> the ip address of the server hosting the web service, and <kerbip> is
    >> the ip address of the kerberos server. It's a longish transcript,
    >> sorry in advance for the length.
    >>
    >> <clientip> <serverip> HTTP GET serviceurl HTTP/1.1
    >> <serverip> <clientip> TCP [TCP segment of a reassembled PDU]
    >> <serverip> <clientip> HTTP HTTP/1.1 401 Unauthorized
    >> <clientip> <serverip> TCP 3152 > http [ACK] ...statistics...
    >> <clientip> <serverip> TCP [TCP segment of a reassembled PDU]
    >> <clientip> <serverip> HTTP GET serviceurl HTTP/1.1
    >> <serverip> <clientip> TCP http > 3152 [ACK] ...statistics...
    >> <serverip> <clientip> TCP [TCP segment of a reassembled PDU]
    >> <serverip> <clientip> HTTP KRB Error: KRB5KRB_AP_ERR_MODIFIED
    >> <clientip> <serverip> TCP 3152 > http [ACK] ...statistics...
    >> <clientip> <kerbip> KRB5 TGS-REQ
    >> <kerbip> <clientip> KRB5 TGS-REP
    >> <clientip> <serverip> TCP [TCP segment of a reassembled PDU]
    >> <clientip> <serverip> HTTP GET serviceurl HTTP/1.1
    >> <serverip> <clientip> TCP http > 3152 [ACK] ...statistics...
    >> <serverip> <clientip> TCP [TCP segment of a reassembled PDU]
    >> <serverip> <clientip> HTTP KRB Error: KRB5KRB_AP_ERR_MODIFIED
    >> <clientip> <serverip> TCP 3152 > http [ACK] ...statistics...
    >> ... some other traffic.....
    >>
    >> <clientip> <kerbip> KRB5 AS-REQ
    >> <kerbip> <clientip> KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
    >> <clientip> <serverip> HTTP GET serviceurl HTTP/1.1
    >> <serverip> <clientip> TCP [TCP segment of a reassembled PDU]
    >> <serverip> <clientip> HTTP HTTP/1.1 401 Unauthorized
    >> <clientip> <serverip> TCP 3152 > http [ACK] ...statistics...
    >> Parsing the above is somewhat above my pay grade, unfortunately, but
    >> what appears to be happening is some kind of inconsistency in the user
    >> information for my domain account between my machine, kerberos, and
    >> the app server.
    >>
    >> Any light you might be able to shed on this will be welcome, no matter
    >> how dim.
    >>
    >> Thanks!!
    >>
    >> R
    >> "Dominick Baier [DevelopMentor]"
    >> <>
    >> wrote in message
    >> news:...
    >>> Hi,
    >>> looks all ok so far - some notes
    >>> - when you run the service locally it is technically no delegation -
    >>> the token is copied to IIS and it is only a single hop to the db
    >>> - does the client have NTFS read DACLs on the web service directory?
    >>> - download ethereal (www.ethereal.com) - and sniff the kerberos
    >>> handshake - is the SPN that IE requests exactly the same as you
    >>> registered for the webserver / any other oddities?
    >>> good resource:
    >>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/kerberos/default.mspx
    >>>
    >>> ---------------------------------------
    >>> Dominick Baier - DevelopMentor
    >>> http://www.leastprivilege.com
    >>>> Greetings -
    >>>>
    >>>> I'm trying to set up domain login impersonation and delegation for a
    >>>> multi-tier web application. The goal is for the application, middle
    >>>> tier services, and back end database to operate under the end user's
    >>>> Windows domain login id. This is in the context of an intranet
    >>>> deployment, no firewalls.
    >>>>
    >>>> To begin sorting this out, I'm starting small. My first goal is to
    >>>> create a simple service that will query the database as the
    >>>> login user and return a dataset. Here's what I've done so far:
    >>>>
    >>>> o Set up my user id on the DB so I can login and execute the stored
    >>>> procedure.
    >>>> o Written the simple service in ASP.Net C# that calls the stored
    >>>> procedure.
    >>>> o Installed the simple service on an app server remote from the DB
    >>>> server.
    >>>> o Configured the simple service to not allow anonymous login, and
    >>>> to use windows authentication.
    >>>> o <identity impersonate="true"> in the test service web.config
    >>>> o Created a custom domain account for the service to run under.
    >>>> o Created SPN's for the custom domain account that map the account
    >>>> to HTTP on my app server with both fully qualified and netBIOS name,
    >>>> including port number (80).
    >>>> o In ADS, enabled the custom domain account I run the service under
    >>>> to delegate to MSSQLsvc on the DB server.
    >>>> o Created an application pool whose identity is the custom domain
    >>>> account.
    >>>> o Assigned my test service to the new application pool.
    >>>>
    >>>> For initial testing, I just tried to bring the service up in IE on
    >>>> both the app server (i.e., the host where the service runs) and also
    >>>> from my desktop. In both cases I am logged onto the system where I'm
    >>>> running the browser with my Windows domain account. On both
    >>>> platforms, IE is set up so that the app server is in the intranet
    >>>> zone, and windows authentication is enabled.
    >>>> When I bring the service up in IE on the app server, everything is
    >>>> great. I can run the service (auto-generated form from the service
    >>>> WSDL), the service impersonates me and forwards my identity to the
    >>>> database, the procedure runs and I get the dataset back.
    >>>>
    >>>> When I bring the service up in IE from my desktop, IE pops up a
    >>>> login prompt (this did not happen on the app server). I enter my
    >>>> user name, password, and domain, and it's rejected.
    >>>>
    >>>> When I look at the security event log on the app server, I see a
    >>>> number of "Failure Audit" messages. The detail on these messages
    >>>> states:
    >>>>
    >>>> Logon failure:
    >>>> Reason: Unknown user name or bad password
    >>>> Logon type: 3
    >>>> Logon Process: Kerberos
    >>>> Authentication Package: Kerberos
    >>>> The user name, domain, workstation name, caller user name, caller
    >>>> domain, caller logon id are all blank. The source network address
    >>>> has the correct IP address for my workstation.
    >>>>
    >>>> Another point of information -- if I set up the web service to use
    >>>> basic authentication, everything works correctly when accessed from
    >>>> a browser on either the app server or my desktop. I get a prompt
    >>>> (as is expected for basic authentication), enter my user name,
    >>>> password, and domain, and I can access the service as desired. So,
    >>>> it seems like there's a Kerberos issue involved in here somewhere.
    >>>>
    >>>> I'm not sure what I'm missing here. Can anyone offer some
    >>>> suggestions?
    >>>>
    >>>> Sorry for the length. There's a lot of detail to the setup for this
    >>>> stuff and I'm not sure what piece is significant and what piece is
    >>>> not.
    >>>>
    >>>> Many thanks!!
    >>>>
    >>>> R
    >>>>
    russell.lane, Jan 23, 2006
    #6
  7. russell.lane

    russell.lane Guest

    Finally got to the bottom of this last week.

    In the process of trying to figure out how to set this up, we created some
    duplicate SPNs. Specifically -- we wanted to run web services under a
    non-machine account, had created new ADS domain accounts for them to run
    under (and which we would use to manage delegation permissions), and then
    attached the same service names to more than one of these accounts.

    So, if you had ADS custom account "webservice" and another one called
    "webapp", we did something like this:

    setspn -A http/host.domain.com:80 webservice
    setspn -A http/host.domain.com:80 webapp

    When Kerberos tried to resolve authentication for http/host.domain.com:80 it
    didn't know whether to use "webservice" or "webapp", hence the Kerb error.

    This was kind of hard to find using "setspn -L" because (a) you have to know
    what SPNs are out there in the first place, and (b) you have to keep track of
    which service names show up for which accounts.

    I tracked this down with ldp.exe, which makes it easier to work back from
    the service name, i.e., from an identifier like "http/host.domain.com:80".

    Thanks again for your help with this!

    R

    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > Hi,
    > the unauthorized http traffic is normal. That's the auth handshake.
    >
    > this is where the ticket for the web server is requested:
    >
    > <clientip> <kerbip> KRB5 TGS-REQ
    > <kerbip> <clientip> KRB5 TGS-REP
    >
    > If you look into these packets is the SPN used you registered for the web
    > app?
    >
    > those error messages are strange, especially KRB5KDC_ERR_PREAUTH_FAILED.
    >
    > I am not sure what's going on - please check this web site:
    > http://www.microsoft.com/technet/pr...3/technologies/featured/kerberos/default.mspx
    >
    > especially:
    > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx
    >
    > if you have any questions I am happy to answer them - if you solve it I
    > would be interested too :)
    >
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    russell.lane, Feb 1, 2006
    #7
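    The check Russell describes (working back from a service name like http/host.domain.com:80 to every account that holds it) can be scripted against the directory instead of done by hand in ldp.exe. The script below is an added example, not code from the thread or from any of its participants; it uses the .NET System.DirectoryServices classes from PowerShell, assumes it is run by a domain user on a domain-joined machine, and treats "http/host.domain.com:80" as a placeholder name taken from the thread. The reason the collision matters is that the KDC encrypts the service ticket with the key of whichever account it resolves the SPN to; when IIS is running as the other account it cannot decrypt the ticket, which is what the KRB5KRB_AP_ERR_MODIFIED error in the Ethereal trace shows.

```powershell
# Added example (not from the thread): list every SPN registered on more than
# one account in the current domain, or check a single SPN given as -Spn.
# Uses System.DirectoryServices only, so it needs no RSAT or AD module.
param(
    # Optional single SPN to check, e.g. "http/host.domain.com:80"
    # (placeholder host name from the thread).
    [string]$Spn
)

$rootDse  = [ADSI]"LDAP://RootDSE"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
$searcher.PageSize   = 1000          # page through large domains

if ($Spn) {
    # Escape LDAP filter metacharacters (RFC 4515) before using the value in a filter.
    $escaped = $Spn -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
    $searcher.Filter = "(servicePrincipalName=$escaped)"
} else {
    $searcher.Filter = "(servicePrincipalName=*)"
}
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")
[void]$searcher.PropertiesToLoad.Add("servicePrincipalName")

# Index: SPN (compared case-insensitively, as the KDC does) -> accounts holding it.
$index = @{}
foreach ($result in $searcher.FindAll()) {
    $account = [string]$result.Properties["samaccountname"][0]
    foreach ($value in $result.Properties["serviceprincipalname"]) {
        $key = ([string]$value).ToLowerInvariant()
        # When a single SPN was requested, ignore the account's other SPNs.
        if ($Spn -and $key -ne $Spn.ToLowerInvariant()) { continue }
        if (-not $index.ContainsKey($key)) {
            $index[$key] = New-Object System.Collections.ArrayList
        }
        [void]$index[$key].Add($account)
    }
}

# Report only collisions; a clean domain prints nothing.
$duplicates = $index.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
foreach ($dup in $duplicates) {
    "{0} is registered on {1} accounts: {2}" -f $dup.Key, $dup.Value.Count, ($dup.Value -join ", ")
}
```

    Run it with no arguments for a domain-wide sweep, or with -Spn "http/host.domain.com:80" to answer the exact question Russell had. The same LDAP filter, (servicePrincipalName=http/host.domain.com:80), is what you would type into the ldp.exe search dialog. Later setspn builds also have setspn -X, which reports duplicate SPNs directly; the script above is useful where that switch is not available or where you want the result in a form you can feed into a recurring health check, since any new duplicate silently breaks Kerberos for the affected service.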
  8. Joe Kaplan (MVP - ADSI)

    Glad you figured that out. Duplicate SPNs are the devil!

    You used the same tool and technique for finding them that I would have
    recommended too. I generally also use ldp.exe to set them in the first
    place (and also use it for configuring constrained delegation). For some
    reason, I think it easier as you can see what's in there as you go (assuming
    you know enough about LDAP to not get put off).

    Joe K.

    Joe Kaplan (MVP - ADSI), Feb 1, 2006
    #8