impersonation / delegation question

russell.lane

Greetings -

I'm trying to set up domain login impersonation and delegation for a
multi-tier web application. The goal is for the application, middle tier
services, and back end database to operate under the end user's Windows
domain login id. This is in the context of an intranet deployment, no
firewalls.

To begin sorting this out, I'm starting small. My first goal is to create a
simple service that will query the database as the login user and return
a dataset. Here's what I've done so far:

o Set up my user id on the DB so I can login and execute the stored
procedure.
o Written the simple service in ASP.Net C# that calls the stored procedure.
o Installed the simple service on an app server remote from the DB server.
o Configured the simple service to not allow anonymous login, and to use
windows authentication.
o <identity impersonate="true"> in the test service web.config
o Created a custom domain account for the service to run under.
o Created SPNs for the custom domain account that map the account to HTTP
on my app server with both fully qualified and netBIOS name, including port
number (80).
o In ADS, enabled the custom domain account I run the service under to
delegate to MSSQLsvc on the DB server.
o Created an application pool whose identity is the custom domain account.
o Assigned my test service to the new application pool.

For initial testing, I just tried to bring the service up in IE on both the
app server (i.e., the host where the service runs) and also from my desktop.
In both cases I am logged onto the system where I'm running the browser with
my Windows domain account. On both platforms, IE is set up so that the app
server is in the intranet zone, and windows authentication is enabled.

When I bring the service up in IE on the app server, everything is great. I
can run the service (auto-generated form from the service WSDL), the service
impersonates me and forwards my identity to the database, the procedure runs
and I get the dataset back.

When I bring the service up in IE from my desktop, IE pops up a login prompt
(this did not happen on the app server). I enter my user name, password,
and domain, and it's rejected.

When I look at the security event log on the app server, I see a number of
"Failure Audit" messages. The detail on these messages states:

Logon failure:
Reason: Unknown user name or bad password
Logon type: 3
Logon Process: Kerberos
Authentication Package: Kerberos

The user name, domain, workstation name, caller user name, caller domain,
caller logon id are all blank. The source network address has the correct
IP address for my workstation.

Another point of information -- if I set up the web service to use basic
authentication, everything works correctly when accessed from a browser on
either the app server or my desktop. I get a prompt (as is expected for
basic authentication), enter my user name, password, and domain, and I can
access the service as desired. So, it seems like there's a Kerberos issue
involved in here somewhere.

I'm not sure what I'm missing here. Can anyone offer some suggestions?

Sorry for the length. There's a lot of detail to the setup for this stuff
and I'm not sure what piece is significant and what piece is not.

Many thanks!!

R

Dominick Baier [DevelopMentor]

Hi,

looks all ok so far - some notes

- when you run the service locally it is technically no delegation - the
token is copied to IIS and it is only a single hop to the db
- does the client have NTFS read DACLs on the web service directory?
- download ethereal (www.ethereal.com) - and sniff the kerberos handshake
- is the SPN that IE requests exactly the same as you registered for the
webserver / any other oddities?

good resource: http://www.microsoft.com/technet/pr...3/technologies/security/kerberos/default.mspx

russell.lane


russell.lane

Dominick --

Thanks for the reply. Sorry for the empty prior response from me, operator
error. :-(

The account I'm trying to delegate and impersonate is my domain user
account. Both that account and the account that the application group for
the web service run under have read and execute permission on the server
directory holding the service distribution through their membership in a
general domain users group.

I've sniffed the kerberos and other traffic using ethereal. Very nice tool,
thanks for the pointer! Here's what I see. In the following, <clientIP> is
the ip address the browser is running on, <serverip> is the ip address of
the server hosting the web service, and <kerbip> is the ip address of the
kerberos server. It's a longish transcript, sorry in advance for the
length.

<clientip> <serverip> HTTP GET serviceurl HTTP/1.1
<serverip> <clientip> TCP [TCP segment of a reassembled PDU]
<serverip> <clientip> HTTP HTTP/1.1 401 Unauthorized
<clientip> <serverip> TCP 3152 > http [ACK] ...statistics...
<clientip> <serverip> TCP [TCP segment of a reassembled PDU]
<clientip> <serverip> HTTP GET serviceurl HTTP/1.1
<serverip> <clientip> TCP http > 3152 [ACK] ...statistics...
<serverip> <clientip> TCP [TCP segment of a reassembled PDU]
<serverip> <clientip> HTTP KRB Error: KRB5KRB_AP_ERR_MODIFIED
<clientip> <serverip> TCP 3152 > http [ACK] ...statistics...
<clientip> <kerbip> KRB5 TGS-REQ
<kerbip> <clientip> KRB5 TGS-REP
<clientip> <serverip> TCP [TCP segment of a reassembled PDU]
<clientip> <serverip> HTTP GET serviceurl HTTP/1.1
<serverip> <clientip> TCP http > 3152 [ACK] ...statistics...
<serverip> <clientip> TCP [TCP segment of a reassembled PDU]
<serverip> <clientip> HTTP KRB Error: KRB5KRB_AP_ERR_MODIFIED
<clientip> <serverip> TCP 3152 > http [ACK] ...statistics...

.... some other traffic.....

<clientip> <kerbip> KRB5 AS-REQ
<kerbip> <clientip> KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
<clientip> <serverip> HTTP GET serviceurl HTTP/1.1
<serverip> <clientip> TCP [TCP segment of a reassembled PDU]
<serverip> <clientip> HTTP HTTP/1.1 401 Unauthorized
<clientip> <serverip> TCP 3152 > http [ACK] ...statistics...

Parsing the above is somewhat above my pay grade, unfortunately, but what appears
to be happening is some kind of inconsistency in the user information for my
domain account between my machine, kerberos, and the app server.

Any light you might be able to shed on this will be welcome, no matter how
dim.

Thanks!!

R

Dominick Baier [DevelopMentor]

Hi,

the unauthorized http traffic is normal. That's the auth handshake.

this is where the ticket for the web server is requested:

<clientip> <kerbip> KRB5 TGS-REQ
<kerbip> <clientip> KRB5 TGS-REP

If you look into these packets, is the SPN used the one you registered for the
web app?

those error messages are strange, especially KRB5KDC_ERR_PREAUTH_FAILED.

I am not sure what's going on - please check this web site:
http://www.microsoft.com/technet/pr...3/technologies/featured/kerberos/default.mspx

especially:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx

if you have any questions I am happy to answer them - if you solve it I would
be interested too :)


---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

russell.lane

Thanks, Dominick.

I'm working through the troubleshooting guide now. When I get to the bottom
of this I'll post what I find for general edification.

Thanks again for your help!

R.


russell.lane

Finally got to the bottom of this last week.

In the process of trying to figure out how to set this up, we created some
duplicate SPNs. Specifically -- we wanted to run web services under a
non-machine account, had created new ADS domain accounts for them to run
under (and which we would use to manage delegation permissions), and then
attached the same service names to more than one of these accounts.

So, if you had ADS custom account "webservice" and another one called
"webapp", we did something like this:

setspn -A http/host.domain.com:80 webservice
setspn -A http/host.domain.com:80 webapp

When Kerberos tried to resolve authentication for http/host.domain.com:80 it
didn't know whether to use "webservice" or "webapp", hence the Kerb error.

This was kind of hard to find using "setspn -L" because (a) you have to know
what SPNs are out there in the first place, and (b) you have to keep track of
which service names show up for which accounts.

I tracked this down with ldp.exe, which makes it easier to work back from
the service name, i.e., from an identifier like "http/host.domain.com:80".

Thanks again for your help with this!

R
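An added example, not from the thread or any of its posters: a PowerShell script that does the ldp.exe-style lookup described in the post above programmatically, working back from a service name to every account that holds it, and (with no arguments) sweeping the whole domain for any SPN registered on more than one account. It assumes a domain-joined machine and a caller allowed to read servicePrincipalName; it uses only the .NET DirectoryServices classes, and the SPN http/host.domain.com:80 is the thread's placeholder, not a real host.

```powershell
# Added example (not from the thread): locate duplicate servicePrincipalName registrations.
# Assumes a domain-joined machine; binds to the default naming context of the logon domain.
param(
    # Optional: a single SPN to check, e.g. http/host.domain.com:80 (placeholder from the thread)
    [string]$Spn
)

# Run an LDAP search under the domain root and return the raw results.
function Get-SpnOwners {
    param([string]$SearchFilter)
    $root     = New-Object System.DirectoryServices.DirectoryEntry      # default naming context
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = $SearchFilter
    $searcher.PageSize = 1000          # paged results; without this the server caps at 1000 objects
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
    $searcher.FindAll()
}

# Build a map SPN -> accounts for every object that carries an SPN, then keep the entries
# that name more than one account. Keys are lower-cased because SPN matching is
# case-insensitive, so HTTP/host and http/host are the same registration.
function Find-DuplicateSpns {
    $owners = @{}
    foreach ($result in Get-SpnOwners -SearchFilter '(servicePrincipalName=*)') {
        $account = $result.Properties['samaccountname'][0]
        foreach ($value in $result.Properties['serviceprincipalname']) {
            $key = $value.ToLowerInvariant()
            if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
            $owners[$key] += $account
        }
    }
    $owners.GetEnumerator() |
        Where-Object { $_.Value.Count -gt 1 } |
        ForEach-Object { [pscustomobject]@{ SPN = $_.Key; Accounts = ($_.Value -join ', ') } }
}

if ($Spn) {
    # Work back from the service name: which accounts hold exactly this SPN?
    $hits = @(Get-SpnOwners -SearchFilter "(servicePrincipalName=$Spn)" |
              ForEach-Object { $_.Properties['samaccountname'][0] })
    if ($hits.Count -gt 1) {
        # More than one holder is the condition behind the KRB5KRB_AP_ERR_MODIFIED in the thread:
        # the KDC encrypts the service ticket with one account's key, IIS decrypts with another's.
        Write-Warning "DUPLICATE: '$Spn' is registered on $($hits.Count) accounts: $($hits -join ', ')"
    } elseif ($hits.Count -eq 1) {
        Write-Output "'$Spn' is registered on exactly one account: $($hits[0])"
    } else {
        Write-Output "'$Spn' is not registered on any account"
    }
} else {
    # Domain-wide sweep: every SPN that appears on more than one account.
    Find-DuplicateSpns | Format-Table -AutoSize
}
```

Save it as a .ps1 and run it with `-Spn http/host.domain.com:80` for a single lookup or with no arguments for the full sweep; on Windows Server 2008 and later, `setspn -X` performs the same domain-wide duplicate check.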


Joe Kaplan (MVP - ADSI)

Glad you figured that out. Duplicate SPNs are the devil!

You used the same tool and technique for finding them that I would have
recommended too. I generally also use ldp.exe to set them in the first
place (and also use it for configuring constrained delegation). For some
reason, I think it is easier as you can see what's in there as you go (assuming
you know enough about LDAP to not get put off).

Joe K.

russell.lane said:
Finally got to the bottom of this last week.

In the process of trying to figure out how to set this up, we created some
duplicate SPNs. Specifically -- we wanted to run web services under a
non-machine account, had created new ADS domain accounts for them to run
under (and which we would use to manage delegation permissions), and then
attached the same service names to more than one of these accounts.

So, if you had ADS custom account "webservice" and another one called
"webapp", we did something like this:

setspn -A http/host.domain.com:80 webservice
setspn -A http/host.domain.com:80 webapp

When Kerberos tried to resolve authentication for http/host.domain.com:80
it didn't know whether to use "webservice" or "webapp", hence the Kerb
error.

This was kind of hard to find using "setspn -L" because (a) you have to
know what SPNs are out there in the first place, and (b) you have keep
track of which service names show up for which accounts.

I tracked this down with ldp.exe, which makes it easier to work back from
the service name, i.e., from an identifier like "http/host.domain.com:80".

Thanks again for your help with this!

R

Dominick Baier said:
Hi,
the unauthorized http traffic is normal. That's the auth handshake.

this is where the ricket for the web server is requests:

<clientip> <kerbip> KRB5 TGS-REQ
<kerbip> <clientip> KRB5 TGS-REP

If you look into these packets is the SPN used you registered for the web
app?

those error messages are strange, especially KRB5KDC_ERR_PREAUTH_FAILED.

I am not sure what's going on - please check this web site:
http://www.microsoft.com/technet/pr...3/technologies/featured/kerberos/default.mspx

especially:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx

if you have any questions I am happy to answer them - if you solve it I
would be interested too :)


---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Dominick --

Thanks for the reply. Sorry for the empty prior response from me,
operator error. :-(

The account I'm trying to delegate and impersonate is my domain user
account. Both that account and the account that the application group
for the web service run under have read and execute permission on the
server directory holding the service distribution through their
membership in a general domain users group.

I've sniffed the kerberos and other traffic using ethereal. Very nice
tool, thanks for the pointer! Here's what I see. In the following,
<clientIP> is the ip address the browser is running on, <serverip> is
the ip address of the server hosting the web service, and <kerbip> is
the ip address of the kerberos server. It's a longish transcript,
sorry in advance for the length.

<clientip> <serverip> HTTP GET serviceurl HTTP/1.1
<serverip> <clientip> TCP [TCP segment of a reassembled PDU]
<serverip> <clientip> HTTP HTTP/1.1 401 Unauthorized
<clientip> <serverip> TCP 3152 > http [ACK] ...statistics...
<clientip> <serverip> TCP [TCP segment of a reassembled PDU]
<clientip> <serverip> HTTP GET serviceurl HTTP/1.1
<serverip> <clientip> TCP http > 3152 [ACK] ...statistics...
<serverip> <clientip> TCP [TCP segment of a reassembled PDU]
<serverip> <clientip> HTTP KRB Error: KRB5KRB_AP_ERR_MODIFIED
<clientip> <serverip> TCP 3152 > http [ACK] ...statistics...
<clientip> <kerbip> KRB5 TGS-REQ
<kerbip> <clientip> KRB5 TGS-REP
<clientip> <serverip> TCP [TCP segment of a reassembled PDU]
<clientip> <serverip> HTTP GET serviceurl HTTP/1.1
<serverip> <clientip> TCP http > 3152 [ACK] ...statistics...
<serverip> <clientip> TCP [TCP segment of a reassembled PDU]
<serverip> <clientip> HTTP KRB Error: KRB5KRB_AP_ERR_MODIFIED
<clientip> <serverip> TCP 3152 > http [ACK] ...statistics...
... some other traffic.....

<clientip> <kerbip> KRB5 AS-REQ
<kerbip> <clientip> KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
<clientip> <serverip> HTTP GET serviceurl HTTP/1.1
<serverip> <clientip> TCP [TCP segment of a reassembled PDU]
<serverip> <clientip> HTTP HTTP/1.1 401 Unauthorized
<clientip> <serverip> TCP 3152 > http [ACK] ...statistics...
Parsing the above is somewhat above my pay grade, unfortunately, but
appears to be happening is some kind of inconsistency in the user
information for my domain account between my machine, kerberos, and
the app server.

Any light you might be able to shed on this will be welcome, no matter
how dim.

Thanks!!

R
"Dominick Baier [DevelopMentor]"
<[email protected]>
wrote in message
Hi,
looks all ok so far - some notes
- when you run the service locally it is technically no delegation - the
token is copied to IIS and it is only a single hop to the db
- does the client have NTFS read DACLs on the web service directory?
- download ethereal (www.ethereal.com) - and sniff the kerberos
handshake - is the SPN that IE requests exactly the same as you registered
for the webserver / any other oddities?
good resource:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/kerberos/default.mspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Greetings -

I'm trying to set up domain login impersonation and delegation for a
multi-tier web application. The goal is for the application, middle
tier services, and back end database to operate under the end user's
Windows domain login id. This is in the context of an intranet
deployment, no firewalls.

To begin sorting this out, I'm starting small. My first goal is to
create a simple service that will query the database as the
login user and return a dataset. Here's what I've done so far:

o Set up my user id on the DB so I can login and execute the stored
procedure.
o Written the simple service in ASP.Net C# that calls the stored
procedure.
o Installed the simple service on an app server remote from the DB
server.
o Configured the simple service to not allow anonymous login, and to use
windows authentication.
o <identity impersonate="true"> in the test service web.config
o Created a custom domain account for the service to run under.
o Created SPN's for the custom domain account that map the account to HTTP
on my app server with both fully qualified and netBIOS name, including port
number (80).
o In ADS, enabled the custom domain account I run the service under to
delegate to MSSQLsvc on the DB server.
o Created an application pool whose identity is the custom domain
account.
o Assigned my test service to the new application pool.
For initial testing, I just tried to bring the service up in IE on
both the app server (i.e., the host where the service runs) and also
from my desktop. In both cases I am logged onto the system where I'm
running the browser with my Windows domain account. On both
platforms, IE is set up so that the app server is in the intranet
zone, and windows authentication is enabled.
When I bring the service up in IE on the app server, everything is
great. I can run the service (auto-generated form from the service
WSDL), the service impersonates me and forwards my identity to the
database, the procedure runs and I get the dataset back.

When I bring the service up in IE from my desktop, IE pops up a
login prompt (this did not happen on the app server). I enter my
user name, password, and domain, and it's rejected.

When I look at the security event log on the app server, I see a
number of "Failure Audit" messages. The detail on these messages
states:

Logon failure:
Reason: Unknown user name or bad password
Logon type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
The user name, domain, workstation name, caller user name, caller
domain, caller logon id are all blank. The source network address has
the correct IP address for my workstation.
Another point of information -- if I set up the web service to use
basic authentication, everything works correctly when accessed from
a browser on either the app server or my desktop. I get a prompt
(as is expected for basic authentication), enter my user name,
password, and domain, and I can access the service as desired. So,
it seems like there's a Kerberos issue involved in here somewhere.

I'm not sure what I'm missing here. Can anyone offer some
suggestions?

Sorry for the length. There's a lot of detail to the setup for this
stuff and I'm not sure what piece is significant and what piece is
not.

Many thanks!!

R
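Dominick's two suggestions above (sniff the Kerberos handshake; compare the SPN IE requests with what is registered) and the capture summary at the top of this reply can be turned into two small offline checks. The Python below is an added example, not code from either poster: `triage_trace` tallies the 401s, TGS replies and KRB error names in Ethereal-style summary lines (the constructed sample mirrors the lines quoted above), and `check_spns` compares a `setspn -L`-style listing with the SPNs a browser will ask for. The domain, account names (CORP\svc-webapp, CORP\svc-oldapp, APPSRV01$, DBSRV01$) and host names are constructed, and the error-name hints are general Kerberos behaviour rather than a diagnosis of this particular setup.

```python
"""Added example: triage the capture summary and the SPN registration for a
Kerberos-authenticated IIS service (constructed data, not from the thread)."""
import re
from collections import Counter, defaultdict

# What the KRB error names in the trace mean for an IIS app pool using Kerberos.
KRB_ERROR_HINTS = {
    "KRB5KRB_AP_ERR_MODIFIED": (
        "web server could not decrypt the service ticket: the requested SPN maps "
        "to a key other than the app pool account's (SPN on another account, "
        "duplicate SPN, or no HTTP/ SPN so the KDC used the computer's HOST/ key)"),
    "KRB5KDC_ERR_PREAUTH_FAILED": (
        "KDC rejected pre-authentication: wrong password for the user principal"),
}

# Constructed sample in the shape of the Ethereal summary lines quoted above.
SAMPLE_TRACE = """\
<clientip> <serverip> HTTP GET serviceurl HTTP/1.1
<serverip> <clientip> HTTP HTTP/1.1 401 Unauthorized
<clientip> <serverip> HTTP GET serviceurl HTTP/1.1
<serverip> <clientip> HTTP KRB Error: KRB5KRB_AP_ERR_MODIFIED
<clientip> <kerbip> KRB5 TGS-REQ
<kerbip> <clientip> KRB5 TGS-REP
<clientip> <serverip> HTTP GET serviceurl HTTP/1.1
<serverip> <clientip> HTTP KRB Error: KRB5KRB_AP_ERR_MODIFIED
<clientip> <kerbip> KRB5 AS-REQ
<kerbip> <clientip> KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
<serverip> <clientip> HTTP HTTP/1.1 401 Unauthorized
<clientip> <serverip> TCP 3152 > http [ACK] ...statistics...
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(HTTP|KRB5|TCP)\s+(.*)$")
KRB_ERR_RE = re.compile(r"KRB Error:\s*(\S+)")


def triage_trace(text):
    """Count 401s, TGS replies (the client did obtain a service ticket) and
    each KRB error name; attach a hint per error name."""
    unauthorized = tgs_replies = 0
    errors = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, info = m.group(3), m.group(4)
        if proto == "HTTP" and info.startswith("HTTP/1.1 401"):
            unauthorized += 1
        elif proto == "KRB5" and info == "TGS-REP":
            tgs_replies += 1
        err = KRB_ERR_RE.search(info)
        if err:
            errors[err.group(1)] += 1
    return {"unauthorized": unauthorized, "tgs_replies": tgs_replies,
            "krb_errors": errors,
            "hints": {n: KRB_ERROR_HINTS.get(n, "unknown error code") for n in errors}}


# Constructed sample in the shape of `setspn -L` output, one entry per
# account; the account and host names are hypothetical.
SAMPLE_SPNS = {
    "CORP\\svc-webapp": ["HTTP/APPSRV01:80", "HTTP/appsrv01.corp.example:80"],
    "CORP\\svc-oldapp": ["HTTP/appsrv01.corp.example"],
    "CORP\\APPSRV01$": ["HOST/APPSRV01", "HOST/appsrv01.corp.example",
                       "HTTP/APPSRV01.corp.example"],
    "CORP\\DBSRV01$": ["HOST/DBSRV01", "MSSQLSvc/dbsrv01.corp.example:1433"],
}


def expected_http_spns(netbios, fqdn):
    """SPNs IE builds for http://<netbios>/ and http://<fqdn>/: HTTP/<host as
    typed>, with no port by default, so HTTP/host:80 is a different SPN."""
    return {f"HTTP/{netbios}", f"HTTP/{fqdn}"}


def check_spns(registrations, service_account, netbios, fqdn):
    """Compare registered SPNs with what the browser will ask for.
    Matching is case-insensitive; duplicates are reported lower-cased."""
    owners = defaultdict(list)
    for account, spns in registrations.items():
        for spn in spns:
            owners[spn.lower()].append(account)
    mine = {s.lower() for s in registrations.get(service_account, [])}
    expected = expected_http_spns(netbios, fqdn)
    missing = sorted(s for s in expected if s.lower() not in owners)
    wrong_account = sorted(s for s in expected if s.lower() in owners
                           and service_account not in owners[s.lower()])
    duplicates = sorted(s for s, accts in owners.items() if len(accts) > 1)
    # Port-qualified HTTP SPNs on the service account without the plain form.
    port_only = sorted(s for s in registrations.get(service_account, [])
                       if re.match(r"^HTTP/.+:\d+$", s, re.I)
                       and s.rsplit(":", 1)[0].lower() not in mine)
    return {"missing": missing, "wrong_account": wrong_account,
            "duplicates": duplicates, "port_only": port_only,
            "ok": not (missing or wrong_account or duplicates)}
```

On the constructed listing the checker reports HTTP/appsrv01 as missing, the FQDN SPN as registered on two other accounts (a duplicate, and not on the app pool account), and the service account's HTTP SPNs as port-qualified only. Each of those conditions makes the KDC encrypt the service ticket with a key the app pool account does not hold, which is exactly what the server-side KRB5KRB_AP_ERR_MODIFIED in the trace reports; the AS-REQ that ends in KRB5KDC_ERR_PREAUTH_FAILED is a separate event (a password the KDC did not accept for that user). In a real domain the listing comes from `setspn -L <account>` for the app pool account and the computer accounts involved.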
 
