Using DNS name versus Machine Name causes 403 error

Discussion in 'ASP .Net Web Services' started by Jason, Sep 13, 2006.

  1. Jason

    Jason Guest

    Hi,

    I have developed a web service using VS2005 and have landed it on a Windows 2003
    Server. The Server is an Intranet Server so I am using credentials while
    connecting to the server so authentication takes place.

    My problem is that when I connect to the server with a URL like:

    http://MYSERVER/Service/webservice.asmx I have no problem. The server Name
    is MYSERVER

    If I try and connect using its DNS name like

    http://MYSERVER.mydomain.com/Service/webservice.asmx I receive 403 errors.
    The DNS resolves to the same IP address as above.

    My final goal is to set up a load balanced web service but before I can do
    that I need to be able to connect to a web service using DNS name.

    Can you help?

    Thanks
    Jason
     
    Jason, Sep 13, 2006
    #1

  2. Hello Jason,

    From your description, you've developed and hosted an ASP.NET webservice on
    a Windows 2003 server machine and the webservice is secured through
    integrated Windows authentication in IIS. When calling the webservice, you
    found it always returns a 403 error if you use the DNS name but works well if
    you use the NetBIOS machine name to visit it, correct? If I missed anything,
    please feel free to let me know.

    As for the webservice function call, are you testing it on some remote client
    machines which are using Windows 2000 or later (XP or 2003) operating systems?
    If this is the case, based on my experience, it is likely due to the client
    machine failing to establish Kerberos authentication with the server
    machine. When the client machine establishes Windows authentication with the
    server, if both the client and server are Windows 2000 or later operating
    systems, they'll use the Kerberos authentication protocol. And the Kerberos
    authentication protocol requires the server name (in the URL) to be registered
    with a certain service principal name in the KDC (mostly the DC in a Windows
    domain). For your case, it is possible that the DNS name you used hasn't been
    registered with your server's server name in the DC.

    Here is a knowledge base article that describes the problem; you can have a
    look to see whether it matches your case:

    #Authentication may fail with "401.3" Error if Web site's "Host Header"
    differs from server's NetBIOS name
    http://support.microsoft.com/?id=294382


    Also, I think this is a typical IIS-specific issue. To further isolate it,
    you can create an ASP.NET page or normal HTML page (in the webservice's IIS
    virtual directory) and visit it from the same client machine to see whether
    you meet the same behavior. Another means is to disable Kerberos
    authentication and force the IIS site or virtual directory to use NTLM for
    Windows authentication only. If this works, we can confirm that the problem
    is indeed caused by Kerberos authentication. The KB article below introduces
    how to change IIS to use NTLM or both Kerberos and NTLM as the Windows
    authentication protocol:

    #How to configure IIS to support both the Kerberos protocol and the NTLM
    protocol for network authentication
    http://support.microsoft.com/kb/215383/en-us

    Hope this helps. Please feel free to let me know if you make any further
    progress or need any further assistance.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead



    ==================================================

    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.



    Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
    where an initial response from the community or a Microsoft Support
    Engineer within 1 business day is acceptable. Please note that each follow
    up response may take approximately 2 business days as the support
    professional working with you may need further investigation to reach the
    most efficient resolution. The offering is not appropriate for situations
    that require urgent, real-time or phone-based interactions or complex
    project analysis and dump analysis issues. Issues of this nature are best
    handled working with a dedicated Microsoft Support Engineer by contacting
    Microsoft Customer Support Services (CSS) at
    http://msdn.microsoft.com/subscriptions/support/default.aspx.

    ==================================================



    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Steven Cheng[MSFT], Sep 13, 2006
    #2

  3. Jason

    Jason Guest

    Steven,

    Thanks for your response.

    I have been trying to understand the difference between my own system and
    the current production system that works just fine using DNS name versus
    NetBIOS name. I did find that the production Server has an additional Server
    Principal Name set so I will try setting the SPN for my Server and see if
    that works.

    Can you tell me if 3 servers can all be set with the same SPN? In the new
    Production environment I have 3 Servers using NLB. For this approach to work
    I would need to add the same SPN to each of the Servers. Will this cause a
    problem in Active Directory??

    On a side note, while I somewhat understand the issue here when my client
    app connects to the Web service, I am a little confused why a web browser
    from the same client is able to access the web service directly with no
    errors. Why does the web browser connect while my Windows app fails??

    Also, I have credentials set and Preauthenticate=true set but the first
    connection is always anonymous so there are two hits to the web server... Is
    there any way to stop the initial anonymous connection and connect first
    time with credentials??

    Thanks
    Jason
     
    Jason, Sep 13, 2006
    #3
  4. Thanks for your followup Jason,

    I'm not quite sure about multiple DNS names as SPNs pointing to the same
    server; this is more specific to AD configuration and, due to my limited
    experience with this, I would suggest you post in some server & platform
    specific newsgroup, where I think this can be well answered.

    As for the different behavior between the programmatic interface and the IE
    browser, this is because when using the IE web browser, the client browser may
    be able to choose the downlevel NTLM protocol when using Kerberos fails.
    However, the webservice proxy, which uses the HttpWebRequest class, may not
    support such graceful handling of this condition.

    Anyway, I suggest you try explicitly configuring the IIS site to use NTLM
    only (exclude Negotiate) to see whether it works.

    You can also post this issue in an IIS-specific newsgroup since it also
    involves much IIS-specific configuration.

    Please feel free to let me know if you need any other information.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Steven Cheng[MSFT], Sep 14, 2006
    #4
  5. Jason

    Jason Guest

    Thanks Steven,

    I am waiting for the Infrastructure guys to run setSPN on my Dev Server so I
    can test to see if it or at least changes the symptoms.

    I have already switched the server to NTLM only and it makes no difference.

    Thanks for your help
    Jason
     
    Jason, Sep 15, 2006
    #5
  6. Thanks for your reply Jason,

    I'm a bit surprised that NTLM also does not work on your side.

    BTW, one thing we can also try is to use some network trace utility to capture
    the HTTP request/response stream (for the requests made by IE and the
    webservice client proxy). I think you can find the difference by focusing on
    the authentication section in the HTTP header or the whole sequence of how the
    connection gets established.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Steven Cheng[MSFT], Sep 18, 2006
    #6
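
The header comparison suggested in the last reply can be done mechanically. The following Python sketch is an added example, not code from the thread: it reads the Authorization and WWW-Authenticate headers out of a captured trace and reports whether each token is NTLM or Kerberos. The function names are hypothetical, and the sample trace and tokens are constructed.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"                        # start of every NTLM message
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2


def classify_auth_value(value):
    """Classify one Authorization / WWW-Authenticate header value."""
    parts = value.strip().split(None, 1)
    if not parts:
        return "empty"
    scheme = parts[0]
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other: " + scheme
    if len(parts) == 1:
        return scheme + " offered (no token)"
    try:
        token = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return scheme + " with undecodable token"
    pos = token.find(NTLMSSP_SIG)
    if pos != -1 and len(token) >= pos + 12:
        # NTLM message type: 1 = negotiate, 2 = challenge, 3 = authenticate
        (msg_type,) = struct.unpack_from("<I", token, pos + 8)
        return "%s carrying NTLM type %d" % (scheme, msg_type)
    if token[:1] == b"\x60" and KRB5_OID in token:
        # GSS-API initial token that names the Kerberos 5 mechanism
        return scheme + " carrying Kerberos"
    return scheme + " with unrecognised token"


def summarize(trace):
    """Return (header name, classification) for each auth header in a capture."""
    found = []
    for line in trace.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("authorization", "www-authenticate"):
            found.append((name.strip(), classify_auth_value(value)))
    return found


# Constructed sample data (not a real capture): an NTLM type 1 message and a
# stub holding only the GSS-API tag, the SPNEGO OID and the Kerberos OID.
NTLM_T1 = base64.b64encode(NTLMSSP_SIG + struct.pack("<II", 1, 0x00088207)).decode()
KRB_STUB = base64.b64encode(b"\x60\x13" + bytes.fromhex("06062b0601050502") + KRB5_OID).decode()
SAMPLE_TRACE = ("HTTP/1.1 401 Unauthorized\nWWW-Authenticate: Negotiate\n"
                "WWW-Authenticate: NTLM\n\nGET /Service/webservice.asmx HTTP/1.1\n"
                "Authorization: Negotiate " + NTLM_T1 + "\n")
```

Running `summarize` over the browser's trace and the proxy's trace side by side shows which mechanism each client actually sent after the server's 401 challenge.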