Windows Credentialing Security Problem

Discussion in 'ASP .Net' started by Joseph Geretz, Apr 22, 2004.

  1. I'm having a credentialing problem in my web application. Actually, I don't
    think this is an IIS security issue, since I'm able to access the page I'm
    requesting. However, the executing page itself is not able to access a
    specific network resource and I just can't figure out why. First of all, let
    me say this worked fine with IIS running on Win2000 Server. This has not
    worked since I upgraded to Windows Server 2003.

    My Platform: Windows Server 2003 / IIS6 / .Net Framework v1.1.4322

    My web site has a virtual directory named FPSNowAuth. This virtual directory
    disallows anonymous access and is set to use Windows Integrated security.
    Thus every page access from this virtual directory must either be
    authenticated or fail.

    Here are the relevant blocks from the Web.config file:

    <authentication mode="Windows" />
    <identity impersonate="true" userName="" password=""/>

    Thus, code executing in the context of a page request should be executing in
    the security context of the authenticated user. Here's a snippet from the
    log file:

    2004-04-22 04:28:34 192.168.1.3 GET /FPSNowAuth/browser.aspx
    dir=ftp/Dimension 81 INTDOM\Boss 192.168.1.1
    Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.0.3705) 200

    As you can see, I accessed the page '/FPSNowAuth/browser.aspx' with the
    querystring 'dir=ftp/Dimension' appended to the URL. I authenticated as
    INTDOM\Boss, the Domain Administrator. HTTP Status was 200. The page request
    succeeded. However...

    browser.aspx is a .NET page which returns a directory listing of the
    directory identified by the dir querystring parameter, in this case
    ftp/Dimension. (For a practical example of this, you may check out
    www.fpsnow.com/browser.aspx?dir=ftp/download. This is the public area of my
    site.) FPSNowAuth/ftp/Dimension is mapped to a network fileshare
    \\Dimension\User. Here we get to the heart of the problem.

    When I'm on the server, browsing the virtual directory in the IIS console, I
    can see all the folders and files subordinate to \\Dimension\User. When I
    hit this page from a browser on the server, I get a nicely formatted listing
    of these folders and files, generated by browser.aspx. However, when I hit
    this page from a browser on any other workstation, I get the following
    runtime error during the course of the page execution:

    Access to path \\Dimension\User is denied.

    This despite the fact that I have authenticated as INTDOM\Boss, as shown in
    the log file snippet. So running under the identity of INTDOM\Boss, why the
    heck am I denied access to a network resource?

    For the .NET developers among us, here's the line of code which throws the
    exception:

    DirectoryInfo[] Dirs = DirInfo.GetDirectories();

    The directory indicated by DirInfo is \\Dimension\User\. Prior to executing
    this line, I've already checked to ensure that Request.IsAuthenticated ==
    true. I've stepped through this in debug mode and confirmed that it is
    indeed true (as the log file entry indicates).

    So, I'm baffled. The page is executing under the identity of the domain
    admin, yet I get an access denied when attempting to access a network
    resource. Any ideas?

    Thank for any assistance which you can offer.

    - Joe Geretz -
     
    Joseph Geretz, Apr 22, 2004
    #1
    1. Advertising

  2. Joseph Geretz

    Ken Schaefer Guest

    I suspect (very strongly) that this is a double-hop authentication problem.
    You can confirm this by disabling IWA, and enabling Basic Auth. If all your
    problems go away, then it is the double-hop auth problem.

    With Basic Auth, the webserver has your username and password, so it can
    directly impersonate you when authenticating to the remote resource.

    With Digest or IWA auth, IIS only has a token that doesn't have access to
    remote resources. To get around this you can configure Delegation.

    a) Both the user account(s) and the server's computer account must be
    trusted for delegation in the directory. See
    http://support.microsoft.com/default.aspx?kbid=325894
    HOW TO: Configure Computer Accounts and User Accounts So That They Are
    Trusted for Delegation in Windows Server 2003 Enterprise Edition (also
    includes Windows 2000 instructions)

    b) The SPN (Service Principal Name) needs to be registered, if it isn't
    already (e.g. you are using a FQDN rather than the NetBIOS name of the
    service). Use the SetSPN.exe tool to do this. For more information on
    SetSPN.exe
    Authentication May Fail with "401.3" Error If Web Site's "Host Header"
    Differs from Server's NetBIOS
    see: http://support.microsoft.com/?id=294382

    c) The client browser and IIS server must authenticate using Kerberos not
    NTLM v2 (Not required in a windows 2003 Domain - see below) This means that:
    - Use Integrated Windows Authentication (requires restart) is checked in
    I.E.
    - IIS is sending "Negotiate" WWW-Authenticate headers
    - The client-brower can contact the KDC (the Windows Domain Controllers) to
    get an appropriate Kerberos ticket

    If you are using a Windows 2003 Domain, you can take advantage of Protocol
    Transition. This allows the user to authenticate using any protocol to IIS,
    and IIS can still get a Kerberos ticket to access the remote SQL Server.
    There is information on setting up constrained delegation (using all
    protocols) here:

    http://www.microsoft.com/resources/...resources/documentation/WindowsServ/2003/stan
    dard/proddocs/en-us/se_con_del_computer.asp
    Configuring Users and Computers for delegation (there's a couple of pages -
    use the links in the nav bar to get to them). Following the instructions on
    contrsained delegation.

    there is more information on Protocol Transition here:
    Windows 2003 Protocol Transition
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx

    This article may also help:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
    HOW TO: Configure an ASP.NET Application for a Delegation Scenario

    Hope this all helps!

    Cheers
    Ken



    "Joseph Geretz" <> wrote in message
    news:...
    : I'm having a credentialing problem in my web application. Actually, I
    don't
    : think this is an IIS security issue, since I'm able to access the page I'm
    : requesting. However, the executing page itself is not able to access a
    : specific network resource and I just can't figure out why. First of all,
    let
    : me say this worked fine with IIS running on Win2000 Server. This has not
    : worked since I upgraded to Windows Server 2003.
    :
    : My Platform: Windows Server 2003 / IIS6 / .Net Framework v1.1.4322
    :
    : My web site has a virtual directory named FPSNowAuth. This virtual
    directory
    : disallows anonymous access and is set to use Windows Integrated security.
    : Thus every page access from this virtual directory must either be
    : authenticated or fail.
    :
    : Here are the relevant blocks from the Web.config file:
    :
    : <authentication mode="Windows" />
    : <identity impersonate="true" userName="" password=""/>
    :
    : Thus, code executing in the context of a page request should be executing
    in
    : the security context of the authenticated user. Here's a snippet from the
    : log file:
    :
    : 2004-04-22 04:28:34 192.168.1.3 GET /FPSNowAuth/browser.aspx
    : dir=ftp/Dimension 81 INTDOM\Boss 192.168.1.1
    : Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.0.3705) 200
    :
    : As you can see, I accessed the page '/FPSNowAuth/browser.aspx' with the
    : querystring 'dir=ftp/Dimension' appended to the URL. I authenticated as
    : INTDOM\Boss, the Domain Administrator. HTTP Status was 200. The page
    request
    : succeeded. However...
    :
    : browser.aspx is a .NET page which returns a directory listing of the
    : directory identified by the dir querystring parameter, in this case
    : ftp/Dimension. (For a practical example of this, you may check out
    : www.fpsnow.com/browser.aspx?dir=ftp/download. This is the public area of
    my
    : site.) FPSNowAuth/ftp/Dimension is mapped to a network fileshare
    : \\Dimension\User. Here we get to the heart of the problem.
    :
    : When I'm on the server, browsing the virtual directory in the IIS console,
    I
    : can see all the folders and files subordinate to \\Dimension\User. When I
    : hit this page from a browser on the server, I get a nicely formatted
    listing
    : of these folders and files, generated by browser.aspx. However, when I hit
    : this page from a browser on any other workstation, I get the following
    : runtime error during the course of the page execution:
    :
    : Access to path \\Dimension\User is denied.
    :
    : This despite the fact that I have authenticated as INTDOM\Boss, as shown
    in
    : the log file snippet. So running under the identity of INTDOM\Boss, why
    the
    : heck am I denied access to a network resource?
    :
    : For the .NET developers among us, here's the line of code which throws the
    : exception:
    :
    : DirectoryInfo[] Dirs = DirInfo.GetDirectories();
    :
    : The directory indicated by DirInfo is \\Dimension\User\. Prior to
    executing
    : this line, I've already checked to ensure that Request.IsAuthenticated ==
    : true. I've stepped through this in debug mode and confirmed that it is
    : indeed true (as the log file entry indicates).
    :
    : So, I'm baffled. The page is executing under the identity of the domain
    : admin, yet I get an access denied when attempting to access a network
    : resource. Any ideas?
    :
    : Thank for any assistance which you can offer.
    :
    : - Joe Geretz -
    :
    :
     
    Ken Schaefer, Apr 22, 2004
    #2
    1. Advertising

  3. Thanks Ken,

    > I suspect (very strongly) that this is a double-hop authentication

    problem.
    > You can confirm this by disabling IWA, and enabling Basic Auth. If all

    your
    > problems go away, then it is the double-hop auth problem.


    Your suggestion is right on target. So this is a delegation issue. Thanks
    for clearing that up. You've given me quite a list of suggestions and
    refrences which I'll start to work through. If I have specific questions on
    any of these points I'll post back.

    Thanks,

    Joe Geretz

    "Ken Schaefer" <> wrote in message
    news:...
    > I suspect (very strongly) that this is a double-hop authentication

    problem.
    > You can confirm this by disabling IWA, and enabling Basic Auth. If all

    your
    > problems go away, then it is the double-hop auth problem.
    >
    > With Basic Auth, the webserver has your username and password, so it can
    > directly impersonate you when authenticating to the remote resource.
    >
    > With Digest or IWA auth, IIS only has a token that doesn't have access to
    > remote resources. To get around this you can configure Delegation.
    >
    > a) Both the user account(s) and the server's computer account must be
    > trusted for delegation in the directory. See
    > http://support.microsoft.com/default.aspx?kbid=325894
    > HOW TO: Configure Computer Accounts and User Accounts So That They Are
    > Trusted for Delegation in Windows Server 2003 Enterprise Edition (also
    > includes Windows 2000 instructions)
    >
    > b) The SPN (Service Principal Name) needs to be registered, if it isn't
    > already (e.g. you are using a FQDN rather than the NetBIOS name of the
    > service). Use the SetSPN.exe tool to do this. For more information on
    > SetSPN.exe
    > Authentication May Fail with "401.3" Error If Web Site's "Host Header"
    > Differs from Server's NetBIOS
    > see: http://support.microsoft.com/?id=294382
    >
    > c) The client browser and IIS server must authenticate using Kerberos not
    > NTLM v2 (Not required in a windows 2003 Domain - see below) This means

    that:
    > - Use Integrated Windows Authentication (requires restart) is checked in
    > I.E.
    > - IIS is sending "Negotiate" WWW-Authenticate headers
    > - The client-brower can contact the KDC (the Windows Domain Controllers)

    to
    > get an appropriate Kerberos ticket
    >
    > If you are using a Windows 2003 Domain, you can take advantage of Protocol
    > Transition. This allows the user to authenticate using any protocol to

    IIS,
    > and IIS can still get a Kerberos ticket to access the remote SQL Server.
    > There is information on setting up constrained delegation (using all
    > protocols) here:
    >
    >

    http://www.microsoft.com/resources/...resources/documentation/WindowsServ/2003/stan
    > dard/proddocs/en-us/se_con_del_computer.asp
    > Configuring Users and Computers for delegation (there's a couple of

    pages -
    > use the links in the nav bar to get to them). Following the instructions

    on
    > contrsained delegation.
    >
    > there is more information on Protocol Transition here:
    > Windows 2003 Protocol Transition
    >

    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx
    >
    > This article may also help:
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
    > HOW TO: Configure an ASP.NET Application for a Delegation Scenario
    >
    > Hope this all helps!
    >
    > Cheers
    > Ken
    >
    >
    >
    > "Joseph Geretz" <> wrote in message
    > news:...
    > : I'm having a credentialing problem in my web application. Actually, I
    > don't
    > : think this is an IIS security issue, since I'm able to access the page

    I'm
    > : requesting. However, the executing page itself is not able to access a
    > : specific network resource and I just can't figure out why. First of all,
    > let
    > : me say this worked fine with IIS running on Win2000 Server. This has not
    > : worked since I upgraded to Windows Server 2003.
    > :
    > : My Platform: Windows Server 2003 / IIS6 / .Net Framework v1.1.4322
    > :
    > : My web site has a virtual directory named FPSNowAuth. This virtual
    > directory
    > : disallows anonymous access and is set to use Windows Integrated

    security.
    > : Thus every page access from this virtual directory must either be
    > : authenticated or fail.
    > :
    > : Here are the relevant blocks from the Web.config file:
    > :
    > : <authentication mode="Windows" />
    > : <identity impersonate="true" userName="" password=""/>
    > :
    > : Thus, code executing in the context of a page request should be

    executing
    > in
    > : the security context of the authenticated user. Here's a snippet from

    the
    > : log file:
    > :
    > : 2004-04-22 04:28:34 192.168.1.3 GET /FPSNowAuth/browser.aspx
    > : dir=ftp/Dimension 81 INTDOM\Boss 192.168.1.1
    > : Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.0.3705)

    200
    > :
    > : As you can see, I accessed the page '/FPSNowAuth/browser.aspx' with the
    > : querystring 'dir=ftp/Dimension' appended to the URL. I authenticated as
    > : INTDOM\Boss, the Domain Administrator. HTTP Status was 200. The page
    > request
    > : succeeded. However...
    > :
    > : browser.aspx is a .NET page which returns a directory listing of the
    > : directory identified by the dir querystring parameter, in this case
    > : ftp/Dimension. (For a practical example of this, you may check out
    > : www.fpsnow.com/browser.aspx?dir=ftp/download. This is the public area of
    > my
    > : site.) FPSNowAuth/ftp/Dimension is mapped to a network fileshare
    > : \\Dimension\User. Here we get to the heart of the problem.
    > :
    > : When I'm on the server, browsing the virtual directory in the IIS

    console,
    > I
    > : can see all the folders and files subordinate to \\Dimension\User. When

    I
    > : hit this page from a browser on the server, I get a nicely formatted
    > listing
    > : of these folders and files, generated by browser.aspx. However, when I

    hit
    > : this page from a browser on any other workstation, I get the following
    > : runtime error during the course of the page execution:
    > :
    > : Access to path \\Dimension\User is denied.
    > :
    > : This despite the fact that I have authenticated as INTDOM\Boss, as shown
    > in
    > : the log file snippet. So running under the identity of INTDOM\Boss, why
    > the
    > : heck am I denied access to a network resource?
    > :
    > : For the .NET developers among us, here's the line of code which throws

    the
    > : exception:
    > :
    > : DirectoryInfo[] Dirs = DirInfo.GetDirectories();
    > :
    > : The directory indicated by DirInfo is \\Dimension\User\. Prior to
    > executing
    > : this line, I've already checked to ensure that Request.IsAuthenticated

    ==
    > : true. I've stepped through this in debug mode and confirmed that it is
    > : indeed true (as the log file entry indicates).
    > :
    > : So, I'm baffled. The page is executing under the identity of the domain
    > : admin, yet I get an access denied when attempting to access a network
    > : resource. Any ideas?
    > :
    > : Thank for any assistance which you can offer.
    > :
    > : - Joe Geretz -
    > :
    > :
    >
    >
     
    Joseph Geretz, Apr 23, 2004
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Aaron
    Replies:
    1
    Views:
    389
    John C. Bollinger
    Aug 4, 2003
  2. Marco
    Replies:
    1
    Views:
    2,462
    Roedy Green
    Jan 28, 2006
  3. Akram Baig
    Replies:
    0
    Views:
    358
    Akram Baig
    Apr 7, 2011
  4. Dinis Cruz

    Asp.Net Security Analyser (new security tool by DDPlus)

    Dinis Cruz, Oct 8, 2003, in forum: ASP .Net Security
    Replies:
    2
    Views:
    177
    Dinis Cruz
    Oct 11, 2003
  5. Michael Randrup
    Replies:
    3
    Views:
    348
    Henning Krause [MVP]
    Mar 27, 2006
Loading...

Share This Page