Re: IIS Remote Content and Kerberos Delegation
From: Jacob (jacobl_at_globalknowledgeconsultants.com)
Date: 05/21/04
- Next message: CJM: "Re: Can't render ASP pages on IIS5.1"
- Previous message: Toby A Inkster: "Re: Table size incorrect when 'linked to' but not when navigated to using 'Forward'"
- In reply to: Ray at <%=sLocation%> [MVP]: "Re: IIS Remote Content and Kerberos Delegation"
- Next in thread: Ray at <%=sLocation%> [MVP]: "Re: IIS Remote Content and Kerberos Delegation"
- Reply: Ray at <%=sLocation%> [MVP]: "Re: IIS Remote Content and Kerberos Delegation"
- Messages sorted by: [ date ] [ thread ]
Date: 21 May 2004 00:19:48 -0700
Thanks Ray,
I've already had a look at those two articles, and whilst they're
useful I still haven't found anything that explains this.
The IIS web is only set to accept Windows Integrated Auth - Basic and
Anonymous are not ticked. This leaves the only question being: which
of the two Integrated Auth 'sub-types' is being used (Kerberos or
NTLM)? I'm almost certain it's Kerberos because the event log shows
this:
---------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 20/05/2004
Time: 4:37:48 PM
User: MYDOMAIN\joeuser
Computer: WEB01
Description:
Successful Network Logon:
User Name: joeuser
Domain: MYDOMAIN
Logon ID: (0x0,0x438597E)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {21188530-3308-bb42-8b30-82c6c8fbb470}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.0.0.76
Source Port: 3654
---------------------------------------------------------
If so, Kerberos is able to be delegated (at least SHOULD be able to -
not for me though :-P ), as can Basic. I've already tested and proven
that Basic works, but unfortunately for me Basic is not suitable - I
need to be able to use Integrated Auth.
Now, to confuse things even more...
Further testing reveals that if I first make a connection to some
local content on the IIS web (e.g. a dummy.asp page which simply
displays 'Hello World'), then DURING THE SAME SESSION, browse to the
remote-served content, e.g.
http://test.dev.mydomain.net/webtest/***.gif, it works fine!
It seems that if my first browse request during the session is for
remote content, I don't yet have a Kerberos ticket, and therefore the
second 'hop' from IIS server --> file server can't be made with
delegated credentials, and so the ANONYMOUS account is used. However,
if I first request some locally-served content, IIS grants me a
Kerberos ticket which I am then able to use for the
remote content during the same session.
At least, this is the observed behaviour. Does this make any sense?
Is this the way it's supposed to work?
Regards,
Jacob
"Ray at <%=sLocation%> [MVP]" <myfirstname at lane34 dot com> wrote in message news:<O1DvLZnPEHA.2444@TK2MSFTNGP12.phx.gbl>...
> I think your issue has to do with lack of tokens based on your authentication.
> (I'm not expert at this stuff though.)
>
> Read these two interesting articles and make sure that you're using an
> authentication method that will send kerberos tokens.
>
> http://support.microsoft.com/?kbid=287537
> http://support.microsoft.com/?kbid=264921
>
> Ray at work
>
> "Jacob" <jacobl@globalknowledgeconsultants.com> wrote in message
> news:2369d983.0405192359.6af1899d@posting.google.com...
> > Hello All,
> > I am trying to serve out some content via IIS that is hosted on a
> > remote fileserver, and am unable to get the delegation working
> > correctly. Our setup is as follows:
> >
> > 2) Then I changed the '\webtest' virtual dir to use passthrough
> > authentication, connecting as the authenticated user accessing the
> > website. I browsed to the URL again (after closing the browser to
> > clear the cache first). I immediately got a userid/password challenge
> > dialog, into which I entered the credentials for 'MYDOMAIN\joeuser'.
> > They weren't accepted and I was challenged 3 times in total before IIS
> > finally came back with an 'HTTP 401.3 - Unauthorized: Access is denied
> > due to an ACL set on the requested resource' error.
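The question Jacob is trying to answer from the Security log (Kerberos or NTLM behind "Integrated Auth") can be checked mechanically. The Python below is an added example, not code from the thread: it parses event 540 entries in the "Field: value" layout quoted above and flags which network logons used the Kerberos package (the only one of the two that can be delegated to the second hop). The Kerberos sample is abridged from the post; the NTLM sample is constructed to show the fallback case.

```python
from typing import Dict, List

# Constructed samples. The first is abridged from the event quoted in the
# post; the second is made up here to show what an NTLM fallback looks like.
KERBEROS_EVENT = """Event Type: Success Audit
Event Source: Security
Event ID: 540
User: MYDOMAIN\\joeuser
Computer: WEB01
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Source Network Address: 10.0.0.76"""

NTLM_EVENT = """Event Type: Success Audit
Event Source: Security
Event ID: 540
User: MYDOMAIN\\joeuser
Computer: WEB01
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Source Network Address: 10.0.0.76"""


def parse_event(text: str) -> Dict[str, str]:
    """Split 'Field: value' lines on the FIRST colon only, so values such
    as 'Time: 4:37:48 PM' or 'Logon ID: (0x0,0x438597E)' stay intact."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def is_kerberos_network_logon(fields: Dict[str, str]) -> bool:
    """True for a successful network logon (event 540, logon type 3) whose
    authentication package is Kerberos; NTLM logons cannot be delegated."""
    return (fields.get("Event ID") == "540"
            and fields.get("Logon Type") == "3"
            and fields.get("Authentication Package", "").lower() == "kerberos")


def summarize(events: List[str]) -> Dict[str, int]:
    """Count logons per authentication package across a batch of events."""
    counts: Dict[str, int] = {}
    for ev in events:
        pkg = parse_event(ev).get("Authentication Package", "unknown")
        counts[pkg] = counts.get(pkg, 0) + 1
    return counts
```

Run `summarize` over the 540 events exported from the web server's Security log to see whether any browser sessions are silently falling back to NTLM, which would explain an anonymous second hop.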