Windows Authentication problem with IIS6 (Win2k3)

From: Dave Slinn (dslinn_at_accesscomm.ca)
Date: 07/07/04


Date: Wed, 7 Jul 2004 12:31:50 -0600

I have been wrestling with IIS6 security settings - I used to be able to do
this under older versions of IIS, but I can't seem to get it to work right
in IIS6.

We have a Windows 2003 Domain (pure 2K3). I want to use Windows
Authentication for our Intranet applications that we write using ASP.NET.

I believe the problem to be something related to the Kerberos technology,
but I don't know enough about it to resolve my issue. Basically, when I
enable Integrated Windows Authentication as the Authentication method for my
application, users (who are logged on locally to the same network as the web
server) are prompted for a login and password. After entering the username
and password and clicking OK, the login dialog reappears, asking for the
info again (even though it's still filled in). Clicking OK again and the
same thing happens. The third time you click OK, you get the following
error:

 - HTTP Error 401.2 - Unauthorized: Access is denied due to server
configuration. Internet Information Services (IIS)

Checking the Event log, under the Security category, multiple entries of the
following exist:

Error Event ID: 529 - Failure Audit
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name:
    Domain:
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name: -
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 172.16.87.77
    Source Port: 0

First off - why is the browser prompting for a login name and password in
the first place? Shouldn't integrated windows authentication use their
Windows credentials? Oh yeah - I have checked - their browsers DO have the
Enable Integrated Windows Authentication setting checked in their browser
(which is IE6) advanced settings.

Secondly, I know I am not typing a bad username or password - it's the same
one I use to log on to Windows in the first place. At first I thought the
account was locked out, but that wasn't it.

After spending several hours trying to find some help on the web and in the
MS knowledgebase, I came across a couple of articles (mostly relating to
Windows 2000) that talked about Kerberos and Delegation.

One article talked about ensuring the computer can be trusted for
delegation - so, in Active Directory, I changed the Computer Account for the
Web server (on the Delegation tab) from "Do not trust this computer for
delegation" to "Trust this computer for delegation to any server (Kerberos
only)". There is a third option, "Trust this computer for delegation to
specified services only" where it then offers to Use Kerberos only or Any
authentication protocol and you can define services for the account. Would
that option make a difference? What services do I add underneath?

I also tried another article suggestion, which was to modify the IIS
MetaBase using the adsutil.vbs script to set the "Negotiate,NTLM" parameter.
At first, neither option was set. Then I set both (Negotiate and NTLM). No
change. Then tried just NTLM - still no luck.

The same article discussed using the SetSPN resource kit tool to add the
HTTP protocol, which I also did, and then I added HOST, but alas, neither
setting helped.

For some reason, I just can't seem to get Integrated Windows Authentication
to work on this web server (Windows 2003 Web Edition).

Basically, I am looking for a checklist of things I can check and
double-check to see if there is a configuration setting that I am missing to
get this to work.

If I can provide any more information that I haven't included, please ask...
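The script below is an added example and is not part of the original post or of any Microsoft tool: it is a read-only diagnostic pass over the three settings the post touches (SPNs, the computer account's delegation flag, and the NTAuthenticationProviders metabase key), plus the application-pool identity those settings depend on. It uses only setspn.exe, adsutil.vbs and the .NET DirectoryServices classes, all of which exist as used here. The names WEBSRV, site id 1 and DefaultAppPool are assumptions to replace with your own; it also assumes setspn.exe and C:\Inetpub\AdminScripts\adsutil.vbs are present on the web server and that it is run there as a domain user who can read Active Directory.

```powershell
# Added diagnostic script (not from the original post): read-only checks for
# Integrated Windows Authentication on IIS6. Run on the web server as a domain
# user with read access to AD. Nothing here changes any setting.
#
# ASSUMED names - edit to match your environment:
$server  = "WEBSRV"            # NetBIOS name of the web server's computer account
$siteId  = 1                   # metabase site id (1 = Default Web Site)
$appPool = "DefaultAppPool"    # application pool hosting the ASP.NET application
$adsutil = "C:\Inetpub\AdminScripts\adsutil.vbs"   # assumed default IIS6 path

# 1. SPNs held by the computer account. HOST/<name> and HOST/<fqdn> are
#    registered automatically at domain join; when no explicit HTTP/<name> SPN
#    exists the KDC maps an HTTP/<name> request onto HOST/<name>.
Write-Host "== SPNs registered on $server (setspn -L) =="
setspn -L $server

# 2. Is any HTTP/ or HOST/ SPN for this host name registered on more than one
#    account? A duplicate SPN makes the KDC unable to issue a usable ticket, and
#    IE then falls back to prompting for credentials.
$spnSearch = New-Object DirectoryServices.DirectorySearcher(
    "(|(servicePrincipalName=HTTP/$server*)(servicePrincipalName=HOST/$server*))")
[void]$spnSearch.PropertiesToLoad.AddRange(@("distinguishedName", "servicePrincipalName"))
$pattern = "^(HTTP|HOST)/" + [regex]::Escape($server)   # -match is case-insensitive
$owners  = @{}                                         # SPN -> list of account DNs
foreach ($hit in $spnSearch.FindAll()) {
    $dn = $hit.Properties["distinguishedname"][0]
    foreach ($spn in $hit.Properties["serviceprincipalname"]) {
        if ($spn -match $pattern) {
            if (-not $owners.ContainsKey($spn)) { $owners[$spn] = @() }
            $owners[$spn] += $dn
        }
    }
}
Write-Host "== Accounts holding HTTP/ or HOST/ SPNs for $server =="
foreach ($spn in $owners.Keys) {
    Write-Host ("  {0} -> {1}" -f $spn, ($owners[$spn] -join ', '))
    if ($owners[$spn].Count -gt 1) { Write-Warning "Duplicate SPN: $spn is on more than one account" }
}

# 3. Delegation flags on the computer account. TRUSTED_FOR_DELEGATION (0x80000)
#    is the "any server (Kerberos only)" radio button; TRUSTED_TO_AUTH_FOR_DELEGATION
#    (0x1000000) plus msDS-AllowedToDelegateTo is "specified services only" with
#    "any authentication protocol". These govern the second hop (IIS passing the
#    user's identity to a back end), not whether the browser-to-IIS hop succeeds.
$compSearch = New-Object DirectoryServices.DirectorySearcher(
    "(&(objectClass=computer)(sAMAccountName=$server`$))")
[void]$compSearch.PropertiesToLoad.AddRange(@("userAccountControl", "msDS-AllowedToDelegateTo"))
$comp = $compSearch.FindOne()
if (-not $comp) { throw "Computer account for $server not found in AD" }
$uac = [int]$comp.Properties["useraccountcontrol"][0]
Write-Host ("== Delegation on {0} (userAccountControl = 0x{1:X}) ==" -f $server, $uac)
Write-Host ("  TRUSTED_FOR_DELEGATION (any service, Kerberos only): {0}" -f (($uac -band 0x80000) -ne 0))
Write-Host ("  TRUSTED_TO_AUTH_FOR_DELEGATION (any protocol):        {0}" -f (($uac -band 0x1000000) -ne 0))
$targets = $comp.Properties["msds-allowedtodelegateto"]
if ($targets.Count -gt 0) { Write-Host ("  Constrained targets: " + ($targets -join ', ')) }
else                      { Write-Host "  Constrained targets: (none)" }

# 4. Metabase: authentication schemes on the application root, the providers IIS
#    offers in WWW-Authenticate, and the identity the app pool runs as. If the
#    pool runs as a domain user (AppPoolIdentityType 3), the HTTP/ SPN must be
#    registered on that user account, not on the computer account.
Write-Host "== Metabase settings =="
cscript //nologo $adsutil get "w3svc/$siteId/root/AuthFlags"                 # 4 = Integrated Windows auth bit
cscript //nologo $adsutil get "w3svc/$siteId/root/NTAuthenticationProviders" # "Negotiate,NTLM" or "not set"
cscript //nologo $adsutil get "w3svc/AppPools/$appPool/AppPoolIdentityType"  # 0 LocalSystem, 1 LocalService, 2 NetworkService, 3 user
cscript //nologo $adsutil get "w3svc/AppPools/$appPool/WAMUserName"          # populated only for type 3
```

Read the output as a checklist: an SPN that the script reports on two accounts, or an HTTP/ SPN sitting on the computer account while step 4 shows the pool running as a domain user, is enough on its own to break Kerberos on the first hop. The delegation flags in step 3 can be left at "Do not trust" while working on that, since they only come into play once IIS has already authenticated the browser and needs to reach a further server.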
