Re: Windows Authentication problem with IIS6 (Win2k3)
From: David Slinn (dslinn_at_accesscomm.ca)
Date: 07/08/04
- Next message: Todd: "RE: IIS 6.0 WWW service continues to stop"
- Previous message: Jeff Cochran: "Re: I'm totally stumped - IIS not working on two separate machines - 500 Internal Server Error"
- In reply to: Jeff Cochran: "Re: Windows Authentication problem with IIS6 (Win2k3)"
- Next in thread: David Wang [Msft]: "Re: Windows Authentication problem with IIS6 (Win2k3)"
- Reply: David Wang [Msft]: "Re: Windows Authentication problem with IIS6 (Win2k3)"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 7 Jul 2004 22:09:10 -0600
Jeff - Thank you SOOOOO much - your suggestion to check out the IIS
Operations Guide (which I didn't even know existed) led me to the page
titled "Force NTLM Authentication". It showed how to open the IIS
MetaBase.xml file in notepad and locate the NTAuthenticationProviders
property. Once I found it, this is what it was set to:
NTAuthenticationProviders=""Negotiate, NTLM""
* Note the double quotes on either end.
The page talked about deleting Negotiate part, but I found that my error was
actually caused by the double quotation marks - evidently left there by the
adsutil.vbs script I had run previously. It "inserted" a quoted string
inside the existing quotes - which caused IIS all sorts of grief. I removed
the extra quotes, setting it to NTAuthenticationProviders="Negotiate, NTLM".
Presto - it worked instantly. For good measure, I also tried
NTAuthenticationProviders="NTLM". That also worked great. The only
difference being that the dual provider caused the IE login dialog to
appear, regardless of the IE setting regarding Enabling Integrated Windows
Authentication. I have a hunch that may be related to the fact that my IIS
Application Pool runs as a domain user and not as a local machine account,
but I'll investigate further later.
There was obviously a bit of luck involved in finding this error - I hope
this post helps the next person to encounter this issue and saves them the
frustration I've gone through the past 24 hours.
Still - I can't complain too much - I still prefer a tightly locked-down
system that you have to open as opposed to previous IIS incarnations that
are causing all kinds of security grievances. I sleep better at night
knowing that if it took me this long to get something working, with full
Administrator rights, documentation and access, script-kiddies have got
their work cut out for them. :)
- Dave
"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
news:40ef76a7.1070541647@msnews.microsoft.com...
> On Wed, 7 Jul 2004 12:31:50 -0600, "Dave Slinn" <dslinn@accesscomm.ca>
> wrote:
>
> [ Answered inline ]
>
> >I have been wrestling with IIS6 security settings - I used to be able to do
> >this under older versions of IIS, but I can't seem to get it to work right
> >in IIS6.
> >
> >We have a Windows 2003 Domain (pure 2K3). I want to use Windows
> >Authentication for our Intranet applications that we write using ASP.NET.
> >
> >I believe the problem to be something related to the Kerberos technology,
> >but I don't know enough about it to resolve my issue. Basically, when I
> >enable Integrated Windows Authentication as the Authentication method for my
> >application, users (who are logged on locally to the same network as the web
> >server) are prompted for a login and password. After entering the username
> >and password and clicking OK, the login dialog reappears, asking for the
> >info again (even though it's still filled in). Clicking OK again and the
> >same thing happens. The third time you click OK, you get the following
> >error:
> >
> > - HTTP Error 401.2 - Unauthorized: Access is denied due to server
> >configuration. Internet Information Services (IIS)
> >
> >Checking the Event log, under the Security category, multiple entries of the
> >following exist:
> >
> >Error Event ID: 529 - Failure Audit
> > Logon Failure:
> > Reason: Unknown user name or bad password
> > User Name:
> > Domain:
> > Logon Type: 3
> > Logon Process: Kerberos
> > Authentication Package: Kerberos
> > Workstation Name: -
> > Caller User Name: -
> > Caller Domain: -
> > Caller Logon ID: -
> > Caller Process ID: -
> > Transited Services: -
> > Source Network Address: 172.16.87.77
> > Source Port: 0
> >
> >
> >First off - why is the browser prompting for a login name and password in
> >the first place? Shouldn't integrated windows authentication use their
> >Windows credentials? Oh yeah - I have checked - their browsers DO have the
> >Enable Integrated Windows Authentication setting checked in their browser
> >(which is IE6) advanced settings.
>
> But that doesn't mean IE will pass credentials. If IE suspects the
> site is not in an intranet or trusted zone, it doesn't pass
> credentials. Add your domain to the intranet security zone in IE.
>
> >Secondly, I know I am not typing a bad username or password - it's the same
> >one I use to log on to Windows in the first place. At first I thought the
> >account was locked out, but that wasn't it.
>
> Is the web server in the domain? I'm assuming it's a domain account
> you use.
>
> >After spending several hours trying to find some help on the web and in the
> >MS knowledgebase, I came across a couple of articles (mostly relating to
> >Windows 2000) that talked about Kerberos and Delegation.
> >
> >One article talked about ensuring the computer can be trusted for
> >delegation - so, in Active Directory, I changed the Computer Account for the
> >Web server (on the Delegation tab) from "Do not trust this computer for
> >delegation" to "Trust this computer for delegation to any server (Kerberos
> >only)". There is a third option, "Trust this computer for delegation to
> >specified services only" where it then offers to Use Kerberos only or Any
> >authentication protocol and you can define services for the account. Would
> >that option make a difference? What services do I add underneath?
> >
> >I also tried another article suggestion, which was to modify the IIS
> >MetaBase using the adsutil.vbs script to set the "Negotiate,NTLM" parameter.
> >At first, neither option was set. Then I set both (Negotiate and NTLM). No
> >change. Then tried just NTLM - still no luck.
> >
> >The same article discussed using the SetSPN resource kit tool to add the
> >HTTP protocol, which I also did, and then I added HOST, but alas, neither
> >setting helped.
> >
> >For some reason, I just can't seem to get Integrated Windows Authentication
> >to work on this web server (Windows 2003 Web Edition).
> >
> >Basically, I am looking for a checklist of things I can check and
> >doublecheck to see if there is a configuration setting that I am missing to
> >get this to work.
>
> Have you looked at:
>
> http://www.iisfaq.com/Default.aspx?tabid=2531
>
> http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/sec_auth_aboutauth.mspx
>
> Jeff
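The root cause Dave describes above is a configuration-file defect rather than a Kerberos one: the NTAuthenticationProviders attribute ended up holding a quoted string inside an already quoted value. The following checker is an added example written for this thread, not code from the post, from Microsoft or from adsutil.vbs. It scans MetaBase.xml text for that attribute, flags embedded quotes and unknown provider names, and returns the parsed provider list when the value is sane. The two MetaBase excerpts are constructed to mirror the broken and fixed values quoted in the post; it works on the raw text on purpose, because a doubled-quote attribute is not well-formed XML and an XML parser would reject the file instead of pointing at the line.

```python
import re

# Constructed MetaBase.xml excerpts modelled on the values quoted in the
# post. They are not copied from a real server; only the attribute name
# NTAuthenticationProviders and the provider names are real IIS 6 items.
BROKEN_METABASE = """<IIsWebServer Location="/LM/W3SVC/1"
    NTAuthenticationProviders=""Negotiate, NTLM""
    ServerComment="Default Web Site">
</IIsWebServer>
"""

FIXED_METABASE = """<IIsWebServer Location="/LM/W3SVC/1"
    NTAuthenticationProviders="Negotiate, NTLM"
    ServerComment="Default Web Site">
</IIsWebServer>
"""

# Provider names IIS 6 accepts in this property (compared case-insensitively).
ALLOWED_PROVIDERS = {"negotiate", "ntlm"}

# Capture the raw text after '=' up to end of line. We deliberately do not
# use an XML parser: the doubled-quote form is not well-formed XML.
ATTR_RE = re.compile(r'NTAuthenticationProviders=([^\r\n]*)')


def parse_providers(raw):
    """Validate one raw attribute value.

    Returns (providers, error): providers is a list of canonical names on
    success and error is None; on failure providers is empty and error
    explains why the value is malformed.
    """
    raw = raw.strip()
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        return [], "value is not a single double-quoted string"
    inner = raw[1:-1]
    if '"' in inner:
        # Exactly the failure in the post: a quoted string was written into
        # an attribute that already carried its own quotes.
        return [], ("embedded double quotes inside the value (a quoted "
                    "string was inserted into an already quoted attribute)")
    tokens = [t.strip() for t in inner.split(",")]
    if any(not t for t in tokens):
        return [], "empty provider name in list"
    unknown = [t for t in tokens if t.lower() not in ALLOWED_PROVIDERS]
    if unknown:
        return [], "unknown provider(s): " + ", ".join(unknown)
    canonical = ["Negotiate" if t.lower() == "negotiate" else "NTLM"
                 for t in tokens]
    if len(set(canonical)) != len(canonical):
        return [], "duplicate provider names"
    return canonical, None


def check_metabase(text):
    """Scan MetaBase.xml text; return one finding dict per occurrence of
    the NTAuthenticationProviders attribute, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ATTR_RE.search(line)
        if not m:
            continue
        providers, error = parse_providers(m.group(1))
        findings.append({
            "line": lineno,
            "raw": m.group(1).strip(),
            "ok": error is None,
            "providers": providers,
            "error": error,
        })
    return findings


if __name__ == "__main__":
    # To run against a real file: check_metabase(open(path).read())
    for label, text in (("broken", BROKEN_METABASE), ("fixed", FIXED_METABASE)):
        for f in check_metabase(text):
            status = "OK  " if f["ok"] else "FAIL"
            detail = ", ".join(f["providers"]) if f["ok"] else f["error"]
            print(f"{status} {label} line {f['line']}: {f['raw']}  -> {detail}")
```

Because the check runs on raw text, it can be pointed at a saved copy of MetaBase.xml without stopping IIS, and it reports the exact line to edit; a value of `"NTLM"` alone passes as well, matching the second configuration Dave reports working.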