Re: Integrated Authentication, Application Pools, and SQL Server
From: me (me_at_discussions.microsoft.com)
Date: 10/26/04
- Next message: KT: "Unable to resolve localhost"
- Previous message: Tom Kaminski [MVP]: "Re: going to folder above or parallel to wwwroot ?"
- In reply to: Ken Schaefer: "Re: Integrated Authentication, Application Pools, and SQL Server"
- Next in thread: Ken Schaefer: "Re: Integrated Authentication, Application Pools, and SQL Server"
- Reply: Ken Schaefer: "Re: Integrated Authentication, Application Pools, and SQL Server"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 26 Oct 2004 12:43:03 -0700
Excellent. Thanks for the link to the AuthDiag tool.
I did check the application pool user's rights and group membership. I
explicitly granted the rights you mentioned and the account was already a
member of the IIS_WPG group. Integrated Authentication is enabled, digest and
basic are not.
I actually went and created a new web application project (on the same
server but in a different location obviously). FWIW, it works perfectly if I
access it locally (from the server) and won't grant me access at all if I
access it remotely.
When I access it locally I'm using a Domain Admin account. Remotely, a mere
user account...does this jibe w/what you said, "and/or any logon
restrictions that your account might have" ?? Is some user rights assignment
to blame for this?
"Ken Schaefer" wrote:
> Well, IIS is impersonating the user you are attempting to logon as, so I
> think you might want to check your username/password, and/or any logon
> restrictions that your account might have. That might be the cause of the
> error you are seeing in the security log, and also why you are seeing the
> 401.1
>
> Also, in IIS, you did check one of the authentication mechanisms?
> (Integrated or Basic or something? I didn't see any mention of that in your
> first post).
>
> Microsoft has a new tool out now called AuthDiag which is useful for
> troubleshooting issues like this. You can download it from;
> http://www.microsoft.com/downloads/details.aspx?FamilyID=e90fe777-4a21-4066-bd22-b931f7572e9a&DisplayLang=en
>
> Also, can you check, for the custom account you created for the web app pool
> that:
> a) you put it into the IIS_WPG group on the server
> b) you grant it:
> (i) Adjust memory quotas for a process
> (ii) Replace a process level token.
>
> Thanks
>
>
> "me" <me@discussions.microsoft.com> wrote in message
> news:AC034529-039D-4283-B201-CFD7BF0E242C@microsoft.com...
> > Thanks for continuing to help w/this.
> >
> > IIS returns 401.1 Unauthorized: Access is denied due to invalid
> > credentials.
> >
> > sc-status, sc-substatus, and sc-win32-status are 401, 1, and 0
> > respectively.
> > there is nothing related in the application event log. interestingly,
> > several
> > web apps are running within the application pool in question (with success
> > but while not requiring authentication)
> >
> > Corresponding security events in the log.
> > EventID 529
> >
> > Logon Failure:
> > Reason: Unknown user name or bad password
> > User Name:
> > Domain:
> > Logon Type: 3
> > Logon Process: Kerberos
> > Authentication Package: Kerberos
> > Workstation Name: -
> > Caller User Name: -
> > Caller Domain: -
> > Caller Logon ID: -
> > Caller Process ID: -
> > Transited Services: -
> > Source Network Address: xxx.xxx.xxx.xxx (my IP Address)
> > Source Port: xxxx
> >
> > Perhaps obviously, this event is erroneous
> >
> > "Ken Schaefer" wrote:
> >
> >>
> >> "me" <me@discussions.microsoft.com> wrote in message
> >> news:E294506C-3D10-49D9-9B60-3F55FEC371A1@microsoft.com...
> >> > Prior to changing application pools I (for example) am not prompted for
> >> > a
> >> > login. The site already knows my identity (I'm on the domain).
> >>
> >> Whether you are on a domain is irrelevant. The only thing that determines
> >> whether IE attempts to auto-login to the website is what IE security zone
> >> the website is in. Also, the server doesn't automatically know who you
> >> are -
> >> IE needs to send the credentials to the server.
> >>
> >> > After changing
> >> > application pools I am prompted for a login and it all ends with a
> >> > "HTTP
> >> > 401
> >> > Invalid Credentials"...
> >>
> >> The custom account for this separate application pool:
> >> a) did you put it into the IIS_WPG group on the server
> >> b) did you grant it:
> >> (i) Adjust memory quotas for a process
> >> (ii) Replace a process level token.
> >>
> >> Also, please check in the IIS web server log files, and determine the
> >> HTTP
> >> substatus code that you are receiving. There's a lot of different 401
> >> errors, and IIS6 now logs a substatus to help identify what condition is
> >> causing the 401 error.
> >>
> >> Lastly, please look in the Windows Event Logs, and see if there are any
> >> applicable events logged. Please post the event ID, source and
> >> description.
> >> Just in case it's some kind of logon failure by the account configured in
> >> the
> >> web app pool configuration page.
> >>
> >> > Others have similar experiences.
> >>
> >> Possibly - but they may, or may not, be in the same situation as you.
> >>
> >> Cheers
> >> Ken
> >>
> >>
> >> > "Ken Schaefer" wrote:
> >> >
> >> >> What do you mean by "no one can login"?
> >> >>
> >> >> Cheers
> >> >> Ken
> >> >>
> >> >>
> >> >> "me" <me@discussions.microsoft.com> wrote in message
> >> >> news:FE171435-A948-42FE-9E90-99B20A250E2E@microsoft.com...
> >> >> > Yes, IIS 6 (sorry)
> >> >> >
> >> >> > Impersonation is not enabled. I don't think I explained this very
> >> >> > well.
> >> >> > Everything works fine with ASP.Net authentication until we switch
> >> >> > from
> >> >> > the
> >> >> > default app pool...then, suddenly, nobody can login.
> >> >> >
> >> >> > ??
> >> >> >
> >> >> > "Ken Schaefer" wrote:
> >> >> >
> >> >> >> Assuming IIS6:
> >> >> >>
> >> >> >> Turn on Windows Authentication in your web.config (so ASP.NET
> >> >> >> forces
> >> >> >> valid
> >> >> >> Windows credentials). Choose an appropriate authentication
> >> >> >> mechanism
> >> >> >> in
> >> >> >> IIS
> >> >> >>
> >> >> >> Do not turn on impersonation in your web.config (so that ASP.NET
> >> >> >> does
> >> >> >> not
> >> >> >> impersonate the user that has been authenticated, but instead
> >> >> >> continues
> >> >> >> to
> >> >> >> use the App Pool identity)
> >> >> >>
> >> >> >> Does that help?
> >> >> >>
> >> >> >> Cheers
> >> >> >> Ken
> >> >> >>
> >> >> >> "me" <me@discussions.microsoft.com> wrote in message
> >> >> >> news:D7C59697-A3E1-4DFC-A270-82A58D5AB8FE@microsoft.com...
> >> >> >> > Our scenario seems to be rare. Could somebody please help?
> >> >> >> >
> >> >> >> > We want to:
> >> >> >> > 1) Access an SQL Server using an identity configured using an
> >> >> >> > Application
> >> >> >> > Pool (Cool, Easy, works fine)
> >> >> >> >
> >> >> >> > And
> >> >> >> > 2) Limit access to windows users only using ASP.Net
> >> >> >> > Authentication.
> >> >> >> > (Cool,
> >> >> >> > Easy, works fine)
> >> >> >> >
> >> >> >> > The trouble is, as soon as we configure both of these features
> >> >> >> > there's
> >> >> >> > no
> >> >> >> > way to login anymore. We don't want to use delegation to access
> >> >> >> > the
> >> >> >> > database,
> >> >> >> > we just want to access via the 1 ID configured. We don't want
> >> >> >> > anonymous
> >> >> >> > users
> >> >> >> > using the web page. Is there an article on configuring this?
> >> >> >> >
> >> >> >> > Is this even possible? It sure doesn't seem to be....
> >> >> >>
> >> >> >>
> >> >> >>
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
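Added example, not part of the original thread: the advice above to read the HTTP substatus from the IIS log can be scripted. This Python reads a W3C extended log and tallies 401 responses by client IP, sc-substatus and sc-win32-status, so a remote client failing with 401.1 stands out from a local one that succeeds. The sample log lines, addresses, account name and function names are constructed for illustration.

```python
from collections import Counter

# IIS 401 substatus meanings as documented by Microsoft.
SUBSTATUS_401 = {
    "1": "logon failed",
    "2": "logon failed due to server configuration",
    "3": "unauthorized due to ACL on resource",
    "4": "authorization failed by filter",
    "5": "authorization failed by ISAPI/CGI application",
}

# Constructed sample log (addresses and account are placeholders).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-substatus sc-win32-status
2004-10-26 19:40:01 192.0.2.10 - GET /app/default.aspx 401 2 2148074254
2004-10-26 19:40:01 192.0.2.10 - GET /app/default.aspx 401 1 0
2004-10-26 19:40:05 192.0.2.10 - GET /app/default.aspx 401 1 0
2004-10-26 19:41:12 127.0.0.1 EXAMPLE\\admin GET /app/default.aspx 200 0 0
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the current #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def summarize_401(text):
    """Count 401 responses per (client IP, substatus, win32 status)."""
    counts = Counter()
    for row in parse_w3c(text):
        if row.get("sc-status") == "401":
            counts[(row.get("c-ip", "?"), row.get("sc-substatus", "?"),
                    row.get("sc-win32-status", "?"))] += 1
    return counts


if __name__ == "__main__":
    for (ip, sub, win32), n in sorted(summarize_401(SAMPLE_LOG).items()):
        meaning = SUBSTATUS_401.get(sub, "see IIS documentation")
        print(f"{ip}  401.{sub} ({meaning})  win32={win32}  x{n}")
```
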