By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
457,714 Members | 1,340 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 457,714 IT Pros & Developers. It's quick & easy.

IIS Remote Content and Kerberos Delegation

P: n/a
Hello All,
I am trying to serve out some content via IIS that is hosted on a
remote fileserver, and am unable to get the delegation working
correctly. Our setup is as follows:

Local LAN
Windows 2000 domain (mixed-mode): MYDOMAIN (mydomain.net)
Windows 2003 Server w/IIS6: WEB01
Windows 2000 Server hosting files: FILE01
Windows XP Pro client workstation: CLIENT01

All computers are members of the domain. WEB01 is 'Trusted for
Delegation'.

Two domain users have been created:

MYDOMAIN\joeuser
MYDOMAIN\webdirmap

Both are member of the Domain Users group only.

Single web setup on WEB01, Active Directory DNS host record
'test.dev.mydomain.net' pointing to this web. The website has no
local content, and a single virtual directory called 'webtest' which
is pointing to a share on FILE01 called '\\FILE01\webtest'. The web
is set to use Windows Integrated Auth only, no Basic or Anonymous
allowed.

Both domain users have Read & Exec NTFS permissions to
\\FILE01\webtest. The SMB permissions on this share are set to
Everyone - Full Control. This share contains a single image file
called 'shite.gif'.

For my testing I'm sitting at CLIENT01 and attempting to browse to
http://test.dev.mydomain.net/webtest/shite.gif using IE 6.0SP1.
1) First I set the '\webtest' virtual dir to use a fixed set of
credentials, connecting as 'MYDOMAIN\webdirmap'. I then browsed to the
above URL, authenticating as 'MYDOMAIN\joeuser'. I was able to view
the image with no problems, and the event log on WEB01 showed me
authenticating using Kerberos as 'MYDOMAIN\joeuser'. The eventlog on
FILE01 showed a successful Logon event (using Kerberos for both logon
and auth packages) for 'MYDOMAIN\webdirmap', followed by a successful
object access for 'shite.gif'. All good...

2) Then I changed the '\webtest' virtual dir to use passthrough
authentication, connecting as the authenticated user accessing the
website. I browsed to the URL again (after closing the browser to
clear the cache first). I immediately got a userid/password challenge
dialog, into which I entered the credentials for 'MYDOMAIN\joeuser'.
They weren't accepted and I was challenged 3 times in total before IIS
finally came back with an 'HTTP 401.3 - Unauthorized: Access is denied
due to an ACL set on the requested resource' error. The event logs on
WEB01 looked OK, with a Kerberos logon as 'MYDOMAIN\joeuser'. The
FILE01 event log however showed two event, repeated 3 times in quick
succession (once per failed challenge I guess): a successful
Privilege Use (Special privileges assigned to new logon:
SeChangeNotifyPrivilege) for 'NT AUTHORITY\ANONYMOUS LOGON', followed
by a successful Logoff event for the same user (logon type 3). No
successful logons at all, nor any audit failures of any kind.

I'm logging both success and failures for Object Access, Logon/Logoff,
Account Logon and Privelege Use.

Can anyone explain this to me? Why is the connection from WEB01 to
FILE01 coming through as 'NT AUTHORITY\ANONYMOUS LOGON'? It should be
coming through as 'MYDOMAIN\joeuser' if Kerberos delegation was
working shouldn't it?

To double-check I switched the web to use Basic auth rather than
Windows Integrated. It worked fine with both fixed 'connect as'
credentials (MYDOMAIN\webdirmap) and with passthrough, so I'm thinking
it's Kerberos at fault...

I've read all of the pertinet TechNet articles I could find, including
the very informative
http://www.microsoft.com/technet/pro.../remstorg.mspx
but stil have no joy making this work. Suggestions anyone?

Thanks!

Jacob Luebbers
Jul 19 '05 #1
Share this Question
Share on Google+
3 Replies


P: n/a
I think your issue has to do with lack of tokens based on your authenticion.
(I'm not expert at this stuff though.)

Read these two interesting articles and make sure that you're using an
authentication method that will send kerberos tokens.

http://support.microsoft.com/?kbid=287537
http://support.microsoft.com/?kbid=264921

Ray at work

"Jacob" <ja****@globalknowledgeconsultants.com> wrote in message
news:23**************************@posting.google.c om...
Hello All,
I am trying to serve out some content via IIS that is hosted on a
remote fileserver, and am unable to get the delegation working
correctly. Our setup is as follows:

2) Then I changed the '\webtest' virtual dir to use passthrough
authentication, connecting as the authenticated user accessing the
website. I browsed to the URL again (after closing the browser to
clear the cache first). I immediately got a userid/password challenge
dialog, into which I entered the credentials for 'MYDOMAIN\joeuser'.
They weren't accepted and I was challenged 3 times in total before IIS
finally came back with an 'HTTP 401.3 - Unauthorized: Access is denied
due to an ACL set on the requested resource' error.

Jul 19 '05 #2

P: n/a
Thanks Ray,
I've already had a look at those two articles, and whilst they're
useful I still haven't found anything that explains this.

The IIS web is only set to accept Windows Integrated Auth - Basic and
Anonymous are not ticked. This leaves the only question being: which
of the two Integrated Auth 'sub-types' is being used (Kerberos or
NTLM)? I'm almost certain it's Kerberos because the event log shows
this:

---------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 20/05/2004
Time: 4:37:48 PM
User: MYDOMAIN\joeuser
Computer: WEB01
Description:
Successful Network Logon:
User Name: joeuser
Domain: MYDOMAIN
Logon ID: (0x0,0x438597E)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {21188530-3308-bb42-8b30-82c6c8fbb470}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.0.0.76
Source Port: 3654
---------------------------------------------------------

If so, Kerberos is able to be delegated (at least SHOULD be able to -
not for me though :-P ), as can Basic. I've already tested and proven
that Basic works, but unfortunately for me Basic is not suitable - I
need to be able to use Integrated Auth.

Now, to confuse things even more...

Further testing reveals that if I first make a connection to some
local content on the IIS web (eg a dummy.asp page which simply
displays 'Hello World'), then DURING THE SAME SESSION, browse to the
remote-served content eg
http://test.dev.mydomain.net/webtest/shite.gif, it works fine!

It seems that if my first browse request during the session is for
remote content I don't yet have a Kerberos ticket, and therefore the
second 'hop' from IIS server --> file server can't be made with
delegated credentials, and so the ANONYMOUS account is used. However
if I first request some locally-served content IIS grants me a
Kerberos ticket which I then am able to subsequently use for the
remote content during the same session.

At least, this is the observed behaviour. Does this make any sense?
Is this the way it's supposed to work?

Regards,

Jacob


"Ray at <%=sLocation%> [MVP]" <myfirstname at lane34 dot com> wrote in message news:<O1**************@TK2MSFTNGP12.phx.gbl>...
I think your issue has to do with lack of tokens based on your authenticion.
(I'm not expert at this stuff though.)

Read these two interesting articles and make sure that you're using an
authentication method that will send kerberos tokens.

http://support.microsoft.com/?kbid=287537
http://support.microsoft.com/?kbid=264921

Ray at work

"Jacob" <ja****@globalknowledgeconsultants.com> wrote in message
news:23**************************@posting.google.c om...
Hello All,
I am trying to serve out some content via IIS that is hosted on a
remote fileserver, and am unable to get the delegation working
correctly. Our setup is as follows:

2) Then I changed the '\webtest' virtual dir to use passthrough
authentication, connecting as the authenticated user accessing the
website. I browsed to the URL again (after closing the browser to
clear the cache first). I immediately got a userid/password challenge
dialog, into which I entered the credentials for 'MYDOMAIN\joeuser'.
They weren't accepted and I was challenged 3 times in total before IIS
finally came back with an 'HTTP 401.3 - Unauthorized: Access is denied
due to an ACL set on the requested resource' error.

Jul 19 '05 #3

P: n/a

"Jacob" <ja****@globalknowledgeconsultants.com> wrote in message
news:23**************************@posting.google.c om...

If so, Kerberos is able to be delegated (at least SHOULD be able to -
not for me though :-P ), as can Basic. I've already tested and proven
that Basic works, but unfortunately for me Basic is not suitable - I
need to be able to use Integrated Auth.


FWIW, I haven't been able to acheive what you're trying to do either. I
have a VERY basic understanding of different authentication methods in
Windows and how they tie into IIS, so I don't really have much else to
offer. :[

Ray at work
Jul 19 '05 #4

This discussion thread is closed

Replies have been disabled for this discussion.