
Windows Credentialing Security Problem

I'm having a credentialing problem in my web application. Actually, I don't
think this is an IIS security issue, since I'm able to access the page I'm
requesting. However, the executing page itself is not able to access a
specific network resource and I just can't figure out why. First of all, let
me say this worked fine with IIS running on Win2000 Server. This has not
worked since I upgraded to Windows Server 2003.

My Platform: Windows Server 2003 / IIS6 / .Net Framework v1.1.4322

My web site has a virtual directory named FPSNowAuth. This virtual directory
disallows anonymous access and is set to use Windows Integrated security.
Thus every page access from this virtual directory must either be
authenticated or fail.

Here are the relevant blocks from the Web.config file:

<authentication mode="Windows" />
<identity impersonate="true" userName="" password=""/>

Thus, code executing in the context of a page request should be executing in
the security context of the authenticated user. Here's a snippet from the
log file:

2004-04-22 04:28:34 192.168.1.3 GET /FPSNowAuth/browser.aspx dir=ftp/Dimension 81 INTDOM\Boss 192.168.1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.0.3705) 200

As you can see, I accessed the page '/FPSNowAuth/browser.aspx' with the
querystring 'dir=ftp/Dimension' appended to the URL. I authenticated as
INTDOM\Boss, the Domain Administrator. HTTP Status was 200. The page request
succeeded. However...

browser.aspx is a .NET page which returns a directory listing of the
directory identified by the dir querystring parameter, in this case
ftp/Dimension. (For a practical example of this, you may check out
www.fpsnow.com/browser.aspx?dir=ftp/download. This is the public area of my
site.) FPSNowAuth/ftp/Dimension is mapped to a network fileshare
\\Dimension\User. Here we get to the heart of the problem.

When I'm on the server, browsing the virtual directory in the IIS console, I
can see all the folders and files subordinate to \\Dimension\User. When I
hit this page from a browser on the server, I get a nicely formatted listing
of these folders and files, generated by browser.aspx. However, when I hit
this page from a browser on any other workstation, I get the following
runtime error during the course of the page execution:

Access to path \\Dimension\User is denied.

This despite the fact that I have authenticated as INTDOM\Boss, as shown in
the log file snippet. So running under the identity of INTDOM\Boss, why the
heck am I denied access to a network resource?

For the .NET developers among us, here's the line of code which throws the
exception:

DirectoryInfo[] Dirs = DirInfo.GetDirectories();

The directory indicated by DirInfo is \\Dimension\User\. Prior to executing
this line, I've already checked to ensure that Request.IsAuthenticated ==
true. I've stepped through this in debug mode and confirmed that it is
indeed true (as the log file entry indicates).

So, I'm baffled. The page is executing under the identity of the domain
admin, yet I get an access denied when attempting to access a network
resource. Any ideas?

Thanks for any assistance which you can offer.

- Joe Geretz -
Nov 18 '05 #1
I suspect (very strongly) that this is a double-hop authentication problem.
You can confirm this by disabling IWA, and enabling Basic Auth. If all your
problems go away, then it is the double-hop auth problem.

With Basic Auth, the webserver has your username and password, so it can
directly impersonate you when authenticating to the remote resource.

With Digest or IWA auth, IIS only has a token that doesn't have access to
remote resources. To get around this you can configure Delegation.

a) Both the user account(s) and the server's computer account must be
trusted for delegation in the directory. See
http://support.microsoft.com/default.aspx?kbid=325894
HOW TO: Configure Computer Accounts and User Accounts So That They Are
Trusted for Delegation in Windows Server 2003 Enterprise Edition (also
includes Windows 2000 instructions)

b) The SPN (Service Principal Name) needs to be registered, if it isn't
already (e.g. you are using a FQDN rather than the NetBIOS name of the
service). Use the SetSPN.exe tool to do this. For more information on
SetSPN.exe see: http://support.microsoft.com/?id=294382
Authentication May Fail with "401.3" Error If Web Site's "Host Header"
Differs from Server's NetBIOS

c) The client browser and IIS server must authenticate using Kerberos, not
NTLM v2 (not required in a Windows 2003 Domain - see below). This means that:
- Use Integrated Windows Authentication (requires restart) is checked in
I.E.
- IIS is sending "Negotiate" WWW-Authenticate headers
- The client browser can contact the KDC (the Windows Domain Controllers) to
get an appropriate Kerberos ticket

If you are using a Windows 2003 Domain, you can take advantage of Protocol
Transition. This allows the user to authenticate using any protocol to IIS,
and IIS can still get a Kerberos ticket to access the remote SQL Server.
There is information on setting up constrained delegation (using all
protocols) here:

http://www.microsoft.com/resources/d...Serv/2003/standard/proddocs/en-us/se_con_del_computer.asp
Configuring Users and Computers for delegation (there's a couple of pages -
use the links in the nav bar to get to them). Follow the instructions on
constrained delegation.

There is more information on Protocol Transition here:
Windows 2003 Protocol Transition
http://www.microsoft.com/technet/pro.../constdel.mspx

This article may also help:
http://support.microsoft.com/default...b;en-us;810572
HOW TO: Configure an ASP.NET Application for a Delegation Scenario

Hope this all helps!

Cheers
Ken

"Joseph Geretz" <jg*****@nospam.com> wrote in message
news:ut********* *****@TK2MSFTNGP09.phx.gbl...
Nov 18 '05 #2
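The three prerequisites Ken lists (accounts trusted for delegation, an SPN for the name the browser uses, and IIS offering Negotiate) can be checked from an admin workstation with the script below. This is an added example, not code from the thread or from Microsoft; it assumes Windows PowerShell 5.1 with the RSAT ActiveDirectory module, and WEBSRV, webapp.intdom.example and the test URL are placeholders (only the account name Boss comes from the original post).

```powershell
# Added diagnostic, not from the thread. Assumes Windows PowerShell 5.1 with the
# RSAT ActiveDirectory module, run as a domain user who can read AD objects.
# WEBSRV, webapp.intdom.example and the URL are placeholders; 'Boss' is the
# sAMAccountName of INTDOM\Boss from the original post.
param(
    [string]$WebServer = 'WEBSRV',                  # computer account of the IIS box
    [string]$SiteHost  = 'webapp.intdom.example',   # host name the browser connects to
    [string]$User      = 'Boss',
    [string]$TestUrl   = 'http://webapp.intdom.example/FPSNowAuth/browser.aspx'
)
Import-Module ActiveDirectory

# (a) Trusted for delegation: the web server's computer account needs either
#     unconstrained delegation (TrustedForDelegation) or, in a 2003 domain,
#     constrained delegation with the file server's cifs/<name> SPN listed in
#     msDS-AllowedToDelegateTo. The user must not be marked "sensitive and
#     cannot be delegated" (AccountNotDelegated), or the hop is refused anyway.
$computer = Get-ADComputer $WebServer -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo', servicePrincipalName
$account  = Get-ADUser $User -Properties AccountNotDelegated
"Computer trusted for delegation : $($computer.TrustedForDelegation)"
"Constrained delegation targets  : $($computer.'msDS-AllowedToDelegateTo' -join ', ')"
"User blocked from delegation    : $($account.AccountNotDelegated)"
if (-not $computer.TrustedForDelegation -and -not $computer.'msDS-AllowedToDelegateTo') {
    "  fix: enable delegation on $WebServer (AD Users and Computers, Delegation tab)"
}
if ($account.AccountNotDelegated) {
    "  fix: clear 'Account is sensitive and cannot be delegated' on $User"
}

# (b) SPN for the name clients actually use. A host header or FQDN that differs
#     from the NetBIOS name needs its own HTTP/<name> SPN; without it the client
#     cannot get a Kerberos ticket and silently falls back to NTLM (no delegation).
$wanted = "HTTP/$SiteHost"
$hasSpn = @($computer.servicePrincipalName) -contains $wanted
"SPN $wanted registered : $hasSpn"
if (-not $hasSpn) { "  fix: setspn -S $wanted $WebServer" }

# (c) IIS must offer Negotiate, not only NTLM. An unauthenticated request to the
#     protected directory should come back 401 with WWW-Authenticate: Negotiate.
try {
    Invoke-WebRequest -Uri $TestUrl -UseBasicParsing -ErrorAction Stop | Out-Null
    "Unexpected: $TestUrl answered without an authentication challenge"
} catch [System.Net.WebException] {
    $resp = $_.Exception.Response
    if ($null -eq $resp) { throw }          # network error, not an HTTP challenge
    $challenges = @($resp.Headers.GetValues('WWW-Authenticate'))
    "HTTP status                     : $([int]$resp.StatusCode)"
    "WWW-Authenticate offered        : $($challenges -join ' | ')"
    if ($challenges -notcontains 'Negotiate') {
        "  fix (IIS 6): cscript adsutil.vbs set w3svc/NTAuthenticationProviders 'Negotiate,NTLM'"
    }
}
```

If all three checks pass and the share is still denied, confirm on the web server that the impersonated token is Kerberos (WindowsIdentity.AuthenticationType) rather than NTLM before looking elsewhere.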
Thanks Ken,
: I suspect (very strongly) that this is a double-hop authentication problem.
: You can confirm this by disabling IWA, and enabling Basic Auth. If all your
: problems go away, then it is the double-hop auth problem.
Your suggestion is right on target. So this is a delegation issue. Thanks
for clearing that up. You've given me quite a list of suggestions and
references which I'll start to work through. If I have specific questions on
any of these points I'll post back.

Thanks,

Joe Geretz

"Ken Schaefer" <ke*******@THISadOpenStatic.com> wrote in message
news:uc********* *****@TK2MSFTNGP10.phx.gbl...

Nov 18 '05 #3