
Credentials not passed on when using ASP.NET

Hi there,

I am having trouble getting an ASP.NET web application to connect to another
computer and passing the proper credentials and I hope someone can help me.

I have a stand-alone Windows 2003 Server, ServerA, running as a Web Server
that uses ASP.NET. The default.aspx file tries to access a file in a share
on another computer, ServerB. ServerA and ServerB are on the same domain and
are both running Windows 2003 Server.

The Domain Controller is running Windows 2000 Server. I want to use
Integrated Windows Authentication to access the file. When I connect to the
Web site and then check the event viewer on ServerB, I can see that ServerA
is using the Anonymous Logon to connect to ServerB instead of passing
through my windows credentials. On ServerA, I have done the following:

In IIS, set the authentication to Integrated Windows Authentication and
deselected Allow Anonymous logon

Did the following according to
http://support.microsoft.com/default...b;en-us;871179

In my application pool, I set the Identity to a domain user,
MyDomain\SvcAcct

Added the user, MyDomain\SvcAcct to the IIS_WPG group

As the domain administrator, I ran Setspn on ServerA. When this didn't
work, I repeated it on the Primary Domain Controller of the domain and that
didn't work either. How I ran the command is listed below:

Setspn -A HTTP/<netbios name> MyDomain\SvcAcct

Then I followed the instructions at
http://technet2.microsoft.com/Window....mspx?mfr=true
and on the Primary Domain Controller of the domain I also went into Active
Directory Services Users and Groups and selected the "Trust this computer
for delegation" option for ServerA and I also followed the instructions at
http://technet2.microsoft.com/Window....mspx?mfr=true
and I selected the "Account is trusted for delegation" option for the
MyDomain\SvcAcct user.

Following http://support.microsoft.com/kb/215383/, on ServerA, I ran the
following:

Cscript adsutil.vbs set w3svc/1/NTAuthenticationProviders "Negotiate,NTLM"

I signed in to my client computer as MyDomain\UserA

In IE 6.0, on the client computer, as instructed in
http://support.microsoft.com/kb/810572/, I selected the "Enable Integrated
Windows Authentication (requires restart)" option on the Advanced tab and
then cleared my cache, closed my IE 6.0 session and started another.

In my web.config file for the website, I added the following line after the
</authorization> closing tag:

<identity impersonate="true" />

When I connect to the Website on ServerA from the client computer, I am not
prompted for credentials and that is what I would expect. When I turn on
auditing, I can also see that UserA is accessing the default.aspx file for
the Website and that is also what I would expect. However, the event viewer
on ServerB shows that the Anonymous Logon is what is being used to connect
to it.

When I run the Auth Diagnostics 1.0 tool from Microsoft that is referred to
in http://support.microsoft.com/default...b;en-us;871179 on my
Website on ServerA, I see the message, "Service Principal name (SPN) for
user 'MyDomain\SvcAcct' not found in Active Directory"

Anything I see on the Internet says to run Setspn for this problem but we
have done this. Am I doing something wrong when I do this? Is there another
reason why the credentials are not being passed on?

When I try this with a straight html file, I am able to access the file.

What am I doing wrong when setting up my spn?

Thanks,

Jennifer
Jul 12 '06 #1
With your environment (Win2K AD), you'll need a pure Kerberos authentication
path to get delegation to work as S4U will not be an option. As such, the
keys to getting this to work are:

- Ensure that the browser client is authenticating with IIS using Kerberos,
not NTLM
- Ensure that the web server can access the file share using Kerberos auth,
not NTLM

If those two things happen and your IIS app pool identity is trusted for
delegation (and impersonation is enabled in ASP.NET), then this will work.

I'd start by concentrating on getting Kerberos auth between the browser and
IIS. You can tell if this is working by enabling logon event auditing in
local security policy and checking the security event log to see how the
user was authenticated.

If you are getting NTLM instead of Kerberos, you need to make sure that the
SPN on the app pool identity account is correct and *has not been duplicated
in AD anywhere* and you need to make sure that IIS is configured for
Negotiate authentication and not just NTLM. There is a metabase property
that controls this. You can see what types are requested from the server by
the values in the WWW-authenticate header that the server sends back with
its 401.1 response.

This probably goes without saying, but the server name in the URL used to
access the site must match the SPN.

The same process applies for the file share. Make sure the computer account
on the second machine has a valid CIFS SPN (although HOST should work as
well) that matches the name used to access the file share. Check the event
logs to see what type of authentication is being negotiated.

Troubleshooting Kerberos delegation can be painful, but my experience is
that it really does work the way the documentation says it does.
Unfortunately, the documentation is fairly complex and there are quite a few
variables.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
Jul 12 '06 #2
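An added example, not part of Joe's reply or of the original thread: the WWW-Authenticate values in the 401 only tell you what the server offers. To know what the browser actually used you have to decode the client's Authorization header, because "Negotiate" can carry either Kerberos or NTLM. The script below does that decoding (raw NTLMSSP blob, bare Kerberos GSS token, or SPNEGO NegTokenInit whose first mechType and mechToken identify the mechanism). The sample headers are constructed inside the script; the Kerberos one has real GSS/SPNEGO framing but a placeholder where the AP-REQ would be, so it is not a capture.

```python
"""Tell from the client's Authorization header whether "Negotiate" is really
Kerberos or NTLM. A raw NTLMSSP blob means plain NTLM; a SPNEGO token's first
mechType (RFC 4178) is the mechanism used for the enclosed mechToken."""
import base64

SPNEGO = "1.3.6.1.5.5.2"
KERBEROS = "1.2.840.113554.1.2.2"
MS_KERBEROS = "1.2.840.48018.1.2.2"      # legacy Microsoft Kerberos OID
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_OIDS = {KERBEROS, MS_KERBEROS}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# Minimal DER helpers, enough for the GSS-API / SPNEGO framing.
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return _der(0x06, bytes(out))

def _read(buf, pos):
    """Return (tag, value, end) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def classify_authorization(header_value):
    """Return 'Kerberos', 'NTLM' or 'unknown' for an Authorization header value."""
    _scheme, _, b64 = header_value.strip().partition(" ")
    token = base64.b64decode(b64)
    if token.startswith(NTLMSSP_SIGNATURE):
        return "NTLM"                        # raw NTLMSSP: the plain NTLM scheme
    if not token or token[0] != 0x60:
        return "unknown"
    _, inner, _ = _read(token, 0)            # GSS-API InitialContextToken
    tag, oid, pos = _read(inner, 0)
    mech = _decode_oid(oid) if tag == 0x06 else None
    if mech in KERBEROS_OIDS:
        return "Kerberos"                    # bare Kerberos token, no SPNEGO wrapper
    if mech != SPNEGO:
        return "unknown"
    _, neg_init, _ = _read(inner, pos)       # [0] NegTokenInit
    _, fields, _ = _read(neg_init, 0)        # SEQUENCE { mechTypes [0], ..., mechToken [2] }
    mech_types, mech_token, p = [], b"", 0
    while p < len(fields):
        ftag, fval, p = _read(fields, p)
        if ftag == 0xA0:                     # mechTypes: SEQUENCE OF OID
            _, lst, _ = _read(fval, 0)
            q = 0
            while q < len(lst):
                _, o, q = _read(lst, q)
                mech_types.append(_decode_oid(o))
        elif ftag == 0xA2:                   # mechToken: OCTET STRING
            _, mech_token, _ = _read(fval, 0)
    if mech_token.startswith(NTLMSSP_SIGNATURE):
        return "NTLM"                        # NTLM negotiated inside "Negotiate"
    if mech_types and mech_types[0] in KERBEROS_OIDS:
        return "Kerberos"
    return "NTLM" if mech_types[:1] == [NTLMSSP_OID] else "unknown"

def build_negotiate_header(mech_types, mech_token):
    """Construct an 'Authorization: Negotiate ...' value (sample data, not a capture)."""
    fields = _der(0xA0, _der(0x30, b"".join(_oid(m) for m in mech_types)))
    fields += _der(0xA2, _der(0x04, mech_token))
    token = _der(0x60, _oid(SPNEGO) + _der(0xA0, _der(0x30, fields)))
    return "Negotiate " + base64.b64encode(token).decode()

# Constructed samples (not captured traffic). The Kerberos mechToken keeps the
# real GSS framing (OID, TOK_ID 01 00) with a placeholder where the AP-REQ goes.
KERB_HEADER = build_negotiate_header(
    [MS_KERBEROS, KERBEROS, NTLMSSP_OID],
    _der(0x60, _oid(MS_KERBEROS) + b"\x01\x00" + b"placeholder-ap-req"))
NTLM_IN_SPNEGO_HEADER = build_negotiate_header(
    [NTLMSSP_OID], NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + bytes(28))
RAW_NTLM_HEADER = "NTLM " + base64.b64encode(
    NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + bytes(28)).decode()
```

Feed it the Authorization value from a proxy or packet capture of the browser's second request (the one that follows the 401). If it reports NTLM while the server offered Negotiate, the Kerberos ticket request failed on the client side, which in this thread's case points at the SPN not matching the host name in the URL.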
Thanks for the information. My server name didn't match my SPN. When I fixed
that, it worked fine.

Do you know why I am still getting an error message from the Auth
Diagnostics tool on the 1st server (my WebServer)? The message is:
"Service Principal name (SPN) for user 'MyDomain\SvcAcct' not found in
Active Directory"
This message gives me the impression that I haven't set up the SPN properly
on the Web Server but it seems to work now and I don't know what I have done
incorrectly. Any suggestions?

Thanks,

Jennifer

Jul 12 '06 #3
I'd use an LDAP query tool to check the SPN (ldp.exe, adfind, etc.). Either
query the forest by servicePrincipalName=HTTP/xxxx or query the forest by
the user (sAMAccountName=xxxx) and look at the servicePrincipalName
attribute. I have no idea what the auth diagnostics tool is doing, so I
don't know if that info is misleading or not.

If the security event log on the IIS box says you are getting Kerberos auth,
you are getting Kerberos auth.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
Jul 12 '06 #4
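An added example, not part of Joe's reply or of the original thread: once you have the LDAP results he describes (every account's servicePrincipalName, queried by SPN or by sAMAccountName), the check is mechanical, and the script below performs it. It derives the SPN the browser will request from the host as typed in the URL (or a UNC path for the file share), looks for it across the results, applies the HOST/ fallback the KDC uses, and reports missing, duplicated or wrongly-placed SPNs along with the setspn commands that would fix them. The directory contents, account names and host names are constructed placeholders, not data from the poster's domain.

```python
"""Check the SPN a client will ask for against what AD holds.

The client requests a ticket for <service>/<host exactly as typed>. The KDC looks
that SPN up across the forest and otherwise falls back to HOST/<host>, which every
computer account registers for itself. Three outcomes end in an NTLM fallback:
the SPN is missing, it sits on an account other than the one the service runs as,
or it is registered on more than one account (the KDC cannot choose a key)."""
from urllib.parse import urlsplit

# Constructed stand-in for LDAP results (ldp.exe / adfind) over sAMAccountName,
# objectClass and servicePrincipalName. Placeholder names, not a real domain.
DIRECTORY = [
    {"sAMAccountName": "SERVERA$", "objectClass": "computer",
     "servicePrincipalName": ["HOST/SERVERA", "HOST/servera.mydomain.local"]},
    {"sAMAccountName": "SERVERB$", "objectClass": "computer",
     "servicePrincipalName": ["HOST/SERVERB", "HOST/serverb.mydomain.local"]},
    {"sAMAccountName": "SvcAcct", "objectClass": "user",
     "servicePrincipalName": ["HTTP/servera.mydomain.local"]},
    {"sAMAccountName": "OldSvcAcct", "objectClass": "user",
     "servicePrincipalName": ["HTTP/servera.mydomain.local"]},   # stale duplicate
]

def spn_index(entries):
    """Map lower-cased SPN -> accounts holding it; AD compares SPNs case-insensitively."""
    index = {}
    for entry in entries:
        for spn in entry["servicePrincipalName"]:
            index.setdefault(spn.lower(), []).append(entry["sAMAccountName"])
    return index

def expected_spn(target, service="HTTP"):
    """SPN the client derives from a URL or a UNC path: service class plus host as typed."""
    if target.startswith("\\\\"):
        host = target[2:].split("\\", 1)[0]
    else:
        host = urlsplit(target).hostname
    return f"{service}/{host}"

def check_spn(target, identity, entries, service="HTTP"):
    """Return (status, spn, owners). identity is the account the service runs as:
    the app pool user, or the computer account (NAME$) for NetworkService/LocalSystem."""
    index = spn_index(entries)
    spn = expected_spn(target, service)
    host = spn.split("/", 1)[1]
    owners = index.get(spn.lower(), [])
    if len(owners) > 1:
        return "DUPLICATE", spn, owners
    if owners:
        ok = owners[0].lower() == identity.lower()
        return ("OK" if ok else "WRONG_ACCOUNT"), spn, owners
    host_owners = index.get(f"host/{host}".lower(), [])
    if host_owners:
        # HOST/ stands in for HTTP/ or CIFS/, but the ticket is then encrypted to
        # the computer account's key, which only helps if the service runs as it.
        if host_owners[0].lower() == identity.lower():
            return "OK_VIA_HOST", f"HOST/{host}", host_owners
        return "MISSING_HOST_ONLY", spn, host_owners
    return "MISSING", spn, []

def remediation(target, identity, entries, service="HTTP"):
    """setspn commands that would make the SPN land on identity alone.
    Review before running: -D removes the SPN from an account that may still use it."""
    status, spn, owners = check_spn(target, identity, entries, service)
    commands = []
    if status in ("DUPLICATE", "WRONG_ACCOUNT"):
        commands += [f"setspn -D {spn} {o}" for o in owners if o.lower() != identity.lower()]
    needs_add = status in ("MISSING", "MISSING_HOST_ONLY", "WRONG_ACCOUNT", "DUPLICATE")
    if needs_add and identity.lower() not in (o.lower() for o in owners):
        commands.append(f"setspn -A {spn} {identity}")
    return commands

if __name__ == "__main__":
    for target in ("http://servera/default.aspx", "http://servera.mydomain.local/"):
        print(target, check_spn(target, "SvcAcct", DIRECTORY),
              remediation(target, "SvcAcct", DIRECTORY))
    print(r"\\serverb\share", check_spn(r"\\serverb\share", "SERVERB$", DIRECTORY, "cifs"))
```

With the constructed directory, the short name "http://servera/" reports MISSING_HOST_ONLY for SvcAcct (only the computer's HOST/ SPN exists, which the app pool account cannot use), the FQDN reports DUPLICATE because of the stale OldSvcAcct entry, and the share on ServerB is fine via HOST/ because the file server runs as its own computer account, which is Joe's "HOST should work as well" point.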
