hello again.

Further to my last post "IIS 6 help! - Cant authentication to Virtual Dir on
another machine"

I am still struggling with this.

It seems that when I use "integrated authentication" that the credentials
parsed from my browser to the web server are not being used correctly by the
webserver to authenticate me on the target resource: The target resource -
as I mentioned - is located on another machine.

How do I know this?

a) - I can see in the log files that the correct credentials are being
parsed from my browser to the webserver.
b) - Despite the fact these credentials are being parsed, I'm still being
asked to present credentials by way of the browser 'Username and Password'
dialogue box.
c) - Even if I manually present valid credentials at this dialogue box, I'm
still not able to authenticate to the target resource. After 3 attempts at
entering info into the Dialogue, I get the same 401.3 Error - "Unauthorized:
Access is denied due to an ACL set on the requested resource"

Hence - this is a general problem with the way the web server is using my
credentials to authenticate with the target resource.

If I change the Authentication method from "Integrated" to "Basic", I am
always prompted for credentials, this is expected.
This time, if I enter valid credentials, then the Web Server gives me access
to the resource I need.

So the problem here seems to be in how the IIS6 Web Server parses my
credentials for authentication on the target resource, but ONLY when it's
handling it via INTEGRATED AUTHENTICATION

I thought that it might be something to do with NTLM versus Kerberos,
but this just adds to my confusion as in my test instance everything should
be working with Kerberos,

Here's the setup.

It's a W2K3 native mode domain,
with a W2K3 Web Server and IIS 6.
The client machine is WinXP Pro SP1a
The user and computer accounts are both members of this W2K3 Domain,

I'm trying to digest the info I've found in the article 332142,
I'll also try manually setting the authentication method by adapting the
IIS5 procedure given in 215383,


But I'm completely in the dark here. I could really use some MS help on
this.


Anyone out there?


thanks people - I really appreciate your time.

Re: IIS6 - Integrated Authentication Probs by Ken

Ken
Tue Oct 21 07:29:20 CDT 2003

The "problem" isn't really a problem - it's expected behaviour.

When you use IWA, your user password is never sent across the wire - that's
what makes it more secure than Basic authentication. However, the token that
the webserver gets from the Domain Controller doesn't have permission to
logon to other network resources.

When you use Basic authentication, your username *and* password are
transmitted, in the clear, to the webserver, who can then "act" on your
behalf (as if you were logged on at the webserver) and get access to network
resources

(I'm sure the actual way this works is a little more complex, but this
should suffice for the purposes of your dilemma).

OK, so what do you do about it?

With Windows 2000 you need to enable delegation (Windows 2003 allows for
constrained delegation which is much "safer" in that you can restrict the
services that are delegated). Now, you say you have a Windows 2003 native
mode domain? If so, then you need to follow the delegation procedure
outlined in Chapter 5 (IIRC) of the IIS 6 Resource Kit:

http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=80A1B6E6-829E-49B7-8C02-333D9C148E69

Cheers
Ken




Re: IIS6 - Integrated Authentication Probs by JayDee

JayDee
Tue Oct 21 09:10:05 CDT 2003

Thanks for your input Ken

let me review that link, but what you're saying makes sense, in line with
the rather obfuscating MS articles I have read on the subject.

You're a very knowledgeable gentleman, with a good knack for digesting and
summarising concepts. Thanks

I'm curious - is your knowledge gained principally through empirical means or
through study?
are you a believer in learning or does it work better for you by
remembering, a la MCSE?

Your understanding resonates differently to the usual run of MCSEs I
normally come across.

J





Re: IIS6 - Integrated Authentication Probs by phf12

phf12
Tue Oct 21 09:38:54 CDT 2003

Ken,

I am experiencing a similar problem with a Windows 2003
server (IIS 6.0) in a Windows 2000 domain. I am flying
through the resource kit but haven't found a fix yet. Any
ideas on resolving the Kerberos/Integrated Auth. issue
here?

Thanks!

Hunter


Re: IIS6 - Integrated Authentication Probs by Ken

Ken
Tue Oct 21 20:43:58 CDT 2003

I'm sorry - I don't understand when you say "you don't have a fix".

If you want to continue to use IWA in a Windows 2000 domain you need to
allow delegation.
If you have a Windows 2003 domain, then you have the additional option of
"constrained delegation"

If you do not want to enable delegation (eg for security reasons), then
you'll need to use Basic Authentication (and I suggest you run this over
SSL)

Cheers
Ken



Re: IIS6 - Integrated Authentication Probs by Ken

Ken
Tue Oct 21 20:51:30 CDT 2003

Hi Jay,

I'm a firm believer that you need both experience and theoretical knowledge.

There are some things that I believe a theoretical understanding helps. I
know that the subjects I did at Uni on wide area networking, TCP/IP etc,
(plus the associated theory - ISO OSI model etc) have proved immensely
useful in troubleshooting connectivity issues, since it provides you with a
framework whereby you can break a connection down into individual pieces
(physical connectivity, point-to-point routing, end-to-end routing, name
resolution etc) and test each piece systematically until you reach the
problem.

At the same time, real life experience, sitting in front of machines and
network equipment gives you an understanding of what tools are available for
doing the testing, how they work, and what their idiosyncrasies are.

An MCSE provides some background into how Windows works - however I think
you need to marry that with other theoretical knowledge (eg a good
understanding of TCP/IP if you're a network type person, or ER modelling if
you're a database developer etc)

Cheers
Ken




Re: IIS6 - Integrated Authentication Probs by JayDee

JayDee
Wed Oct 22 09:16:17 CDT 2003

Ken

Adding to my previous post,

I misled you slightly (actually I was misled myself!!!)
I'm actually running in win2000 mixed mode, not win2003 native mode, for my
domain infrastructure

even though my servers are 2k3 - I haven't made the jump yet, because I'm
still in the middle of a migration
So I can't go the whole way with constrained delegation,
but reading between the lines on the IIS RK Docs (Chap5, pp469) I have
enabled "trust computer for delegation" in the W2K3 computer account
webserver in DSA.MSC
There's a note below this option that says this will only enable delegation
for services running under Local System.

My web app is running in IIS5 isolation mode, which means it will run under
an IWAM account not the Local System,
Suffice to say, I'm not entirely surprised that this doesn't seem to fix my
problem.

At the moment I'm stuck again.

does this mean I'm stuffed?

J





Re: IIS6 - Integrated Authentication Probs by Ken

Ken
Thu Oct 23 02:26:53 CDT 2003

I'm not an expert in Delegation - you're probably better off asking in one
of the Windows Security groups. I could get an answer for you if you're
prepared to wait (I'll need to go and look in some of my resources...)

If it's not working, then maybe...you would need to run the site in "low
isolation", which means it would run inside inetinfo process, not dllhost
process. inetinfo runs as LocalSystem, whereas dllhost (for medium/high
isolation) is IWAM. Obviously that opens up another can of worms... :-)

However, the description on the dialogue box is a little ambiguous. The WWW
Publishing Service does run as LocalSystem - it's just the web app process
that doesn't.

Cheers
Ken
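The settings Ken's two replies turn on (whether the web server's computer account may delegate, whether the request identity is LocalSystem or IWAM, and why Kerberos rather than NTLM matters) can be checked from one script. This is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory PowerShell module, the default adsutil.vbs path, the first web site (W3SVC/1), and the hypothetical names WEB01, FS01 and jdoe.

```powershell
# Added example, not code from the thread or from Microsoft. Read-only check of
# the settings discussed above: domain mode, the web server's delegation flags,
# Kerberos SPNs, the user's "cannot be delegated" flag and the IIS 6 isolation
# mode. Hypothetical names: WEB01 (web server), FS01 (file server holding the
# UNC share), jdoe (the user who gets the 401.3). Requires the ActiveDirectory
# module; the adsutil.vbs part only runs on the IIS 6 host itself.
param(
    [string]$WebServer  = 'WEB01',
    [string]$FileServer = 'FS01',
    [string]$TestUser   = 'jdoe',
    [string]$SiteHost   = ''      # DNS name in the browser URL, if it is an alias
)
Import-Module ActiveDirectory

$findings = New-Object System.Collections.Generic.List[string]

# 1. Domain mode. Constrained delegation (msDS-AllowedToDelegateTo) needs the
#    Windows 2003 functional level; a Windows 2000 mixed-mode domain only has
#    the all-or-nothing "Trust computer for delegation" flag.
$domain = Get-ADDomain
if ("$($domain.DomainMode)" -match 'Windows2000') {
    $findings.Add('Domain is at Windows 2000 level: only unconstrained delegation is possible.')
}

# 2. The web server's computer account. When the site runs in low isolation
#    (inside inetinfo as LocalSystem) this is the identity that must be allowed
#    to delegate; its HOST/<fqdn> SPNs also cover HTTP for Kerberos.
$props   = 'TrustedForDelegation', 'msDS-AllowedToDelegateTo', 'ServicePrincipalName'
$web     = Get-ADComputer -Identity $WebServer -Properties $props
$fsFqdn  = (Get-ADComputer -Identity $FileServer).DNSHostName
$cifsSpn = "cifs/$fsFqdn"          # the service the second hop actually uses
$allowed = @($web.'msDS-AllowedToDelegateTo')

if (-not $web.TrustedForDelegation -and $allowed.Count -eq 0) {
    $findings.Add("$WebServer is not trusted for delegation: IWA stops at the second hop, hence 401.3 on the UNC share.")
} elseif ($allowed.Count -gt 0 -and $allowed -notcontains $cifsSpn) {
    $findings.Add("$WebServer has constrained delegation but $cifsSpn is not in its allowed list.")
}

# 3. Kerberos is a precondition: NTLM cannot be delegated at all. The name the
#    browser uses must map to an SPN on the process identity; an alias (CNAME)
#    needs its own HTTP/<alias> SPN or the client silently falls back to NTLM.
if (-not $SiteHost) { $SiteHost = $web.DNSHostName }
$spns = @($web.ServicePrincipalName)
if ($spns -notcontains "HOST/$SiteHost" -and $spns -notcontains "HTTP/$SiteHost") {
    $findings.Add("No HOST/ or HTTP/ SPN for $SiteHost on $WebServer; clients will negotiate NTLM, which cannot be delegated.")
}

# 4. The user being delegated. "Account is sensitive and cannot be delegated"
#    defeats delegation for that one user even when the server is trusted.
$user = Get-ADUser -Identity $TestUser -Properties AccountNotDelegated
if ($user.AccountNotDelegated) {
    $findings.Add("$TestUser is marked 'sensitive, cannot be delegated'.")
}

# 5. IIS 6 process identity, read from the metabase with adsutil.vbs (default
#    path). In IIS 5 isolation mode, AppIsolated 0 = low (inetinfo/LocalSystem),
#    1 = high and 2 = medium (dllhost/IWAM), so the computer account's delegation
#    setting only applies to value 0. W3SVC/1 is the first web site; adjust the
#    path for the virtual directory in question. The output format is assumed
#    to end with the value, e.g. "AppIsolated : (INTEGER) 0".
$adsutil = 'C:\Inetpub\AdminScripts\adsutil.vbs'
if (Test-Path $adsutil) {
    $mode = cscript //nologo $adsutil GET W3SVC/IIs5IsolationModeEnabled
    $iso  = cscript //nologo $adsutil GET W3SVC/1/ROOT/AppIsolated
    if ("$mode" -match 'True' -and "$iso" -notmatch '\b0\s*$') {
        $findings.Add('Application runs out of process as IWAM; LocalSystem delegation does not apply to it.')
    }
}

if ($findings.Count -eq 0) {
    'No delegation blockers found; next check the NTFS/share ACL on the UNC target.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Each finding maps to one of the causes the thread works through, so a clean run narrows the 401.3 down to the ACL on the target share rather than the authentication path.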



Re: IIS6 - Integrated Authentication Probs by JayDee

JayDee
Thu Oct 23 04:15:30 CDT 2003

Hmmm - low isolation.
yes that makes sense, I'll try that.

I will take your advice and post across to the security group as well.

Thanks again for your invaluable input Ken.

I will post back here with anything I find.

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:e6OeJcTmDHA.1740@TK2MSFTNGP12.phx.gbl...
> I'm not an expert in Delegation - you're probably better off asking in one
> of the Windows Security groups. I could get an answer for you if you're
> prepared to wait (I'll need to go and look in some of my resources...)
>
> If it's not working, then maybe...you would need to run the site in "low
> isolation", which means it would run inside inetinfo process, not dllhost
> process. inetinfo runs as LocalSystem, whereas dllhost (for medium/high
> isolation) is IWAM. Obviously that opens up another can of worms... :-)
>
> However, the description on the dialogue box is a little ambigous. The WWW
> Publishing Service does run as LocalSystem - it's just the web app process
> that doesn't.
>
> Cheers
> Ken
>
> "JayDee" <darius_falt@hotmail.com> wrote in message
> news:%230EaQcKmDHA.3504@TK2MSFTNGP11.phx.gbl...
> : Ken
> :
> : Adding to my previous post,
> :
> : I meslead you slightly (actually I was misleaf myself!!!)
> : I'm actually running in win2000 mixed mode, not win2003 native mode, for
> my
> : domain infrastructure
> :
> : even though my servers are 2k3 - i havent made the jump yet, becuase I'm
> : still in the middle of a migration
> : So I cant go the whole way with constrained delegation,
> : but reading between the lines on the IIS RK Docs (Chap5, pp469) I have
> : enabled "trust computer for delegation" in the W2K3 computer account
> : webserver in DSA.MSC
> : Theres a note below this option says that this will only enable
delegation
> : for services running under Local System.
> :
> : My web app is running in IIS5 isolation mode, which means it will run
> under
> : an IWAM account not the Local System,
> : Suffice to say, I'm not entirely surprised that this doesnt seem to fix
my
> : problem.
> :
> : At the moment I'm stuck again.
> :
> : does this mean I'm stuffed?
> :
> : J
> :
> :
> :
> : "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> : news:OI3NF8DmDHA.2436@TK2MSFTNGP09.phx.gbl...
> : > Hi Jay,
> : >
> : > I'm a firm believer that you need both experience and theoretical
> : knowledge.
> : >
> : > There are some things that I believe a theoretical understanding
helps.
> I
> : > know that the subjects I did at Uni on wide area networking, TCP/IP
etc,
> : > (plus the associated theory - ISO OSI model etc) have proved immensely
> : > useful in troubleshooting connectivity issues, since it provides you
> with
> : a
> : > framework whereby you can break a connection down into individual
pieces
> : > (physical connectivity, point-to-point routing, end-to-end routing,
name
> : > resolution etc) and test each piece systematically until you reach the
> : > problem.
> : >
> : > At the same time, real life experience, sitting in front of machines
and
> : > network equipment gives you an understanding of what tools are
available
> : for
> : > doing the testing, how they work, and what their idiosyncracies are.
> : >
> : > An MCSE provides some background into how Windows works - however I
> think
> : > you need to marry that with other theoretical knowledge (eg a good
> : > understanding of TCP/IP if you're a network type person, or ER
modelling
> : if
> : > you're a database developer etc)
> : >
> : > Cheers
> : > Ken
> : >
> : >
> : > "JayDee" <darius_falt@hotmail.com> wrote in message
> : > news:Oc$kI09lDHA.360@TK2MSFTNGP12.phx.gbl...
> : > : Thanks for your input Ken
> : > :
> : > : let me review that link, but what you're saying makes sense, in line with
> : > : the rather obfuscating MS articles I have read on the subject.
> : > :
> : > : You're a very knowledgeable gentleman, with a good knack for digesting and
> : > : summarising concepts. Thanks
> : > :
> : > : I'm curious - is your knowledge gained principally through empirical means or
> : > : through study?
> : > : are you a believer in learning or does it work better for you by
> : > : remembering, a la MCSE?
> : > :
> : > : Your understanding resonates differently to the usual run of MCSEs I
> : > : normally come across.
> : > :
> : > : J
> : >
> : >
> :
> :
>
>



Re: IIS6 - Integrated Authentication Probs by JayDee

JayDee
Thu Oct 23 05:07:53 CDT 2003

I've now tried altering the setting for the virtual directory that's pointing
at the external UNC resource.
It's running in low isolation mode.
Also the computer object for the web server itself is trusted for
delegation in AD.

I'm still not successful in getting integrated authentication to work.

Same problem exists, I'm always prompted for credentials, and even if I
manually enter valid ones, auth still fails.
After 3 attempts I get "401.3".

I'll post across to security.

J

"JayDee" <darius_falt@hotmail.com> wrote in message
news:ukkK2YUmDHA.1084@tk2msftngp13.phx.gbl...
> Hmmm - low isolation.
> yes that makes sense, I'll try that.
>
> I will take your advice and post across to the security group as well.
>
> Thanks again for your invaluable input Ken.
>
> I will post back here with anything I find.
>
> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> news:e6OeJcTmDHA.1740@TK2MSFTNGP12.phx.gbl...
> > I'm not an expert in Delegation - you're probably better off asking in one
> > of the Windows Security groups. I could get an answer for you if you're
> > prepared to wait (I'll need to go and look in some of my resources...)
> >
> > If it's not working, then maybe...you would need to run the site in "low
> > isolation", which means it would run inside inetinfo process, not dllhost
> > process. inetinfo runs as LocalSystem, whereas dllhost (for medium/high
> > isolation) is IWAM. Obviously that opens up another can of worms... :-)
> >
> > However, the description on the dialogue box is a little ambiguous. The WWW
> > Publishing Service does run as LocalSystem - it's just the web app process
> > that doesn't.
> >
> > Cheers
> > Ken
> >
> > "JayDee" <darius_falt@hotmail.com> wrote in message
> > news:%230EaQcKmDHA.3504@TK2MSFTNGP11.phx.gbl...
> > : Ken
> > :
> > : Adding to my previous post,
> > :
> > : I misled you slightly (actually I was misled myself!!!)
> > : I'm actually running in win2000 mixed mode, not win2003 native mode, for my
> > : domain infrastructure
> > :
> > : even though my servers are 2k3 - I haven't made the jump yet, because I'm
> > : still in the middle of a migration
> > : So I can't go the whole way with constrained delegation,
> > : but reading between the lines on the IIS RK Docs (Chap5, pp469) I have
> > : enabled "trust computer for delegation" in the W2K3 computer account
> > : webserver in DSA.MSC
> > : There's a note below this option that says that this will only enable delegation
> > : for services running under Local System.
> > :
> > : My web app is running in IIS5 isolation mode, which means it will run under
> > : an IWAM account not the Local System,
> > : Suffice to say, I'm not entirely surprised that this doesn't seem to fix my
> > : problem.
> > :
> > : At the moment I'm stuck again.
> > :
> > : does this mean I'm stuffed?
> > :
> > : J
> > :
> > :
> > :
> > : "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> > : news:OI3NF8DmDHA.2436@TK2MSFTNGP09.phx.gbl...
> > : > Hi Jay,
> > : >
> > : > I'm a firm believer that you need both experience and theoretical knowledge.
> > : >
> > : > There are some things that I believe a theoretical understanding helps. I
> > : > know that the subjects I did at Uni on wide area networking, TCP/IP etc,
> > : > (plus the associated theory - ISO OSI model etc) have proved immensely
> > : > useful in troubleshooting connectivity issues, since it provides you with a
> > : > framework whereby you can break a connection down into individual pieces
> > : > (physical connectivity, point-to-point routing, end-to-end routing, name
> > : > resolution etc) and test each piece systematically until you reach the
> > : > problem.
> > : >
> > : > At the same time, real life experience, sitting in front of machines and
> > : > network equipment gives you an understanding of what tools are available for
> > : > doing the testing, how they work, and what their idiosyncrasies are.
> > : >
> > : > An MCSE provides some background into how Windows works - however I think
> > : > you need to marry that with other theoretical knowledge (eg a good
> > : > understanding of TCP/IP if you're a network type person, or ER modelling if
> > : > you're a database developer etc)
> > : >
> > : > Cheers
> > : > Ken
> > : >
> > : >
> > : > "JayDee" <darius_falt@hotmail.com> wrote in message
> > : > news:Oc$kI09lDHA.360@TK2MSFTNGP12.phx.gbl...
> > : > : Thanks for your input Ken
> > : > :
> > : > : let me review that link, but what you're saying makes sense, in line with
> > : > : the rather obfuscating MS articles I have read on the subject.
> > : > :
> > : > : You're a very knowledgeable gentleman, with a good knack for digesting and
> > : > : summarising concepts. Thanks
> > : > :
> > : > : I'm curious - is your knowledge gained principally through empirical means or
> > : > : through study?
> > : > : are you a believer in learning or does it work better for you by
> > : > : remembering, a la MCSE?
> > : > :
> > : > : Your understanding resonates differently to the usual run of MCSEs I
> > : > : normally come across.
> > : > :
> > : > : J
> > : >
> > : >
> > :
> > :
> >
> >
>
>



Re: IIS6 - Integrated Authentication Probs by anonymous

anonymous
Thu Oct 30 09:05:36 CST 2003

Ken,

I have set the delegation for my web server in ADUC and
Integrated Authentication is still not functioning. I
agree with using Basic & SSL (which I had instituted as a
work-around), but apparently IWA is still not working.

Thanks for your help.

Hunter

>-----Original Message-----
>I'm sorry - I don't understand when you say "you don't have a fix".
>
>If you want to continue to use IWA in a Windows 2000 domain you need to
>allow delegation.
>If you have a Windows 2003 domain, then you have the additional option of
>"constrained delegation"
>
>If you do not want to enable delegation (eg for security reasons), then
>you'll need to use Basic Authentication (and I suggest you run this over
>SSL)
>
>Cheers
>Ken
>
><phf12@mcsdk12.nospam.org> wrote in message
>news:0a9701c397e1$0d3f16a0$a601280a@phx.gbl...
>: Ken,
>:
>: I am experiencing a similar problem with a Windows 2003
>: server (IIS 6.0) in a Windows 2000 domain. I am flying
>: through the resource kit but haven't found a fix yet. Any
>: ideas on resolving the Kerberos/Integrated Auth. issue
>: here?
>:
>: Thanks!
>:
>: Hunter
>:
>:
>: >-----Original Message-----
>: >The "problem" isn't really a problem - it's expected behaviour.
>: >
>: >When you use IWA, your user password is never sent across the wire - that's
>: >what makes it more secure than Basic authentication. However, the token that
>: >the webserver gets from the Domain Controller doesn't have permission to
>: >logon to other network resources.
>: >
>: >When you use Basic authentication, your username *and* password are
>: >transmitted, in the clear, to the webserver, who can then "act" on your
>: >behalf (as if you were logged on at the webserver) and get access to network
>: >resources
>: >
>: >(I'm sure the actual way this works is a little more complex, but this
>: >should suffice for the purposes of your dilemma).
>: >
>: >OK, so what do you do about it?
>: >
>: >With Windows 2000 you need to enable delegation (Windows 2003 allows for
>: >constrained delegation which is much "safer" in that you can restrict the
>: >services that are delegated). Now, you say you have a Windows 2003 native
>: >mode domain? If so, then you need to follow the delegation procedure
>: >outlined in Chapter 5 (IIRC) of the IIS 6 Resource Kit:
>: >
>: >http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=80A1B6E6-829E-49B7-8C02-333D9C148E69
>: >
>: >Cheers
>: >Ken
>: >
>: >
>: >"JayDee" <darius_falt@hotmail.com> wrote in message
>: >news:eEtDGi8lDHA.2268@TK2MSFTNGP12.phx.gbl...
>: >: hello again.
>: >:
>: >: Further to my last post "IIS 6 help! - Cant authentication to Virtual Dir on
>: >: another machine"
>: >:
>: >: I am still struggling with this.
>: >:
>: >: It seems that when I use "integrated authentication" that the credentials
>: >: parsed from my browser to the web server are not being used correctly by the
>: >: webserver to authenticate me on the target resource: The target resource -
>: >: as I mentioned - is located on another machine.
>: >:
>: >: How do I know this?
>: >:
>: >: a) - I can see in the log files that the correct credentials are being
>: >: parsed from my browser to the webserver.
>: >: b) - Despite the fact these credentials are being parsed, I'm still being
>: >: asked to present credentials by way of the browser 'Username and Password'
>: >: dialogue box.
>: >: c) - Even if I manually present valid credentials at this dialogue box, I'm
>: >: still not able to authenticate to the target resource. After 3 attempts at
>: >: entering info into the Dialogue, I get the same 401.3 Error - "Unauthorized:
>: >: Access is denied due to an ACL set on the requested resource"
>: >:
>: >: Hence - this is a general problem with the way the web server is using my
>: >: credentials to authenticate with the target resource.
>: >:
>: >: If I change the Authentication method from "Integrated" to "Basic", I am
>: >: always prompted for credentials, this is expected.
>: >: This time, if I enter valid credentials, then the Web Server gives me access
>: >: to the resource I need.
>: >:
>: >: So the problem here seems to be in how the IIS6 Web Server parses my
>: >: credentials for authentication on the target resource, but ONLY when it's
>: >: handling it via INTEGRATED AUTHENTICATION
>: >:
>: >: I thought that it might be something to do with NTLM versus Kerberos,
>: >: but this just adds to my confusion as in my test instance everything should
>: >: be working with Kerberos,
>: >:
>: >: Here's the setup.
>: >:
>: >: It's a W2K3 native mode domain,
>: >: with a W2K3 Web Server and IIS 6.
>: >: The client machine is WinXP Pro SP1a
>: >: The user and computer accounts are both members of this W2K3 Domain,
>: >:
>: >: I'm trying to digest the info I've found in the article 332142,
>: >: I'll also try manually setting the authentication method by adapting the
>: >: IIS5 procedure given in 215383,
>: >:
>: >:
>: >: But I'm completely in the dark here. I could really really use some MS help on
>: >: this.
>: >:
>: >:
>: >: Anyone out there?
>: >:
>: >:
>: >: thanks people - I really appreciate your time.
>: >:
>: >:
>: >
>: >
>: >.
>: >
>
>
>.
>
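A check for the delegation state the thread goes back and forth on, added here as an example and not from any of the posts: it reads the web server's computer account in AD (the "trust computer for delegation" box Ken and JayDee discuss maps to TrustedForDelegation, constrained delegation to msDS-AllowedToDelegateTo), lists every account in the domain allowed to delegate, and shows the IIS application's isolation setting. WEBSRV01, site number 1 and the adsutil.vbs path are assumed placeholders.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory module (RSAT)
# and an account allowed to read AD. Shows whether the web server's computer
# account actually carries the "trust computer for delegation" flag
# (TrustedForDelegation = unconstrained delegation), whether constrained
# delegation (msDS-AllowedToDelegateTo, 2003-mode domains) is set instead,
# and which other accounts in the domain can delegate at all.
Import-Module ActiveDirectory

$WebServer = 'WEBSRV01'   # assumed placeholder: the IIS 6 server's computer account
$props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
         'msDS-AllowedToDelegateTo', 'servicePrincipalName'

# 1. The server this thread is about. Without an HTTP/ SPN the client falls
#    back from Kerberos to NTLM, and an NTLM token cannot be delegated.
$srv = Get-ADComputer -Identity $WebServer -Properties $props
[pscustomobject]@{
    Name          = $srv.Name
    Unconstrained = $srv.TrustedForDelegation              # the DSA.MSC checkbox
    Constrained   = [bool]$srv.'msDS-AllowedToDelegateTo'   # 2003-mode option
    ProtocolTrans = $srv.TrustedToAuthForDelegation         # "use any protocol"
    HttpSpns      = @($srv.servicePrincipalName | Where-Object { $_ -like 'HTTP/*' })
} | Format-List

# 2. Domain-wide: every computer and user account allowed to delegate.
#    Unconstrained delegation lets that host impersonate anyone who
#    authenticates to it against any service, so each hit should be justified
#    (domain controllers are flagged by design; a web server usually should
#    be constrained to the one file server it needs, as Ken suggests).
$filter = 'TrustedForDelegation -eq $true -or msDS-AllowedToDelegateTo -like "*"'
$accounts = @(Get-ADComputer -Filter $filter -Properties $props) +
            @(Get-ADUser     -Filter $filter -Properties $props)
$accounts | ForEach-Object {
    $kind = if ($_.TrustedForDelegation) { 'UNCONSTRAINED' } else { 'constrained' }
    [pscustomobject]@{
        Account = $_.SamAccountName
        Kind    = $kind
        Targets = ($_.'msDS-AllowedToDelegateTo' -join ', ')
    }
} | Sort-Object Kind, Account | Format-Table -AutoSize

# 3. On the IIS 6 box itself (IIS 5 isolation mode): AppIsolated 0 = in-process
#    in inetinfo (LocalSystem, "low"), 1 = out-of-process, 2 = pooled (IWAM).
#    Only the in-process case is covered by the computer-account flag.
#    adsutil.vbs path assumed to be the default admin scripts folder.
& cscript //nologo C:\Inetpub\AdminScripts\adsutil.vbs GET W3SVC/1/Root/AppIsolated
```

Sections 1 and 2 run from any domain-joined machine with RSAT; section 3 has to run on the IIS 6 server because it reads the local metabase.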