Jacob
Hello All,
I am trying to serve out some content via IIS that is hosted on a
remote fileserver, and am unable to get the delegation working
correctly. Our setup is as follows:
Local LAN
Windows 2000 domain (mixed-mode): MYDOMAIN (mydomain.net)
Windows 2003 Server w/IIS6: WEB01
Windows 2000 Server hosting files: FILE01
Windows XP Pro client workstation: CLIENT01
All computers are members of the domain. WEB01 is 'Trusted for
Delegation'.
Two domain users have been created:
MYDOMAIN\joeuser
MYDOMAIN\webdirmap
Both are members of the Domain Users group only.
Single web setup on WEB01, Active Directory DNS host record
'test.dev.mydomain.net' pointing to this web. The website has no
local content, and a single virtual directory called 'webtest' which
is pointing to a share on FILE01 called '\\FILE01\webtest'. The web
is set to use Windows Integrated Auth only, no Basic or Anonymous
allowed.
Both domain users have Read & Exec NTFS permissions to
\\FILE01\webtest. The SMB permissions on this share are set to
Everyone - Full Control. This share contains a single image file
called 'shite.gif'.
For my testing I'm sitting at CLIENT01 and attempting to browse to
http://test.dev.mydomain.net/webtest/shite.gif using IE 6.0SP1.
1) First I set the '\webtest' virtual dir to use a fixed set of
credentials, connecting as 'MYDOMAIN\webdirmap'. I then browsed to the
above URL, authenticating as 'MYDOMAIN\joeuser'. I was able to view
the image with no problems, and the event log on WEB01 showed me
authenticating using Kerberos as 'MYDOMAIN\joeuser'. The eventlog on
FILE01 showed a successful Logon event (using Kerberos for both logon
and auth packages) for 'MYDOMAIN\webdirmap', followed by a successful
object access for 'shite.gif'. All good...
2) Then I changed the '\webtest' virtual dir to use passthrough
authentication, connecting as the authenticated user accessing the
website. I browsed to the URL again (after closing the browser to
clear the cache first). I immediately got a userid/password challenge
dialog, into which I entered the credentials for 'MYDOMAIN\joeuser'.
They weren't accepted and I was challenged 3 times in total before IIS
finally came back with an 'HTTP 401.3 - Unauthorized: Access is denied
due to an ACL set on the requested resource' error. The event logs on
WEB01 looked OK, with a Kerberos logon as 'MYDOMAIN\joeuser'. The
FILE01 event log however showed two events, repeated 3 times in quick
succession (once per failed challenge I guess): a successful
Privilege Use (Special privileges assigned to new logon:
SeChangeNotifyPrivilege) for 'NT AUTHORITY\ANONYMOUS LOGON', followed
by a successful Logoff event for the same user (logon type 3). No
successful logons at all, nor any audit failures of any kind.
I'm logging both success and failures for Object Access, Logon/Logoff,
Account Logon and Privilege Use.
Can anyone explain this to me? Why is the connection from WEB01 to
FILE01 coming through as 'NT AUTHORITY\ANONYMOUS LOGON'? It should be
coming through as 'MYDOMAIN\joeuser' if Kerberos delegation was
working shouldn't it?
To double-check I switched the web to use Basic auth rather than
Windows Integrated. It worked fine with both fixed 'connect as'
credentials (MYDOMAIN\webdirmap) and with passthrough, so I'm thinking
it's Kerberos at fault...
I've read all of the pertinent TechNet articles I could find, including
the very informative
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx
but still have no joy making this work. Suggestions anyone?
Thanks!
Jacob Luebbers
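The audit pattern Jacob describes on FILE01 in scenario 2 (a Privilege Use entry and a Logoff for NT AUTHORITY\ANONYMOUS LOGON, with no Logon event for the browser user) is what the second hop of a double-hop request looks like when no delegated credentials arrive at the file server. The script below is an added example, not code from the post, that classifies a web-server-to-file-server hop from both machines' audit entries. The key=value line format and the req= correlation id are constructed for this script; real Windows security events would have to be correlated by time or logon id instead. The constructed sample reproduces scenario 1 (fixed 'connect as' account), scenario 2 (passthrough with the anonymous fallback) and, for contrast, what a working delegated hop would look like.

```python
"""Classify the WEB01 -> FILE01 hop from simplified security-audit lines.

Added example, not from the post. The key=value line format and the req=
correlation id are constructed for this script; real Windows audit events
would need to be correlated by time or logon id instead.
"""
import re
from collections import defaultdict

ANONYMOUS = "NT AUTHORITY\\ANONYMOUS LOGON"

# Constructed sample audit lines. req=1 mirrors the post's scenario 1 (fixed
# 'connect as' account), req=2 mirrors scenario 2 (passthrough, delegation not
# working), req=3 shows what a working delegated hop would look like.
SAMPLE_AUDIT = """\
req=1 host=WEB01 event=Logon user=MYDOMAIN\\joeuser package=Kerberos logon_type=3 result=Success
req=1 host=FILE01 event=Logon user=MYDOMAIN\\webdirmap package=Kerberos logon_type=3 result=Success
req=1 host=FILE01 event=ObjectAccess user=MYDOMAIN\\webdirmap object=shite.gif result=Success
req=2 host=WEB01 event=Logon user=MYDOMAIN\\joeuser package=Kerberos logon_type=3 result=Success
req=2 host=FILE01 event=PrivilegeUse user="NT AUTHORITY\\ANONYMOUS LOGON" privilege=SeChangeNotifyPrivilege result=Success
req=2 host=FILE01 event=Logoff user="NT AUTHORITY\\ANONYMOUS LOGON" logon_type=3 result=Success
req=3 host=WEB01 event=Logon user=MYDOMAIN\\joeuser package=Kerberos logon_type=3 result=Success
req=3 host=FILE01 event=Logon user=MYDOMAIN\\joeuser package=Kerberos logon_type=3 result=Success
req=3 host=FILE01 event=ObjectAccess user=MYDOMAIN\\joeuser object=shite.gif result=Success
"""

# key=value pairs; a value is either double-quoted (may contain spaces) or bare
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {key: quoted if quoted else bare
            for key, quoted, bare in FIELD_RE.findall(line)}


def classify_hop(events, web_host="WEB01", file_host="FILE01"):
    """Classify one request's events: did the browser user's identity reach the file server?"""
    web_users = {e["user"] for e in events
                 if e["host"] == web_host and e["event"] == "Logon" and e["result"] == "Success"}
    file_logons = {e["user"] for e in events
                   if e["host"] == file_host and e["event"] == "Logon" and e["result"] == "Success"}
    anonymous = [e for e in events if e["host"] == file_host and e["user"] == ANONYMOUS]
    if web_users & file_logons:
        return "delegated"           # same identity on both hops: delegation worked
    if file_logons:
        return "fixed_credentials"   # a different account (e.g. a 'connect as' user) reached the file server
    if anonymous:
        return "anonymous_fallback"  # second hop carried no user credentials at all
    return "no_hop"


def classify_audit(text, **hosts):
    """Group lines by req= id and classify each request's hop."""
    by_req = defaultdict(list)
    for raw in text.splitlines():
        if raw.strip():
            event = parse_line(raw)
            by_req[event["req"]].append(event)
    return {req: classify_hop(events, **hosts) for req, events in sorted(by_req.items())}


if __name__ == "__main__":
    for req, verdict in classify_audit(SAMPLE_AUDIT).items():
        print(f"request {req}: {verdict}")
```

The "anonymous_fallback" verdict only says that the file server saw no user credentials on the second hop; it does not say why delegation failed, which is exactly the question the post asks. Its value as a detection is that, across many requests, a web server that is configured for passthrough authentication but keeps producing anonymous sessions on its back-end share is a delegation misconfiguration that shows up in the file server's audit log before anyone reports a 401.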