Using DNS name verses Machine Name causes 403 error

[Jason]

Hi,

I have developed a web service using VS2005 and is landed on a Windows 2003
Server. The Server is an Intranet Server so I am using credentials while
connecting to the server so authentication takes place.

My problem is that when I connect to the server with a URL like:

http://MYSERVER/Service/webservice.asmx I have no problem. The server Name
is MYSERVER

If I try and connect using it's DNS name like

http://MYSERVER.mydomain.com/Service/webservice.asmx I receive 403 errors.
The DNS resolves to the same IP address as above.

My final goal is to setup a load balanced web service but before I can do
that I need to be able to connect to a web service using DNS name..

Can you help?

Thanks
Jason

 

[Steven Cheng[MSFT]]

Hello Jason,

From your description, you've developed and hosted an ASP.NET webservice on
a windows 2003 server machine and the webservice is secured through
intergrated windows authentication in IIS. When calling the webservice, you
found it always return 403 error if you use the DNS name but worked well if
use the NetBios machine name to visit it, correct? if anything I missed,
please feel free to let me know.

As for the webservice function call, are you test it on some remote client
machines whch are using windows 2000 or later(xp or 2003) operating system?
If this is the case, based on my experience, it is likely due to the client
machine failed to establish kerberos authentication with the server
machine. When the client machine establish windows authentication with
server, if both the client and server is windows 2000 or later operating
system, they'll use kerberos authentication protocol. And kerberos
authentication protocol require the servername (in the url) been registered
with a certain service principal name in KDC(mostly is the DC in wnidows
domain). For your case, it is possible that the DNS name you used hasn't be
registered with your server's servername in DC.

Here is a knowledge base article describes the problem, you can have a look
to see whether it matches your case:

#Authentication may fail with "401.3" Error if Web site's "Host Header"
differs from server's NetBIOS name
http://support.microsoft.com/?id=294382


Also, I think this is a typical IIS specific issue. To further isolate it,
you can create an ASP.NET page or normal html page(in the webservice's IIS
virutal dierctory) and visit it from the same client machine to see whether
you meet the same behavior. Another means is to disable kerberos
authentication and force the IIS site or virutal diretory to use NTLM for
widows authentication only. If this works, we can confirm that the problem
did be caused by kerberos authentication. The below kb article introduce
how to change the IIS to use NTLM or both Kerberos and NTLM as windows
authentication protocol:

#How to configure IIS to support both the Kerberos protocol and the NTLM
protocol for network authentication
http://support.microsoft.com/kb/215383/en-us

Hope this helps. Please feel free to let me know if you got any further
progress or need any further assistance.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================



This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Jason]

Steven,

Thanks for your response.

I have been trying to understand the difference between my own system and
the current production system that works just fine using DNS name verses
Netbios name. I did find that the production Server has an additional Server
Principle Name set so I will try setting the SPN for my Server and see if
that works..

Can you tell me if 3 servers can all be set with the same SPN? In the new
Production environment I have 3 Servers using NLB. For this approach to work
I would need to add the same SPN to each of the Servers. Will this cause a
problem in Active Directory??

On a side note, while I somewhat understand the issue here when my client
app connects to the Web service, I am a little confused why a web browser
from the same client is able to access the web service directly with no
errors. Why does the web browser connect while my Windows app fails??

Also, I have credentials set and Preauthenticate=true set but the first
connection is always anonymous so there are two hits to the web server...Is
there anyway to stop the initial anonymous connection?? and connect first
time with credentials??

Thanks
Jason

 

[Steven Cheng[MSFT]]

Thanks for your followup Jason,

I'm not quite sure on the multiple DNS name as SPN pointing to the same
server, this is more specfiic to AD configuration and due to my limited
experience on this, I would suggest you post in some server&platform
specific newsgroup and I think this can be well answered.

As for the different behavior between programmtic interface and IE browser,
this is because when using IE webbrowser, the client browser may be able to
choose downlevel NTLM protocol when using kerberos failed. However, the
webservice proxy which use httpwebrequest class may not support such
graceful handling for such condition.

Anyway, I suggest you try explicitly configure the IIS site to use NTLM
only(exclude Negotiate) to see whether it works.

You can also post this issue in IIS specific newsgroup since it also
involves much IIS specific configuration.

Please feel free to let me know if you need any other information.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Jason]

Thanks Steven,

I am waiting for the Infrastructure guys to run setSPN on my Dev Server so I
can test to see if it or at least changes the symptoms.

I have already switched the server to NTLM only and it makes no difference..

Thanks for your help
Jason

 

[Steven Cheng[MSFT]]

Thanks for your reply Jason,

I'm abit surprised that NTML also not work on your side.

BTW, onething we can also try is use some network trace utility to capture
the HTTP request/respose stream (for the requests made by IE and the
webservice client proxy). I think you can find the difference focusing on
the authentication section in the HTTP header or the whole steps how to
connection get established.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.