Welcome to HostingForumz.com!
REPOST - IIS6 /WebDAV/NTLM/Kerberos and Remote Storage

anonymous1614
(Msg. 1) Posted: Thu Apr 15, 2004 12:31 pm
Post subject: REPOST - IIS6 /WebDAV/NTLM/Kerberos and Remote Storage
Archived from groups: microsoft.public.inetserver.iis

Hello,

The following is a repost in an attempt to re-engage David
Wang (or others) as I was away for a while and was not
able to continue the thread. It has since gone dormant.
Any comments would be greatly appreciated.

______
I'm trying to set up an IIS6 server to serve up a directory
structure on a Win2K server. I enable the WebDAV Service
Extension, I create a virtual dir in IIS6, I give the VD
r+w+index+directory browsing. I set up the Connect As
dialog to use pass-through authentication. Directory
security has anonymous turned off and Integrated Windows
auth turned on. I set up the Share and NTFS perms on the
Win2K directory.

When I attempt to open the web folder in the browser, I
get challenged; after providing my credentials 3 times, I
get turned away with a 401.1 error page.

I did some poking around and found an article that talks
about what I *think* is the problem.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx#XSLTsection124121120120

(See: Protocol Transition and NTLM in the article)

Are NTLM and Kerberos the problem? I think the 2K server
wants to use NTLM and the 2K3 server wants to use
Kerberos, but the tickets aren't being passed properly.
(I don't know why the 2K server would be using NTLM
though; both servers are in AD and should default to
Kerberos, correct?) There is a setting I can make in AD
on the 2K3 server object that would allow the translation
to take place (at least that's how I understand it),
"Trust computer for delegation", but this seems to
indicate that there are security concerns. Are there?

Am I headed in the right direction? Why am I challenged
to authenticate in the first place if pass-through is
enabled? Is there a way around this?

____

Is this IIS6 server in a domain?
Are you using a Custom AppPool Identity?

--
//David

___


The IIS6 server and the Win2K server are both in the same
OU.

Since I don't know what Custom AppPool Identity is, I
would think the answer is no.

Thanks for your response.

kenremove
(Msg. 2) Posted: Sun Apr 18, 2004 7:07 pm
Post subject: Re: REPOST - IIS6 /WebDAV/NTLM/Kerberos and Remote Storage
Archived from groups: per prev. post

A few points:

a) You are probably running into a double-hop issue, because of using IWA.

b) You need to verify which authentication mechanism IIS and the browser
are actually using to authenticate.
1) check the IIS metabase to ensure the "negotiate,NTLM" is set as the
authentication provider, not just "NTLM". Negotiate indicates to use
Kerberos
2) Your browser must support Kerberos - i.e. IE v5+ running on Windows
2000, XP or 2003 Server. Additionally the checkbox "Use Integrated Windows
Authentication (requires a restart)" must be checked in IE.
3) Use a packet sniffer to verify that "negotiate" is the authentication
mechanism, or if NTLM is the authentication mechanism, that you are using
Protocol Transition.

c) For the credentials to be passed back to the remote storage
- You need to enable both the computer and user accounts for delegation
in Active Directory
- If you are using a Windows 2003 Domain, you can use Protocol
Transition but only if you use "Constrained Delegation", then choose "Use
any authentication Protocol" - this means that the initial
authentication can be non-Kerberos, but a Kerberos ticket will be issued to
the webserver to contact the remote service.
- Ensure an appropriate SPN (Service Principal Name) is registered in
the directory (AD). Kerberos tickets target a service principal name. If the
SPN isn't registered in the directory, then an encrypted session key can not
be generated by the KDC. You can use the Windows 2000 Res Kit setSPN.exe
tool if you need to register additional SPNs

NOTE: Protocol Transition is *not* available in a Windows 2000 domain, nor
is constrained delegation. If you are using a Windows 2000 domain (even if
the remote storage is Windows 2003 Server), you *must* use Kerberos to
authenticate to IIS from the client browser. For Kerberos to work, the
client browser must be able to contact the KDC (DCs in the Active Directory
world), so Kerberos is not suitable for an application where the browser is
on the non-secure side of a firewall. In this case, you're best off using
Basic Authentication secured with SSL.

HTH

Cheers
Ken


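Ken's point (b) is to confirm on the wire which mechanism is really in play rather than trusting the IIS setting. The Python below is an added example (not from this thread or from Microsoft) that classifies what a sniffer would show: the schemes IIS offers in its 401 response, and whether the client's Negotiate token actually carries Kerberos or has fallen back to NTLM, which in a Windows 2000 domain means no second hop is possible. The sample headers and tokens are constructed inside the block, not captured traffic, and the SPNEGO builder is a minimal DER helper for those samples only.

```python
import base64

# DER-encoded GSS-API mechanism OIDs (tag 0x06, length, value)
OID_SPNEGO  = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5    = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIG = b"NTLMSSP\x00"   # signature that opens every NTLM message

def offered_schemes(www_authenticate_headers):
    """Scheme names IIS advertised in its 401, in order; 'Negotiate' must be there for Kerberos."""
    return [h.split()[0] for h in www_authenticate_headers if h.strip()]

def classify_token(authorization_value):
    """Classify an Authorization header value as 'kerberos', 'ntlm-in-spnego', 'ntlm-raw' or 'unknown'."""
    _scheme, _, b64 = authorization_value.strip().partition(" ")
    token = base64.b64decode(b64)
    if token.startswith(NTLMSSP_SIG):
        return "ntlm-raw"                      # plain NTLM, whatever the scheme said
    if token[:1] != b"\x60" or OID_SPNEGO not in token:
        return "unknown"
    # Earliest mechanism OID in mechTypes is the client's preferred mechanism
    first = {}
    for name, oid in (("kerberos", OID_KRB5), ("kerberos", OID_MS_KRB5), ("ntlm", OID_NTLMSSP)):
        pos = token.find(oid)
        if pos >= 0 and pos < first.get(name, len(token)):
            first[name] = pos
    if not first:
        return "unknown"
    preferred = min(first, key=first.get)
    if preferred == "kerberos" and NTLMSSP_SIG not in token:
        return "kerberos"                      # a ticket was obtained and sent
    return "ntlm-in-spnego"                    # Negotiate wrapper, but NTLM inside

def _tlv(tag, body):
    # Minimal DER TLV for short constructed sample tokens (one-byte length only)
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def build_spnego_init(mech_oids, mech_token):
    """Build a minimal SPNEGO NegTokenInit; constructed test data, not a real AP-REQ."""
    mech_types = _tlv(0xA0, _tlv(0x30, b"".join(mech_oids)))
    mech_tok = _tlv(0xA2, _tlv(0x04, mech_token))
    return _tlv(0x60, OID_SPNEGO + _tlv(0xA0, _tlv(0x30, mech_types + mech_tok)))

# Constructed samples standing in for what a sniffer would show on the wire
SAMPLE_401 = ["Negotiate", "NTLM"]
SAMPLE_KERBEROS = "Negotiate " + base64.b64encode(
    build_spnego_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], b"\x6e\x10fake-AP-REQ-bytes")).decode()
SAMPLE_NTLM_SPNEGO = "Negotiate " + base64.b64encode(
    build_spnego_init([OID_NTLMSSP], NTLMSSP_SIG + b"\x01\x00\x00\x00")).decode()
SAMPLE_NTLM_RAW = "NTLM " + base64.b64encode(NTLMSSP_SIG + b"\x01\x00\x00\x00").decode()
```

If the 401 lists only NTLM, the metabase is missing Negotiate; if the client token classifies as NTLM under a Negotiate scheme, the browser never obtained a ticket, so check the SPN and the client's reachability to a DC before touching delegation.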
anonymous1614
(Msg. 3) Posted: Wed Apr 21, 2004 8:55 am
Post subject: Re: REPOST - IIS6 /WebDAV/NTLM/Kerberos and Remote Storage
Archived from groups: per prev. post

Ken,

Not sure if you are still listening, but I just wanted to
thank you for your response. You've given me much to
digest.

Ariel
