Intranet web app prompts for windows credentials and denies access unless connecting from the web...
Rory PS (Member), Dec 20, 2012 06:53 AM
I have an intranet ASP.NET web app that uses windows authentication. It's installed at dozens of different companies and normally the authentication works fine: users navigate to the site e.g. http://appserver/MyApp, the app recognizes who they're logged in as and displays pages accordingly. I just installed it at a new client and encountered a problem:
1) When connecting from the web server, e.g. http://localhost/MyApp I was prompted for windows credentials. After entering credentials I was authenticated and pages displayed as per normal, which includes showing who I'm logged in as and retrieving info from a database (db connection uses Identity of the App Pool to connect to the database, not identity of the user). However, it shouldn't prompt for credentials at all. IE was running with enhanced security configuration so I thought it might be that, but the site was recognized as in the Local Intranet zone (as shown in the status bar) and checking IE security settings for the Intranet zone 'Automatic logon only in Intranet zone' was selected: I'd have thought this would allow authentication without prompting.
2) The bigger problem is when connecting from a workstation, e.g. to http://appserver/MyApp, I'm also prompted for windows credentials but after entering them I'm repeatedly prompted. After several re-entering credentials I'm shown a 401 error page saying "401 - Unauthorized: Access is denied due to invalid credentials.". So not only is it not passing through my identity but even when entering the username & password it's still denying access.
Here's all the relevant information I can think of:
- The install process is a manual copy of files, creation of IIS App Pools & web apps, updating connection strings, etc.
- I checked the IE security settings from the workstation too. It was also recognizing the server as in the Intranet zone and had the option 'Automatic logon only in Intranet zone' selected. Also on Advanced Settings the 'Enable Integrated Windows Authentication' option was checked.
- The web server is running Windows Server 2008 R2. It didn't have IIS on it until I installed it today. I installed the default features as well as Windows Authentication, ASP.NET, and possibly a couple of other items. A separate WCF app I installed that uses IIS, anonymous authentication & .net 2.0 is working fine on that web server.
- After installing IIS I ran "aspnet_regiis -i" for .net 2.0 and "aspnet_regiis -iru" for .net 4.0.
- Anonymous authentication is disabled for my app and Windows Authentication enabled.
- The app is running on ASP.NET v4 but there's another app I installed experiencing the same issue running ASP.NET v2.
- The app is running with Identity = Network Service and in 32-bit mode.
- Network Service has Full Control file permissions to the app folder.
- In IIS > Authentication > Windows Authentication > Providers the list was Negotiate first then NTLM. Now I write this I realise I usually set NTLM above Negotiate having found it solved a problem at one client in the past... although I don't understand why.
- After encountering the problem I reopened the Providers window and noticed that Negotiate:Kerberos was also available. I added this and put it at the top of the list. When saving IIS told me I had to disable kernel-mode authentication for Negotiate:Kerberos to work so I did that too. After recycling the app pool this didn't solve the problem so I later removed the Negotiate:Kerberos.
- In the Windows Security Event Log there were a series of Microsoft Windows security auditing events: Logon and Logoff. They indicated that the Logon was successful - this is when I'm connecting from another workstation and receive a 401 Unauthorized after several attempts. The Logon event log information was as shown below. I see that it mentions Kerberos.
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: DBG\nymktdata3-g
Account Name: nymktdata3-g
Account Domain: DBG
Logon ID: 0x74cdc0
Logon GUID: {2235e786-30fd-8023-932b-95e053a9be0e}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name:
Source Network Address: 10.152.28.45
Source Port: 51785
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
The Logon event saying it was successful seems odd, as if IIS is authenticating the user successfully but not telling my app!?
The web server is on the same domain "DBG" as the workstation and the users although the server is in the UK and the workstations are in the USA. The fully-qualified domain names for the machines include ".uk.[top-domain].com" and ".us.[top-domain].com" ... I don't know enough about Active Directory to know any implications of this. The IT guys tell me the machines are on the same domain.
Relevant sections of my web.config are as follows:
<authentication mode="Windows" />
<authorization>
    <deny users="?" />
</authorization>
So far, from writing this post, the only thing I can think of to try is reordering the Authentication Providers to have NTLM at the top. Or I need to do something special to make Kerberos work. Any other suggestions?
many thanks,
Rory
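As an added example (not part of Rory's post or of the forum's content), the following PowerShell script collects, from the server side, the facts this thread turns on: which authentication schemes are enabled for the app, the Windows authentication provider order and kernel-mode setting, the SPNs registered on the computer account, and which authentication package (Kerberos or NTLM) the recent type 3 logons from a given workstation actually used. The site/app path is a placeholder to substitute; the client address is the one from the event log quoted above.

```powershell
# Added diagnostic script (not from the thread). Assumes it runs elevated on the
# IIS 7.5 server, the WebAdministration module and setspn.exe are present, and
# the site/app path below is replaced with the real one.
Import-Module WebAdministration

$appPath  = 'Default Web Site/MyApp'   # placeholder: site/app virtual path
$appHost  = 'MACHINE/WEBROOT/APPHOST'
$clientIp = '10.152.28.45'             # workstation address from the event log in the thread

function Get-AuthSetting($section) {
    Get-WebConfiguration "system.webServer/security/authentication/$section" `
        -PSPath $appHost -Location $appPath
}

# 1. Anonymous must be off and Windows auth on, otherwise IIS never challenges
#    (or always lets the request through as the anonymous user).
foreach ($s in 'anonymousAuthentication', 'windowsAuthentication') {
    '{0,-24} enabled={1}' -f $s, (Get-AuthSetting $s).enabled
}

# 2. Provider order decides whether Negotiate (Kerberos) or NTLM is offered first;
#    kernel-mode authentication changes which account's keys decrypt Kerberos tickets.
'useKernelMode={0}' -f (Get-AuthSetting 'windowsAuthentication').useKernelMode
Get-WebConfiguration 'system.webServer/security/authentication/windowsAuthentication/providers/add' `
    -PSPath $appHost -Location $appPath |
    ForEach-Object { 'provider: ' + $_.value }

# 3. SPNs on the computer account. With the app pool running as Network Service,
#    the HOST/<server> SPNs cover HTTP unless an HTTP/<server> SPN was registered
#    on another account, in which case Kerberos tickets for this site are
#    issued for the wrong identity.
setspn -L $env:COMPUTERNAME

# 4. Recent network logons (4624, type 3) from the workstation, showing which
#    authentication package succeeded: the data the thread read by hand.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            User    = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Type    = $d.LogonType
            Package = $d.AuthenticationPackageName
            Source  = $d.IpAddress
        }
    } |
    Where-Object { $_.Source -eq $clientIp -and $_.Type -eq '3' } |
    Format-Table Time, User, Type, Package, Source -AutoSize
```

A successful 4624 here with Package=Kerberos or NTLM, followed by the browser still receiving 401, means authentication itself passed and the denial is coming from a later step in the request pipeline, which is where the rest of the thread ends up.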
Re: Intranet web app prompts for windows credentials and denies access unless connecting from the...
bbcompent1 (All-Star, Moderator), Dec 20, 2012 10:57 AM
I would think possibly your server doesn't have a Service Principal Name in AD. Try this from MSDN: http://technet.microsoft.com/en-us/library/ms191153.aspx
Also, try searching Google for service principal name active directory kerberos
Re: Intranet web app prompts for windows credentials and denies access unless connecting from the...
Rory PS (Member), Dec 20, 2012 06:59 PM
Great thanks, I'll try that out. Excellent articles in that series! The fact the Logon audit event was returning Success makes me think it's not one of those cases ... but I'll follow the different diagnosis steps and report back.
Re: Intranet web app prompts for windows credentials and denies access unless connecting from the...
Rory PS (Member), Dec 21, 2012 01:33 PM
I've made some progress:
I tried swapping order of NTLM and Negotiate providers and also enabled Kerberos event logging, but soon realised that wasn't the problem. When NTLM was top the Security Event Log audit messages said authentication was successful with NTLM and when Negotiate was top the success was with Kerberos.
Then I noticed in the Application Event Log there were Information events with message "File authorization failed for the request" along with Thread account name: NT AUTHORITY\NETWORK SERVICE and User: <the correct workstation user's domain account> (full message below). This suggests that the file access is being performed with the User's identity, not the AppPool identity of Network Service. Sure enough if I grant the end user Read & Execute permission (I didn't try Read only) to the application's directory then everything works correctly: when the user browses to the site they're authenticated automatically, not prompted, and the web site correctly recognizes their identity! Therefore my workaround solution is to give Read & Execute permission to Everybody on the application directory... but this is not an ideal solution.
This seems very strange. I've never needed to do this before, so far as I recall. Is this a new IIS7.5 thing? The documentation says that Impersonation is turned off by default. I added a <identity impersonate="false"/> element to the web.config to be sure, removed file permissions other than Network Service, but the problem remained.
I see another person has had this problem reported here but with no solution.
Any thoughts? Is it normal for Windows Authenticated sites on IIS 7.5 for end users to need file permissions on the web server files?
many thanks,
Rory
Full event log message was:
Event code: 4008
Event message: File authorization failed for the request.
Event time: 21/12/2012 13:13:26
Event time (UTC): 21/12/2012 13:13:26
Event ID: c7f01ad01b5449218727bd62ae878a24
Event sequence: 13
Event occurrence: 6
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1/ROOT/RMWeb-5-130005691092693608
Trust level: Full
Application Virtual Path: /RMWeb
Application Path: D:\apps\MyAppDirectory\RM_V6.11.4_RMWeb\
Machine name: LONINASU0020
Process information:
Process ID: 3076
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE
Request information:
Request URL: http://loninasu0020.uk.<real domain name here>.com/RMWeb
Request path: /RMWeb
User host address: 10.152.28.45
User: DBG\nymktdata3-g
Is authenticated: True
Authentication Type: Negotiate
Thread account name: NT AUTHORITY\NETWORK SERVICE
Custom event details:
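As an added example (not Rory's or the moderator's code), here are the two less permissive alternatives to granting Everyone Read & Execute on the application directory. The "File authorization failed for the request" event is raised by ASP.NET's FileAuthorizationModule, which compares the NTFS ACL of the requested file against the authenticated Windows user's token on every request, independent of the <identity impersonate> setting; that is why Full Control for Network Service does not satisfy it while a grant to the end user does. The directory path is the one from the 4008 event above, the users' group name is hypothetical, and the IIS app path is a placeholder.

```powershell
# Added example, not from the thread. Assumes: the directory is the one from the
# 4008 event (adjust), a domain group for the app's end users exists (hypothetical
# name below), and the app runs in the IIS integrated pipeline.
Import-Module WebAdministration

$appDir  = 'D:\apps\MyAppDirectory\RM_V6.11.4_RMWeb'   # from the 4008 event; adjust
$group   = 'DBG\RMWeb-Users'                            # hypothetical end-user group
$appPath = 'IIS:\Sites\Default Web Site\RMWeb'          # placeholder IIS app path

# Option 1: satisfy the FileAuthorizationModule check with a scoped grant.
# Read & Execute for the users' group only, inherited by subfolders and files,
# rather than a grant to Everyone.
$acl  = Get-Acl -Path $appDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $appDir -AclObject $acl

# Verify the grant: expect "ReadAndExecute, Synchronize" / Allow for the group.
(Get-Acl -Path $appDir).Access |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Option 2: take the per-user ACL check off the request path, so only the app
# pool identity (Network Service) needs file permissions. This writes the
# equivalent of
#   <system.webServer>
#     <modules>
#       <remove name="FileAuthorization" />
#     </modules>
#   </system.webServer>
# into the app's web.config. (Classic pipeline: remove the same module under
# <system.web><httpModules> instead.) Authorization then rests on the
# <authorization> rules in web.config, not on NTFS.
Remove-WebConfigurationProperty -PSPath $appPath -Filter 'system.webServer/modules' `
    -Name '.' -AtElement @{ name = 'FileAuthorization' }
```

Option 1 keeps the defence-in-depth of an NTFS check but ties deployment to a group membership; Option 2 matches the behaviour Rory expected (file access as the app pool identity only) at the cost of relying entirely on the URL authorization rules, so whichever is chosen, the <deny users="?" /> rule in web.config should stay.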
Re: Intranet web app prompts for windows credentials and denies access unless connecting from the...
bbcompent1 (All-Star, Moderator), Dec 21, 2012 01:39 PM
Ok, actually try giving read/list/execute to network service and then you aren't giving permissions to everyone.
Re: Intranet web app prompts for windows credentials and denies access unless connecting from the...
Rory PS (Member), Dec 21, 2012 01:41 PM
Network Service already has Full Control of the folder and all the files. I double-checked by looking at several of the individual files and subfolders, and tried adding 'Network Service' in a variety of different ways to the ACL in case it was a different 'Network Service' in my list.
Re: Intranet web app prompts for windows credentials and denies access unless connecting from the...
bbcompent1 (All-Star, Moderator), Dec 21, 2012 01:44 PM
Ok, I think you may need to make a posting at the IIS Forums since you are at the limit of what the asp.net forums can support. I think it is an IIS configuration issue and perhaps they've seen this before. http://forums.iis.net
Re: Intranet web app prompts for windows credentials and denies access unless connecting from the...
Rory PS (Member), Dec 21, 2012 01:45 PM
Good point, thanks. Posted here and here.
Re: Intranet web app prompts for windows credentials and denies access unless connecting from the...
Rory PS (Member), Dec 21, 2012 02:28 PM
Just in case anyone finds this useful:
I later determined that the behaviour was different when connecting to http://localhost/MyApp from the server (i.e. prompted for credentials but let through after login) because I was connecting as an admin user. It wasn't passing my identity through automatically because http://localhost had been added to the Trusted Sites on that machine so it was recognised as in the Trusted Sites zone instead of the Local Intranet Zone. Removing http://localhost from the Trusted Sites meant I was automatically logged in and the application worked fine.
Note that this didn't solve the root problem. It only works fine when connecting from the server because I was logged in as a server admin. The main problem that the end user needs access to the files is still the issue. Changing the Trusted Sites list only fixed the minor problem that the current user's credentials/identity weren't passed through automatically.