Strange IIS authorization issue for admin

I am using VSTS 2008 + C# + .NET 3.5 + IIS 6.0 + Windows Server 2003 Enterprise x64 SP2 + ASP.NET. I am using Anonymous Authentication + Windows Authentication mode on an IIS website; I am mapping the anonymous account's user id to mycorp\george and also using mycorp\george to start the IIS worker process. I also added mycorp\george to the IIS web server admins group. "mycorp" is the domain name (Windows Active Directory) used by my department.

I always get an unauthorized error (401) when accessing the website from another computer using the mycorp\george account (but no error when accessing the website from the local computer). The website is a SharePoint site using SharePoint Services 3.0.

I also used the IIS Authentication and Authorization diagnostics tool; here is the tool I use: http://www.microsoft.com/downloads/details.aspx?familyid=63AAF167-2138-4231-B6ED-56298044BD3B&displaylang=en

This tool reports a similar authentication and authorization issue:

My account mycorp\george does not have network privilege access to this computer
Path: W3SVC/1670937635/ROOT AuthType: Anonymous
Server response: HTTP/1.1 401 Access Denied
More about IIS status codes
Path: W3SVC/1670937635/ROOT AuthType: Anonymous

Any ideas what is wrong? I think that for an admin account like mycorp\george, the account shouldn't have any restrictions (authentication or authorization).

Thanks in advance, George

+2




3 answers


There are several potential problems:

1. How remote access to a local account is configured.

Is the system in a domain or a workgroup? If it is in a workgroup, then unless you change it, remote access to administrator accounts is disabled (they are treated as guests).

You can change this in your local security policy:

  • Start secpol.msc from Start | Run
  • Go to Local Policies | Security Options
  • Select the "Network access: Sharing and security model for local accounts" option
  • Make sure this option is set to "Classic - local users authenticate as themselves".

(The Explanation tab has more details.)

While in secpol, also check that you are auditing account logon events.

2. IIS authentication options



What are the authentication options for a virtual directory? Is anonymous access enabled? Is Windows Authentication enabled?

If you are auditing account logon events, check the Security event log for the logons that should have occurred if the user was authenticated.

3. What are the file system permissions?

Does the remote user (for Windows Authentication) or the worker process identity (for anonymous users) have access to the file system objects?

Use Process Monitor to see whether the files are accessed (or access is attempted); this should help you see whether IIS is generating the unauthorized error internally or is getting access denied from the file system.

4. Back to the error

HTTP/1.1 401 Access Denied
More about IIS status codes
Path: W3SVC/1670937635/ROOT AuthType: Anonymous

This indicates that the client is not logged in as a Windows account. This seems to be the area to focus on. Do you get the same if the client browser runs on the server itself, as a different user, or as a different browser? Is IE configured for the appropriate zone to allow Windows Authentication?

+2


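The four checks in the answer above, gathered into one script. This is an added example and not code from the original thread. It assumes PowerShell 2.0 running elevated on the Windows Server 2003 / IIS 6 machine itself; `$Account` and `$WebRoot` are placeholders to adjust, the Security-log event IDs are the Windows Server 2003 logon-failure IDs, and Process Monitor is left as the manual step it is.

```powershell
# Added diagnostic script for answer 1; not part of the original thread.
# Assumptions: PowerShell 2.0, elevated, on the IIS 6 server; placeholders below.
param(
    [string]$Account = 'mycorp\george',        # placeholder: the remote caller
    [string]$WebRoot = 'C:\Inetpub\wwwroot'    # placeholder: the site's physical path
)

# 1. "Network access: Sharing and security model for local accounts".
#    Stored as the ForceGuest value under the Lsa key: 0 = Classic, 1 = Guest only.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.ForceGuest -eq 1) {
    Write-Warning 'ForceGuest=1 (Guest only): remote callers using local accounts are mapped to Guest.'
} else {
    'Sharing and security model: Classic (local users authenticate as themselves)'
}

# 2. Export the local policy once and read user rights and audit settings from it.
#    secedit writes principals as SIDs prefixed with "*"; resolve them to names where possible.
$inf = Join-Path $env:TEMP 'localpolicy.inf'
secedit /export /cfg $inf | Out-Null
$policy = @{}
Get-Content $inf | ForEach-Object {
    if ($_ -match '^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$') { $policy[$matches[1]] = $matches[2] }
}
function Resolve-SidList([string]$list) {
    if (-not $list) { return '(none)' }
    ($list.Split(',') | ForEach-Object {
        $id = $_.Trim().TrimStart('*')
        try {
            (New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $id).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $id }   # already a name, or a SID that no longer resolves
    }) -join ', '
}
'Access this computer from the network: ' + (Resolve-SidList $policy['SeNetworkLogonRight'])
'Deny access to this computer from the network: ' + (Resolve-SidList $policy['SeDenyNetworkLogonRight'])
# Audit values: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure
'Audit logon events: ' + $policy['AuditLogonEvents'] + ', audit account logon events: ' + $policy['AuditAccountLogonEvents']

# 3. Recent logon failures for the account in the Security log (Server 2003 IDs 529-539).
#    534 = "The user has not been granted the requested logon type at this machine",
#    which is the condition the diagnostics tool in the question describes.
$failIds = 529, 530, 531, 532, 533, 534, 535, 536, 537, 539
$user = $Account.Split('\')[-1]
Get-EventLog -LogName Security -Newest 1000 |
    Where-Object { $failIds -contains $_.EventID -and $_.Message -match [regex]::Escape($user) } |
    Select-Object TimeGenerated, EventID,
        @{ Name = 'Reason'; Expression = { ($_.Message -split "`r?`n" | Where-Object { $_ -match 'Reason:' } | Select-Object -First 1) } } |
    Format-Table -AutoSize

# 4. NTFS permissions on the web root for the account and the groups that usually matter.
(Get-Acl $WebRoot).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account -or $_.IdentityReference.Value -match 'Administrators|Users|Everyone' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Run it as `.\iis-auth-check.ps1 -Account 'mycorp\george' -WebRoot 'D:\sites\portal'` (script name is a placeholder). A 534 event for the account, or the account missing from "Access this computer from the network" (or present in the deny list), points at the logon-right problem the question's tool reports rather than at NTFS.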


  • Do you have duplicate SPN (Service Principal Name) registrations in AD?
  • Is your delegation enabled? The reason I thought it might be a problem is that you see it showing up as a 404: once the ticket is approved by your DC (domain controller), if you haven't enabled delegation and the service principal name is invalid, the ticket therefore gets a 404.

If you think it might be related to this, I can expand a little more on how to track it down. If you have a secure environment, could this be a problem?



Best wishes, Rihan Maige

+1


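The two questions in the answer above (duplicate SPNs, delegation) can be answered from AD without touching the web server. The script below is an added example, not code from the original thread; it assumes PowerShell 2.0 on a domain-joined machine with an account that can read AD, and `$IisHost` / `$PoolAccount` are placeholders for the IIS server's NetBIOS name and the sAMAccountName the worker process runs as.

```powershell
# Added SPN / delegation check for answer 2; not part of the original thread.
# Assumptions: PowerShell 2.0, domain-joined, read access to AD; placeholders below.
param(
    [string]$IisHost     = 'webserver',   # placeholder: NetBIOS name of the IIS 6 box
    [string]$PoolAccount = 'george'       # placeholder: sAMAccountName of the worker process identity
)

# Every object in the domain holding an HTTP SPN, keyed by SPN so duplicates stand out.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = '(servicePrincipalName=HTTP/*)'
$searcher.PageSize = 1000
$owners = @{}
foreach ($r in $searcher.FindAll()) {
    $sam = [string]$r.Properties['samaccountname'][0]
    foreach ($spn in $r.Properties['serviceprincipalname']) {
        if ($spn -notmatch '^HTTP/') { continue }
        $key = ([string]$spn).ToLower()
        if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
        $owners[$key] += $sam
    }
}

'Duplicate HTTP SPNs (the same SPN on more than one account):'
$dups = $owners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if (-not $dups) { '  none' }
foreach ($d in @($dups)) { '  {0} -> {1}' -f $d.Key, ($d.Value -join ', ') }

# The HTTP SPN for the site's host name must live on the account the worker process runs as.
# The computer account's HOST/ SPN already answers for HTTP/ on that host, so an HTTP/<host>
# on a user account while the pool still runs as the machine (or the reverse) breaks Kerberos
# even though setspn -X reports nothing.
''
"Explicit HTTP SPNs for $IisHost :"
foreach ($spn in "HTTP/$IisHost", "HTTP/$IisHost.$env:USERDNSDOMAIN") {
    $k = $spn.ToLower()
    if ($owners.ContainsKey($k)) { '  {0} is on: {1}' -f $spn, ($owners[$k] -join ', ') }
    else { '  {0} is not registered explicitly (HOST/ on the computer account answers for it)' -f $spn }
}

# Delegation state of an account: userAccountControl bits plus constrained-delegation targets.
function Get-DelegationState([string]$sam) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.Filter = "(sAMAccountName=$sam)"
    $r = $s.FindOne()
    if (-not $r) { return "$sam : not found" }
    $uac   = [int]$r.Properties['useraccountcontrol'][0]
    $state = @()
    if ($uac -band 0x80000)   { $state += 'TRUSTED_FOR_DELEGATION (unconstrained)' }
    if ($uac -band 0x1000000) { $state += 'TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition)' }
    $targets = @($r.Properties['msds-allowedtodelegateto'])
    if ($targets.Count -gt 0) { $state += 'constrained to: ' + ($targets -join ', ') }
    if ($state.Count -eq 0)   { $state += 'no delegation' }
    "$sam : " + ($state -join '; ')
}
''
Get-DelegationState ($IisHost + '$')   # the computer account
Get-DelegationState $PoolAccount       # the worker process / impersonation account
```

Delegation only matters for the second hop (the web server forwarding the caller's identity to SQL, a web service or another SharePoint box); it does not affect whether the browser can authenticate to IIS in the first place. A duplicate or misplaced HTTP SPN does affect that first hop, because the client obtains a ticket encrypted with the wrong account's key and IIS cannot decrypt it.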


If you don't like reading the ramblings of a developer who used to be a network administrator and thinks security should be part of the solution rather than an afterthought, skip to the end of this answer.

There are a few quick things that I would check; I have found similar issues when working with Microsoft CRM. Both of these products use integrated authentication. I agree with you 100% that this is not a permission issue, but it might be an authentication issue.

I just want to get a couple of facts straight; if these assumptions are wrong, I am probably way off.

  • The application pool runs under Network Service.
  • You need Active Directory authentication for the site to work.
  • You are accessing a resource located on a remote computer. (If you are accessing a web service on the same machine but running in a different application pool, this counts as a remote machine.)
  • Have you tried using things like SQL Authentication, but the application you are using is NOT happy with it and refuses to work?

The sequence below is what I think is happening.

  • The client (browser) makes a request to IIS over stock standard HTTP using the default anonymous credentials.
  • The server sends a 404 response and a challenge; in short, as I understand it, "go away until you can give me the correct authentication token, or I think this is the key".
  • The browser discards that and transmits the "key" it received from the browser machine's LSASS service (some very tricky conversations and negotiations with some domain controllers to get to this).
  • The server receives a new request with a key, then passes that key to a domain controller and asks whether it is valid and whether it should do whatever it should do (NTFS allows, all these good things).
  • Up to that point everything is peachy and works great, but then a trap appears.
  • To render the HTML for the page, the server needs some remote resources (database, web service, whatever), but the remote resources are also configured to use Integrated Authentication and require a valid "key".
  • However, at this point this process runs on the server under the Network Service credentials and presents the Network Service credentials to the "remote" machine where the stuff you need is; the remote machine will deny permission, because when the Network Service account travels over the wire it becomes the machine account, so even if we gave the computer account access to the resource, this is still not what you want.
  • So what you can do is enable impersonation in web.config.

Perhaps at this time I should stop, because I am basing this on a lot of assumptions.

Quick test

A quick way to test all this stuff I just typed is to change the credentials that your application pool runs with to a domain username/password that you know has access. This is just to test my hypothesis. If it works, I may be on the right track, but I'll take a look first so I'm not wasting your time.

0


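The answer above turns on two things, the application pool identity and `<identity impersonate="true" />` in web.config, and proposes a quick test of running the pool as a domain account. The script below reads both settings on an IIS 6 box and, with `-ApplyQuickTest`, performs that test. It is an added example, not code from the original thread; it assumes PowerShell 2.0 running elevated on the server with the IIS 6 WMI provider present, and `$AppPool`, `$WebConfig` and `$TestAccount` are placeholders.

```powershell
# Added example for answer 3 (app pool identity, impersonation, the quick test);
# not part of the original thread. Assumptions: IIS 6 WMI provider (root\MicrosoftIISv2),
# PowerShell 2.0 elevated on the server; placeholders below.
param(
    [string]$AppPool     = 'DefaultAppPool',                 # placeholder pool name
    [string]$WebConfig   = 'C:\Inetpub\wwwroot\web.config',  # placeholder site config
    [string]$TestAccount = 'mycorp\george',                  # placeholder domain account for the quick test
    [switch]$ApplyQuickTest
)

$ns = 'root\MicrosoftIISv2'
$poolSettings = Get-WmiObject -Namespace $ns -Class IIsApplicationPoolSetting -Filter "Name='W3SVC/AppPools/$AppPool'"
if (-not $poolSettings) { throw "Application pool $AppPool not found in the metabase" }

# AppPoolIdentityType: 0 = LocalSystem, 1 = LocalService, 2 = NetworkService, 3 = configured user
$identity = switch ([int]$poolSettings.AppPoolIdentityType) {
    0 { 'LocalSystem' }
    1 { 'LocalService' }
    2 { 'NetworkService' }
    3 { 'user ' + $poolSettings.WAMUserName }
}
"Application pool $AppPool runs as: $identity"

# web.config: authentication mode and whether the request thread impersonates the caller
[xml]$cfg = Get-Content $WebConfig
$web         = $cfg.configuration.'system.web'
$mode        = $web.authentication.mode
$impersonate = ($web.identity.impersonate -eq 'true')
"authentication mode: $mode, impersonate: $impersonate"

if ($mode -ne 'Windows') {
    Write-Warning 'Integrated authentication needs <authentication mode="Windows" /> in web.config.'
}
if ([int]$poolSettings.AppPoolIdentityType -eq 2 -and -not $impersonate) {
    Write-Warning 'Requests run as NetworkService; to another machine that appears as the computer account (DOMAIN\HOST$), not as the caller.'
}
if ($impersonate) {
    'Impersonation is on: code runs as the authenticated caller on this box; a second hop still needs delegation.'
}

if ($ApplyQuickTest) {
    # The quick test from the answer: run the pool under a domain account known to have access.
    # On IIS 6 the account must be in the local IIS_WPG group to start a worker process.
    $cred = Get-Credential $TestAccount
    net localgroup IIS_WPG $TestAccount /add | Out-Null     # harmless if already a member
    $poolSettings.AppPoolIdentityType = 3
    $poolSettings.WAMUserName = $TestAccount
    $poolSettings.WAMUserPass = $cred.GetNetworkCredential().Password
    $poolSettings.Put() | Out-Null
    $pool = Get-WmiObject -Namespace $ns -Class IIsApplicationPool -Filter "Name='W3SVC/AppPools/$AppPool'"
    $pool.Recycle() | Out-Null
    "Pool $AppPool recycled under $TestAccount; retry the request from the remote client."
}
```

The quick test is a diagnostic, not a fix: if the remote request succeeds only once the pool runs as a domain user, the failure was in how the pool identity presented itself on the network, and the lasting answer is either impersonation with delegation or a dedicated service account with the right SPNs, not leaving an admin's password in the metabase.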






