Integrated security problem

Integrated security problem

• glenragoonanan

  This is likely an issue with the underlying WebRequest.
  
  I am going to move this post to the networking forum.
  

• Nuwc

  In fact we traced it down to the browser to web app authentication by turning on Kerberos event logging, and it was obvious, when using a host header, NTLM was being used, when a virtual server, Kerberos was being used. Kereberos delegation wont work with NTLM
  
  We had a further investigation on clean boxes, and it was in the end SPN setup.
  
  Our remoting app did have access for the NETWORKSERVICE account, it just couldnt do anything with it, such as logon to SQL Server.
  

• Pascal Geuze

  On the same box, I thought NTLM did work for delegation.
  Are you saying that this is not the case
  
  Is there a way for me to recreate the issue Do you have some
  some simple repro code>
  
  

• Steentje

  I managed to get past this part - the msdn article is slightly confusing in that it suggests you can either set credentials using the config files OR programatically using
  
  IDictionary channelProperties;
  channelProperties = ChannelServices.GetChannelSinkProperties(proxy);
  channelProperties ["credentials"] = CredentialCache.DefaultCredentials;
  
  In fact you need both.
  
  So that's fine, works OK, we have two distinct servers communicating. Thats fine with a virtual server, however when we've setup a new web app on the server using a host header name, the default credentials are no longer passed, instead this is showing up in our test app, not the logged in user
  
  WindowsIdentity: IsAuthenticated=True, AuthenticationType=NTLM, Name=NT AUTHORITY\NETWORK SERVICE
  
  or on another box
  
  WindowsIdentity: IsAuthenticated=True, AuthenticationType=NTLM, Name=DOMAIN\SERVERNAME$
  
  There's an article describing this behaviour below, we've added the SPN name for both HOST and HTTP and still no joy
  
   http://support.microsoft.com/default.aspx scid=kb;en-us;326985&sd=tech
  
  Also just for good measure, in Active Directory, full delegation is set for both machines
  
  Any ideas
  
  

• glenna

  Yes it is, in the end it was to do with the SPN setup - when we did this on clean boxes it worked.
  
  
  

• dklayman

  SO is this issue resolved now
  
  

• HockeyNut

  On the same box there is no delegation.
  
  This scenario is client IE > IIS Web Server > IIS Web Server (Remoting Host) > SQL Server
  
  With delegation needed between the two IIS servers and the remoting server and SQL Server. Kerberos is needed for sure here.
  
  At the expense of connection pooling, we want full user auditing in SQL Server hence the need for inetgrated security.
  
  
  

• friendfrog

  Could you send me a small repro
  

• rhj4

  1. The NETWORKSERVICE is a special account
  It acts like a low privileged used on the computer [MACHINE\NETWORKSERVICE] and a COMPUTER on the network [DOMAIN\COMPUTERNAME]. This is exactly
  what is happening as I understood.
  2. Logged in user is different. This can be the intereactive user.
  4. When an ASP Page runs it runs as 
     NETWORKSERVICE in Windows 2003 when you are not impersonating
     The actual user who is requesting 
        IUSE_MACHINENAME [When anonymous access is allowed]
        OR the person who is using the ASPX  [when anonymous access is not allowed] - after the authentication is successful
  
     If you use default credentials, that is what will be given to your 
     remoting app.
     
  5. So now you have an authentication issue. Your remoting app does not
  have access for the local NETWORKSERVICE account.
  
  

  
  
  
• Integrated security problem