I have an intranet ASP.NET web app that uses windows authentication. It's installed at dozens of different companies and normally the authentication works fine: users navigate to the site e.g. http://appserver/MyApp, the app recognizes who they're logged in as and displays pages accordingly. I just installed it at a new client and encountered a problem:
1) When connecting from the web server, e.g. http://localhost/MyApp I was prompted for windows credentials. After entering credentials I was authenticated and pages displayed as per normal, which includes showing who I'm logged in as and retrieving info from a database (db connection uses Identity of the App Pool to connect to the database, not identity of the user). However, it shouldn't prompt for credentials at all. IE was running with enhanced security configuration so I thought it might be that, but the site was recognized as in the Local Intranet zone (as shown in the status bar) and checking IE security settings for the Intranet zone 'Automatic logon only in Intranet zone' was selected: I'd have thought this would allow authentication without prompting.
2) The bigger problem is when connecting from a workstation, e.g. to http://appserver/MyApp, I'm also prompted for windows credentials but after entering them I'm repeatedly prompted. After several re-entering credentials I'm shown a 401 error page saying"401 - Unauthorized: Access is denied due to invalid credentials.". So not only is it not passing through my identity but even when entering the username & password it's still denying access.
Here's all the relevant information I can think of:
- The install process is a manual copy of files, creation of IIS App Pools & web apps, updating connection strings, etc.
- I checked the IE security settings from the workstation too. It was also recognizing the server as in the Intranet zone and had the option 'Automatic logon only in Intranet zone' selected. Also on Advanced Settings the 'Enable Integrated Windows Authentication' option was checked.
- The web server is running Windows Server 2008 R2. It didn't have IIS on it until I installed it today. I installed the default features as well as Windows Authentication, ASP.NET, and possibly a couple of other items. A separate WCF app I installed that uses IIS, anonymous authentication & .net 2.0 is working fine on that web server.
- After installing IIS I ran "aspnet_regiis -i" for .net 2.0 and "aspnet_regiis -iru" for .net 4.0.
- Anonymous authentication is disabled for my app and Windows Authentication enabled.
- The app is running on ASP.NET v4 but there's another app I installed experiencing the same issue running ASP.NET v2.
- The app is running with Identity = Network Service and in 32-bit mode.
- Network Service has Full Control file permissions to the app folder.
- In IIS > Authentication > Windows Authentication > Providers the list was Negotiate first then NTLM. Now I write this I realise I usually set NTLM above Negotiate having found it solved a problem at one client in the past... although I don't understand why.
- After encountering the problem I reopened the Providers window and noticed that Negotiate:Kerberos was also available. I added this and put it at the top of the list. When saving IIS told me I had to disable kernel-mode authentication for Negotiate:Kerberos to work so I did that too. After recycling the app pool this didn't solve the problem so I later removed the Negotiate:Kerberos.
- In the Windows Security Event Log there were a series of Microsoft Windows security auditing events: Logon and Logoff. They indicated that the Logon was successful - this is when I'm connecting from another workstation and receive a 401 Unauthorized after several attempts. The Logon event log information was as shown below. I see that it mentions Kerberos.
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: DBG\nymktdata3-g
Account Name: nymktdata3-g
Account Domain: DBG
Logon ID: 0x74cdc0
Logon GUID: {2235e786-30fd-8023-932b-95e053a9be0e}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name:
Source Network Address: 10.152.28.45
Source Port: 51785
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
- The Logon event saying it was successful seems odd, as if IIS is authenticating the user successfully but not telling my app!?
- The web server is on the same domain "DBG" as the workstation and the users although the server is in the UK and the workstations are in the USA. The fully-qualified domain names for the machines include ".uk.[top-domain].com" and ".us.[top-domain].com" ... I don't know enough about Active Directory to know any implications of this. The IT guys tell me the machines are on the same domain.
- Relevant sections of my web.config are as follows:
<authentication mode="Windows" /><authorization><deny users="?" /></authorization>
So far, from writing this post, the only thing I can think of to try is reordering the Authentication Providers to have NTLM at the top. Or I need to do something special to make Kerberos work. Any other suggestions?
many thanks,
Rory