strange IIS authorization issue for administrator

Question

Hello everyone,

I am using VSTS 2008 + C# + .Net 3.5 + IIS 6.0 + Windows Server 2003 Enterprise x64 SP2 + ASP.Net. I am using anynomous authentication + Windows authentication mode in IIS web site, and I map the user identity to mycorp\george in anynomous account and also use mycorp/george to run IIS worker process. I have also added mycorp\george to administrator group of the IIS web server machine. "mycorp" is the (Windows Active Directory) domain name my department is using.

I always got unauthorized error (401) when accessing the web site from another computer using account mycorp\george (but no error when accessing web site from local computer to access web site.) The web site is a share point web site using Share Point Service 3.0.

I have also used IIS authentication and authorization tool to do diagnoistics, here is the tool I am using http://www.microsoft.com/downloads/details.aspx?familyid=63AAF167-2138-4231-B6ED-56298044BD3B&displaylang=en

This tool reports similar authentication and authorization issue,

mycorp\george account does not have Access this computer from the network privilege Path:W3SVC/1670937635/ROOT AuthType:Anonymous Server's response: HTTP/1.1 401 Access denied Learn about IIS status codes Path:W3SVC/1670937635/ROOT AuthType:Anonymous

Any ideas what is wrong? I think for administrator account like mycorp\george, the account should have no privilege (authentication and authorization) limitation issues.

thanks in advance, George

Answer 1

There are multiple possible issues:

1. How Is the Remote Access to a Local Account Configured.

Is the system in a domain or workgroup? If in a workgroup, unless you change it, all remote access by administrator accounts is disabled (they are treated as guests).

You can change this in local security policy:

• Run secpol.msc from Start | Run
• Go to Local Policies | Security Options
• Select setting "Network access: Sharing and security model for local accounts"
• Ensure this is set to "Classic: Local users authenticate as themselves."

(The explanation tab gives more details.)

While in secpol also check that you are auditting account logins.

2. ISS Authentication Settings

What are the authentication settings for the virtual directory? Is anonymous access enabled? Is Windows Authentication enabled?

If you are auditting account login events, check the security event log to see the logins that should have happened if the user was authenticated.

3. What are the permissions on the file system

Does the remote user (for Windows Authentication) or the Worker Process identity (for anonymous) have read access to the file system objects?

Use Process Monitor to see if the files are being accessed (or attempts made to access them), this should help see if it is IIS generating the unauthorized error internally or use to an access denied from the file system.

4. Go back to the error

HTTP/1.1 401 Access denied Learn about IIS status codes Path:W3SVC/1670937635/ROOT AuthType:Anonymous

This seems to be saying that the client is not being authorised as their Windows account. This seems to be the area to focus on. Do you get the same if the client browser is running on the server box, how about a different box, how about a different browser? Is IE configured for the applicable zone to allow Windows authentication?

Answer 2

• Do you have duplicate SP's (service principal names) registers in AD?
• Do you have delegation turned on. The reason I was thinking this could be a issue, is that you see it manifest as 404, because the moment the ticket gets okayed at your DC (domain controller) if you dont have delegation turned on, and a service principal registers it invalidates the ticket, hence the 404.

If you think it could be related to this, I can expand a bit more on how to track this down. If you have a secure environment, this might be the issue?

Best Regards Rihan Meij

Answer 3

If you don't feel like reading the ramblings of a developer that was a network administrator and feel that security should be part of the solution, and not a after thought skip to the end section.

There is a couple of quick things I would check, and I found similiar issues while working with Microsoft CRM. What both these products share is integrated authentication. I agree with you 100% it is not a permission problem, but perhaps it is a authentication problem.

I just want to get a couple of facts straight, if these assumptions is incorrect, I am probably way of the mark.

1. You application pool is running under network service
2. You need active directory authentication to make the website work
3. You are accessing a resource that is on a remote machine. (If you are accessing a web service on the same machine but running under a different application pool, this counts for a remote machine)
4. You have tried using things like the SQL authentication, but your application that you are using is NOT happy about this, and refuses to work?

In sequence what I think is happening.

1. Client (Browser) makes a request to IIS over stock standard http, using the default anonymouse credentials.
2. The server sends back a 404 and chalenge response, in short the way I understand it, "go away until you can give me a proper authentication token, or I think of it as a key"
3. The browser gives up, and passes the "key" that it got from the browsers LSASS service (some very complex talking and negotioating with some domain controler to get to this)
4. The server receives the new request with a key, it then passes this key to a domain controller and asks, if they key is valid, and should be able to do all the things it must do (ntfs permissions all those good things)
5. Up until this point everthing is peachy and works great, but then the snag comes in.
6. In order to render the html for the page, the server needs some remote resouces (database, webservice what ever) but the remote resouces is also setup to use integrated authentication and demand a valid "key"
7. However at this point this process is running on the server under the credentials of the network service, and providing the network service credentials to the "remote" machine where the stuff is that you need to complete the process will result in permission denied, because when the network service credential goes over the wire, it becomes the machine account, so even if we did give the machine account access to the resouce it is still not what you want.
8. So what you can do is turn impersonation on in the web.config

Perhaps at this time I should stop, because I am basing this on way to much assumption.

Quick test

A quick way to test all of this stuff I just typed is, change the credentials your app pool is running to your domain user name password, that you know have access. This is just in order to test my hypothesis. If this works, I might be on the right track, but lets first see, so I don't waste your time.