Integrated security problem
Hi
I have two virtual webs on my win2K3 server. WebApp and WebServ, the latter is hosting a remoted object and the former is calling it.
With anonymouse access turned on everything is fine. However I want Integrated Security instead with no anon access, but with this option I get the error:
The underlying connection was closed: The request was canceled.
I've followed what I believe are the neccessary steps outlined in the following Kb article, specifically the items needed in each web.config
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch11.asp
Am I missing something else?
Thanks for any help
WebServ config
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<authentication mode="Windows" />
<identity impersonate="true" />
</system.web>
<system.runtime.remoting>
<application>
<service>
<wellknown
mode="SingleCall"
type="TalentDesk.RemoteServices.UserService,
TalentDesk.RemoteServices"
objectUri="UserService.rem" />
</service>
<channels>
<channel
name="TheChannel"
priority="100"
ref="http" />
</channels>
</application>
</system.runtime.remoting>
</configuration>
WebApp config<configuration>
<system.runtime.remoting>
<application>
<client url="http://localhost/TestRemotingWebServ">
<wellknown
type="TalentDesk.Domain.ServiceInterfaces.IRemoteUserService,
TalentDesk.Domain"
url="http://localhost//TestRemotingWebServ/UserService.rem" />
</client>
<channel ref="http"
useDefaultCredentials="true" />
</application>
</system.runtime.remoting>
<system.web>
<compilation defaultLanguage="c#" debug="true" />
<authentication mode="Windows" />
<identity impersonate="true" />
<authorization>
<allow users="*" /> <!-- Allow all users -->
<!-- <allow users="[comma separated list of users]"
roles="[comma separated list of roles]"/>
<deny users="[comma separated list of users]"
roles="[comma separated list of roles]"/>
-->
</authorization>
</system.web>
</configuration>
I managed to get past this part - the msdn article is slightly confusing in that it suggests you can either set credentials using the config files OR programatically using
IDictionary channelProperties;
channelProperties = ChannelServices.GetChannelSinkProperties(proxy);
channelProperties ["credentials"] = CredentialCache.DefaultCredentials;
In fact you need both.
So that's fine, works OK, we have two distinct servers communicating. Thats fine with a virtual server, however when we've setup a new web app on the server using a host header name, the default credentials are no longer passed, instead this is showing up in our test app, not the logged in user
WindowsIdentity: IsAuthenticated=True, AuthenticationType=NTLM, Name=NT AUTHORITY\NETWORK SERVICE
or on another box
WindowsIdentity: IsAuthenticated=True, AuthenticationType=NTLM, Name=DOMAIN\SERVERNAME$
There's an article describing this behaviour below, we've added the SPN name for both HOST and HTTP and still no joy
http://support.microsoft.com/default.aspx?scid=kb;en-us;326985&sd=tech
Also just for good measure, in Active Directory, full delegation is set for both machines
Any ideas?
1. The NETWORKSERVICE is a special account
It acts like a low privileged used on the computer [MACHINE\NETWORKSERVICE] and a COMPUTER on the network [DOMAIN\COMPUTERNAME]. This is exactly
what is happening as I understood.
2. Logged in user is different. This can be the intereactive user.
4. When an ASP Page runs it runs as
NETWORKSERVICE in Windows 2003 when you are not impersonating
The actual user who is requesting
IUSE_MACHINENAME [When anonymous access is allowed]
OR the person who is using the ASPX [when anonymous access is not allowed] - after the authentication is successful
If you use default credentials, that is what will be given to your
remoting app.
5. So now you have an authentication issue. Your remoting app does not
have access for the local NETWORKSERVICE account.
In fact we traced it down to the browser to web app authentication by turning on Kerberos event logging, and it was obvious, when using a host header, NTLM was being used, when a virtual server, Kerberos was being used. Kereberos delegation wont work with NTLM
We had a further investigation on clean boxes, and it was in the end SPN setup.
Our remoting app did have access for the NETWORKSERVICE account, it just couldnt do anything with it, such as logon to SQL Server.
On the same box there is no delegation.
This scenario is client IE > IIS Web Server > IIS Web Server (Remoting Host) > SQL Server
With delegation needed between the two IIS servers and the remoting server and SQL Server. Kerberos is needed for sure here.
At the expense of connection pooling, we want full user auditing in SQL Server hence the need for inetgrated security.
