Can't access virtual share on another server with Windows Authentication

I have a Win2003 web server WEBSERVER and a Windows 2000 file server FILESERVER. I created a test folder on the file server and Everyone has access to it; it can be accessed by the path \\fileserver\e\test. All users can access this folder OK.

On the web server I created a virtual directory that points to that share. If I check Enable Anonymous Access under Directory Security, anyone can go to http://webserver/test and access the folder OK. But... if I uncheck that and have only Windows Integrated Authentication checked, then no one can access that folder on the website. They get the 403.1 "Access is denied due to an ACL set on the requested resource" message.

With Windows authentication turned on, I ran Filemon on the web server and it shows the user attempting to access the file and getting 'Access Denied'.

I ran Filemon on the file server and it never shows the user trying to open the file.

Is there a setting I missed? Seems like it should be a fairly easy setup. I want users to authenticate to the shares so I can limit some users from accessing the files.
FubarOptikAsked:

FubarOptikAuthor Commented:
Forgot to mention: I also tried checking only "Digest authentication for Windows domain servers".

Also, if I check Enable Anonymous Access and change the default anonymous account to one of the users I previously tried, they get in fine, so I know there isn't anything wrong with the users/passwords.
Dave_DietzCommented:
Did you trust the server for delegation in Active Directory?

Using Integrated auth would involve Kerberos to delegate the users' credentials to the fileserver - won't work if the web server isn't trusted for delegation.  

NTLM won't work in this situation at all and neither will Digest, since neither can be used for delegation.

Basic would work just fine.

Not sure why Anonymous works unless you have changed your Anonymous account to a domain account.

Dave Dietz

FubarOptikAuthor Commented:
Both are set to trust for delegation

I did some investigating and found some kerberos errors in the system event log on webserver. All of them look like the following:

A Kerberos Error Message was received:
         on logon session
 Client Time:
 Server Time: 18:12:40.0000 7/7/2005 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Extended Error: 0xc00000bb KLIN(0)
 Client Realm:
 Client Name:
 Server Realm: COMPANY.LOCAL
 Server Name: host/webserver.company.local
 Target Name: host/webserver.company.local@COMPANY.LOCAL
 Error Text:
 File: 9
 Line: ab8
 Error Data is in record data.

In the security log, 99% of the logon events are authenticating successfully by Kerberos, but a few are by NTLM.
I ran klist tickets and all looked OK except for these two; the renew time is from 2 days ago, while all the rest of the tickets have a renew time of 7/12/05:

   Server: cifs/filrserver@COMPANY.LOCAL
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 7/1/2005 18:11:23
      Renew Time: 7/5/2005 11:19:48

   Server: host/webserver.company.local@COMPANY.LOCAL
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 6/28/2005 21:19:48
      Renew Time: 7/5/2005 11:19:48

From what I've read, I'm guessing that some of the tickets are not renewing, and since it cannot renew by Kerberos it's failing?

I also turned on full Kerberos debugging, and lsass.log had the following from when I tried to access the website with 3 failed attempts:

548.4624> Kerb-Trace: KerbCreateTokenFromTicket for COMPANY\WEBSERVER$, (null)
548.4624> Kerb-LSess: KerbCreateLogonSessionFromTicket NOT creating ASC logon session for 0:0xb630819, accepting 0:0x3e7
548.5704> Kerb-Trace: SpAcceptLsaModeContext called KerbMapContext ContextAttributes 0x5, 0
548.740> Kerb-S4u: KerbCreateDummyLogonSession created logon session for 0x0:0xb638313 - 0564D9D8
548.740> Kerb-Cred: Acquiring cred, S4U required
548.740> Kerb-S4u: Trying S4UProxy for ls 0564D9D8
548.740> Kerb-Bnd: KerbInsertBinding binding cache disabled
548.740> Kerb-S4u: KerbGetS4UProxyEvidence created non-delegatable logon session via s4u logon
548.4368> Kerb-Bnd: KerbInsertBinding binding cache disabled
548.740> Kerb-Error: Failed to get S4UProxy Evidence ticket 8009030e
548.4368> Kerb-Warn: KerbGetTgsTicket failed to unpack KDC reply: 0x3c
548.4368> KSupp-Warning: KerbUnpackData failed to unpack typed data, trying error method data
548.4368> KSupp-Error: KerbUnpackErrorData received failure from kdc 0xd KLIN(0) NTSTATUS(0xc00000bb)
548.4368> Kerb-Warn: Failed S4Uproxy request c00000bb(4)
548.740> Kerb-S4u: KerbCreateDummyLogonSession created logon session for 0x0:0xb63836b - 0564D9D8
548.740> Kerb-Cred: Cant go off box w/ non-fwdble logon session & no supp creds
548.740> Kerb-Cred: Cant go off box w/ non-fwdble logon session & no supp creds
548.740> Kerb-S4u: KerbCreateDummyLogonSession created logon session for 0x0:0xb63844d - 0564D9D8
548.740> Kerb-Cred: Cant go off box w/ non-fwdble logon session & no supp creds
548.740> Kerb-Cred: Cant go off box w/ non-fwdble logon session & no supp creds
548.740> Kerb-S4u: KerbCreateDummyLogonSession created logon session for 0x0:0xb638475 - 0564D9D8
548.740> Kerb-Cred: Cant go off box w/ non-fwdble logon session & no supp creds
548.740> Kerb-Cred: Cant go off box w/ non-fwdble logon session & no supp creds

Any additional help is appreciated.
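The klist and lsass.log output pasted above carries the indicators of a broken double hop (the web server holds a non-forwardable logon session for the user, asks the KDC for an S4U proxy ticket and gets KDC_ERR_BADOPTION back), which is a delegation problem rather than a wrong password. The following Python script is an added example, not code from this thread or from Microsoft: it parses klist-style ticket listings and lsass trace lines of the shape shown above and prints a triage verdict. The sample text embedded in it is constructed to mirror the poster's output (the `ldap/dc1.company.local` ticket and the reference time are assumptions), and the indicator patterns are the literal strings visible in the thread.

```python
"""Triage helper for an IIS -> file-server double-hop failure (added example)."""
import re
from datetime import datetime

# Constructed sample: same layout as the `klist tickets` output in the thread.
KLIST_SAMPLE = """\
   Server: cifs/filrserver@COMPANY.LOCAL
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 7/1/2005 18:11:23
      Renew Time: 7/5/2005 11:19:48

   Server: host/webserver.company.local@COMPANY.LOCAL
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 6/28/2005 21:19:48
      Renew Time: 7/5/2005 11:19:48

   Server: ldap/dc1.company.local@COMPANY.LOCAL
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 7/8/2005 04:12:40
      Renew Time: 7/12/2005 11:19:48
"""

# Constructed sample: a subset of the lsass.log trace lines from the thread.
LSASS_SAMPLE = """\
548.740> Kerb-S4u: Trying S4UProxy for ls 0564D9D8
548.740> Kerb-Error: Failed to get S4UProxy Evidence ticket 8009030e
548.4368> KSupp-Error: KerbUnpackErrorData received failure from kdc 0xd KLIN(0) NTSTATUS(0xc00000bb)
548.740> Kerb-Cred: Cant go off box w/ non-fwdble logon session & no supp creds
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"

# Trace fragments that together mean "the web server could not obtain a
# forwardable / proxy ticket for the user", i.e. delegation is not working.
DELEGATION_INDICATORS = {
    "s4u_proxy_failed": re.compile(r"Failed to get S4UProxy Evidence ticket"),
    "kdc_err_badoption": re.compile(r"received failure from kdc 0xd\b"),
    "non_forwardable_session": re.compile(r"non-fwdble logon session"),
}


def parse_klist(text):
    """Return one dict {server, end, renew} per cached ticket in klist output."""
    tickets, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            current = {"server": line.split(":", 1)[1].strip()}
            tickets.append(current)
        elif current is not None and line.startswith("End Time:"):
            current["end"] = datetime.strptime(line.split(":", 1)[1].strip(), TIME_FMT)
        elif current is not None and line.startswith("Renew Time:"):
            current["renew"] = datetime.strptime(line.split(":", 1)[1].strip(), TIME_FMT)
    return tickets


def expired_tickets(tickets, now):
    """Service principals whose cached ticket End Time is already in the past."""
    return [t["server"] for t in tickets if t["end"] < now]


def delegation_findings(lsass_text):
    """Map indicator name -> matching lsass trace lines."""
    found = {}
    for raw in lsass_text.splitlines():
        for name, pattern in DELEGATION_INDICATORS.items():
            if pattern.search(raw):
                found.setdefault(name, []).append(raw.strip())
    return found


def diagnose(klist_text, lsass_text, now):
    """Combine both sources into a list of human-readable verdict lines."""
    verdict = []
    findings = delegation_findings(lsass_text)
    if "non_forwardable_session" in findings or "s4u_proxy_failed" in findings:
        verdict.append("double-hop delegation failure: the web server holds a "
                       "non-forwardable logon session and the S4U proxy request failed")
    if "kdc_err_badoption" in findings:
        verdict.append("KDC_ERR_BADOPTION (0xd): check the web server's delegation "
                       "setting and the SPN of the target service (cifs/<fileserver>)")
    expired = expired_tickets(parse_klist(klist_text), now)
    if expired:
        verdict.append("expired cached tickets (will be re-requested, not the root "
                       "cause by themselves): " + ", ".join(expired))
    return verdict


if __name__ == "__main__":
    # Assumed reference time: the Server Time from the event-log entry above.
    for line in diagnose(KLIST_SAMPLE, LSASS_SAMPLE, datetime(2005, 7, 7, 18, 12, 40)):
        print("-", line)
```

Run it against a pasted klist listing and lsass.log excerpt from the web server; the verdict separates the delegation symptoms (which point at the trust-for-delegation and SPN configuration Dave mentions) from mere ticket expiry, which the poster was reading as the cause.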
FubarOptikAuthor Commented:
Before closing this can you move this to the Security > Windows Security Topic?  At this point that seems more like the correct location for this question.

Thanks
humeniukCommented:
FubarOptik,

At this point, the question would be far down the list in the Windows Security topic area if it were moved there.  I would recommend that you post a new question in WinSec so that you will be at the top of the list and the Experts will see the question.

Humeniuk
EE Cleanup Volunteer