r_i_x asked:

Windows Authentication not being passed to link target=_blank

I have a web app written with .NET 2.0 using Windows Auth and links to another web app that is .NET 1.0 (Reporting Services 2000) and using Windows Auth.

The first (2.0) has a link to the second (1.0) and I would have thought it would pass along the credentials, but when the link (target=_blank) is pressed, it asks for authentication.

If the app (1.0) is brought up individually, it works fine with the Windows Auth passed through and no logon required.

One thing of interest is that they are in separate application pools. They exist on the same server but require separate app pools to support 1.0 and 2.0.


Christopher Kile:

From

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr=true

I copied this:

By default, Active Directory allows the Network Service and Local System accounts to use Kerberos. If NtAuthenticationProviders is set to Negotiate,NTLM for an application pool, Kerberos works correctly with Network Service as the worker process identity, because this is the default worker process identity for IIS 6.0 in worker process isolation mode. However, suppose you isolate applications on a Web site by configuring each application to run in a separate application pool under a separate process identity that is a domain account. If you attempt to use Integrated Windows authentication with the isolated applications, because you want to use Kerberos authentication, Kerberos fails.

Unless Kerberos authentication is configured correctly, it fails with a 401.3 error in the following situations:

• The Fully Qualified Domain Name (FQDN) is different from the NetBIOS name. For example, the IIS server might host a Web site called www.sitea.com on a server named web01.

• The process—for example, Dllhost.exe or W3wp.exe—that is performing the underlying authentication runs under an identity other than System, and no SPN is registered for that identity.

• Applications are hosted across multiple servers that use the same computer name. Only one user can be registered per computer name.

• If all servers in a Web farm use one computer name, but load balancing distributes requests to multiple servers, and no server in the Web farm has a unique SPN.

For Kerberos authentication to work correctly, you must configure isolation at the site level, not at the application pool level. All application pools in your Web site that use Kerberos must run with the same application pool process identity. You must then register that process identity as an SPN with Kerberos by using the Setspn.exe command-line tool. The Setspn.exe tool is included in Resource Kit Tools for Windows Server 2003 Deployment Kit companion CD, or on the Web at http://www.microsoft.com/reskit. You must be a domain administrator to set an SPN. For more information about registering a service principal name by using Setspn.exe, see Configuring Constrained Delegation for Kerberos.

For more information about this limitation and using Setspn.exe, see Security-Related Changes in Authentication.

r_i_x (asker):
Ok, I have both application pools running as Network Service. So, what I have to do is set up another account and use the setspm to register that account?

I haven't been able to get the setspm.exe file even through the download or tools. Any thoughts on where else to look?

Christopher Kile:

That's setspn.exe, not setspm. And it (and other 32-bit support tools for Windows 2003 Server) can be downloaded at:

http://www.microsoft.com/downloads/details.aspx?familyid=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en

setspn.exe for Windows 2000 can be found at:

http://www.microsoft.com/downloads/details.aspx?FamilyID=5fd831fd-ab77-46a3-9cfe-ff01d29e5c46&displaylang=en

r_i_x (asker):

Got the setspn.exe. Thanks.

Now, am I correct that I need to create a new account (domain or local to that machine) and then use the setspn tool?

Christopher Kile:

I just connected that you are using NetworkService as your account on the application pools. Instead of setspn.exe, you need to set the metabase value NtAuthenticationProviders to Negotiate,NTLM. This article describes how to do this:

http://support.microsoft.com/kb/215383

This allows Kerberos to be bypassed, which is the behavior recommended in this case where NetworkService is used on all application pools.  Try it, and see if it helps.
r_i_x (asker):

No go. I set and checked it, restarted IIS but still requiring authentication.

Let's go back to square one:
Two web apps in different application pools on the same web site (Default Web Site). One web app is .net 1.1 and the other is .net 2.0. Default Web Site is .net 1.1.
ASKER CERTIFIED SOLUTION

Christopher Kile:
r_i_x (asker):

Posted in another place as recommended and I fixed it anyway... here's the explanation:

My post:
I have fixed it but don't understand why. Previously, the links were using the IP (eg http://10.10.50.10/reports) and now I've changed it to use the server name. All my troubles are now gone.

Explanation?

Dave_Dietz: If you use an address with 'dots' in it, IE will assume the resource is an *Internet* resource and will not send credentials automatically. If the URL doesn't contain any dots, such as a NetBIOS machine name, IE will automatically send credentials.

Christopher Kile:

Yikes! That's an interesting sort of problem. Yes, that's exactly the sort of thing I expected would pop out from the IIS guys. Glad I was able to finally direct you the right way (we certainly tried everything else :) ).
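The two rules that decided this thread, the dotted-host heuristic in Dave_Dietz's explanation and the "one SPN per name the site is reached by" requirement in the quoted TechNet text, can be turned into a quick audit of the links a page emits. The script below is an added example, not code from the thread or from Microsoft: it collects the anchors from a page, classifies each target host as an IP literal, a dotted FQDN or a plain NetBIOS name, flags the ones that would produce a logon prompt under the dotted-host rule, and lists the HTTP/<host> SPN each distinct name would need on the Kerberos path. The sample HTML is constructed; the host names are the ones that appear in the thread (10.10.50.10, www.sitea.com, web01).

```python
"""Audit the link targets of a page for the two issues raised in this thread:

  * IE's zone heuristic (Dave_Dietz's explanation): a host with dots in it,
    whether an IP literal or an FQDN, is treated as an Internet resource and
    Windows credentials are not sent automatically; a plain (dotless) NetBIOS
    name is treated as Intranet and credentials are sent.
  * The Kerberos side (quoted TechNet text): each name the site is reached by
    needs an SPN; the HTTP/<host> form is listed so an admin can compare it
    against the output of `setspn -L <account>`.

Constructed example; the sample HTML below is made up, not from the thread.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit


@dataclass
class LinkCheck:
    url: str
    host: str
    kind: str               # "ip", "fqdn" or "netbios"
    auto_credentials: bool  # True when IE would send credentials without prompting
    spn: str                # HTTP/<host>, the SPN a Kerberos logon to this name needs


def classify_host(host: str) -> str:
    """Return "ip" for an address literal, "fqdn" for a dotted name, else "netbios"."""
    try:
        ip_address(host)            # raises ValueError when host is not an address
        return "ip"
    except ValueError:
        return "fqdn" if "." in host else "netbios"


def check_link(url: str) -> LinkCheck:
    """Apply the dotted-host rule from the thread to one absolute http(s) URL."""
    host = (urlsplit(url).hostname or "").lower()
    kind = classify_host(host)
    # Only a dotless NetBIOS name falls in IE's default Intranet zone.
    return LinkCheck(url, host, kind, auto_credentials=(kind == "netbios"),
                     spn=f"HTTP/{host}")


class _AnchorCollector(HTMLParser):
    """Minimal <a href> collector; enough for a generated ASP.NET page."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def audit_page(html: str) -> list[LinkCheck]:
    """Check every absolute http/https link; relative links stay on the same host."""
    collector = _AnchorCollector()
    collector.feed(html)
    return [check_link(h) for h in collector.hrefs
            if urlsplit(h).scheme in ("http", "https")]


def prompting_links(html: str) -> list[LinkCheck]:
    """Links that will produce a logon prompt under the rule quoted in the thread."""
    return [c for c in audit_page(html) if not c.auto_credentials]


# Constructed sample page: the IP-based link is the shape that failed for the
# asker, the NetBIOS link is the shape that fixed it.
SAMPLE_HTML = """
<a href="http://10.10.50.10/reports" target="_blank">Reports (by IP)</a>
<a href="http://www.sitea.com/reports" target="_blank">Reports (by FQDN)</a>
<a href="http://web01/reports" target="_blank">Reports (by NetBIOS name)</a>
<a href="/app/page.aspx">Same-site relative link</a>
<a href="mailto:ops@sitea.com">Mail</a>
"""

if __name__ == "__main__":
    for c in audit_page(SAMPLE_HTML):
        status = "credentials sent" if c.auto_credentials else "WILL PROMPT"
        print(f"{c.kind:8} {c.host:18} {status:16} {c.spn}")
```

Run it against the rendered HTML of the 2.0 app (saved from a browser, or the output of a request to the page) and every line marked WILL PROMPT is a link that the default IE zone rules will not send Windows credentials to; the SPN column is what the Kerberos path would need registered for the pool identity if the dotted name is kept instead of switching to the server name.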