User Authentication Issue: HTTP 401.1 Unauthorized

    Question

  • Hi,

     

    We have recently migrated an ASP.NET / SSRS system from a deployment on a single server (database and web) to an environment with a new domain and two servers (one database and one web).

     

    WebServer01

    - Windows Server 2003 R2 SP2

    - IIS 6.0

    - ASP.NET 2.0

    - Custom ASP.NET application which makes web service calls to SSRS.

    - Application Pool running as NT Authority\Network Service

    - Integrated Security Only

    - NTAuthenticationProviders set to "NTLM"

    - "Trust this computer for delegation to any service (Kerberos only)" is on

    - Host Header Value set for web site containing custom web application

     

    DatabaseServer01

    - Windows Server 2003 R2 SP2

    - SQL Server 2005 Standard Edition SP2

    - SQL Server Reporting Services

    - SSRS Application Pool running as custom identity (domain\sql)

    - Reporting Services Databases

    - Custom Databases

    - NTAuthenticationProviders set to "NTLM"

    - "Trust this computer for delegation to any service (Kerberos only)" is on

     

    When I am logged on to WebServer01, all aspects of the custom web site and the Reporting Services web service calls function. That is, navigating the custom web application and the SSRS Report Manager work without problem.

     

    However, when I am on a client machine (in my case the Citrix server, but the issue is also confirmed on client machines running Windows XP), the custom web application is accessible via the host header, but the page which calls the SSRS web service throws the error below. It should be noted that accessing the Report Manager site from the client directly also works.

     

    Error:

    The request failed with HTTP status 401: Unauthorized

     

    Stack: 

    at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at .ReportService.ReportingService.ListChildren(String Item, Boolean Recursive)
       at ..Page_Load(Object sender, EventArgs e)
       at System.Web.UI.Control.OnLoad(EventArgs e)
       at System.Web.UI.Control.LoadRecursive()
       at System.Web.UI.Control.LoadRecursive()
       at System.Web.UI.Control.LoadRecursive()
       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

     

    Web Site (W3SVC1) Log:

    #Software: Microsoft Internet Information Services 6.0
    #Version: 1.0
    #Date: 2008-07-15 00:40:35
    #Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
    2008-07-15 00:40:35 W3SVC1 POST /ReportServer/ReportService.asmx - 80 -  Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1433) 401 2 2148074254
    2008-07-15 00:40:35 W3SVC1 POST /ReportServer/ReportService.asmx - 80 - Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1433) 401 1 0
    2008-07-15 00:40:35 W3SVC1 POST /ReportServer/ReportService.asmx - 80 - Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1433) 401 1

     

    So the issue appears to be with the passing of the credentials from the client to WebServer01 and then on to DatabaseServer01. Is it a "simple" case of having to have the Application Pool running as a domain account instead of "NT Authority\Network Service" on WebServer01?

     

    Related/Similar resources:

    Code Snippet

    ' Proxy class generated from the SSRS 2005 SOAP endpoint (ReportService2005.asmx)
    Dim rService As New ReportingService2005()

    ' Send the credentials of the current Windows identity: the application pool
    ' account, or the impersonated caller when ASP.NET impersonation is enabled.
    rService.UseDefaultCredentials = True

    ' List every catalog item under the root folder, recursing into subfolders.
    Dim catalogItems As CatalogItem()
    catalogItems = rService.ListChildren("/", True)

     

     

     

    Any thoughts or suggestions?

     

    Thanks for taking the time to assist.

     

    Cheers

    Tim

    Tuesday, July 15, 2008 12:53 AM
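The three trailing columns of the IIS 6 log in the post above are sc-status, sc-substatus and sc-win32-status, so `401 2 2148074254` is a 401.2 (the server's initial challenge; the win32 value is 0x8009030E, SEC_E_NO_CREDENTIALS, meaning the request carried no Authorization header yet) and the following `401 1 0` is a 401.1 (logon failed on the credentials the client then sent). Because this log is on the SSRS server, the "client" is WebServer01, and a 401.1 there means the middle tier presented credentials that could not be accepted. The following PowerShell decodes that handshake from a W3C log. It is an added example, not code from the original post; the log lines inside it are constructed to match the thread's format with made-up IP addresses, and the `DOMAIN\tim` user name on the successful line is an assumption.

```powershell
# Added example (editor's, not from the original post): decode the NTLM/Negotiate
# handshake recorded in an IIS 6 W3C log. The sample below is constructed; IPs and
# the user name DOMAIN\tim are invented, the format follows the thread's log.
$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-07-15 00:40:35
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-07-15 00:40:35 W3SVC1 10.0.0.20 POST /ReportServer/ReportService.asmx - 80 - 10.0.0.10 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1433) 401 2 2148074254
2008-07-15 00:40:35 W3SVC1 10.0.0.20 POST /ReportServer/ReportService.asmx - 80 - 10.0.0.10 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1433) 401 1 0
2008-07-17 07:51:26 W3SVC1 10.0.0.20 POST /ReportServer/ReportService.asmx - 80 - 10.0.0.10 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1433) 401 2 2148074254
2008-07-17 07:51:59 W3SVC1 10.0.0.20 POST /ReportServer/ReportService.asmx - 80 DOMAIN\tim 10.0.0.10 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1433) 200 0 0
'@

# SSPI status values that show up in sc-win32-status during a challenge (from winerror.h).
$sspiCodes = @{
    2148074254 = 'SEC_E_NO_CREDENTIALS (0x8009030E): no Authorization header yet, server sent its challenge'
    2148074252 = 'SEC_E_LOGON_DENIED (0x8009030C): credentials were presented but rejected'
}

function Get-Win32StatusText {
    param([string]$Code)
    $n = [int64]$Code
    if ($sspiCodes.ContainsKey($n)) { return "$Code = $($sspiCodes[$n])" }
    if ($n -eq 0) { return '0 (no SSPI error reported)' }
    return ('{0} (0x{1:X8}, not in table)' -f $Code, $n)
}

function ConvertFrom-W3CLog {
    # Turns W3C extended log lines into objects named by the #Fields directive.
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if ($line -match '^#' -or $line.Trim() -eq '') { continue }
        $tokens = $line.Trim() -split '\s+'
        if ($fields.Count -eq 0 -or $tokens.Count -ne $fields.Count) {
            Write-Warning "Skipping line with $($tokens.Count) tokens (expected $($fields.Count)): $line"
            continue
        }
        $entry = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $tokens[$i] }
        New-Object PSObject -Property $entry
    }
}

function Get-AuthHandshakes {
    # Pairs each 401.2 challenge with the next request from the same client for the
    # same URI and reports whether that second request authenticated.
    param([string[]]$Lines)
    $pending = @{}
    foreach ($e in (ConvertFrom-W3CLog -Lines $Lines)) {
        $key    = "$($e.'c-ip') $($e.'cs-uri-stem')"
        $status = "$($e.'sc-status').$($e.'sc-substatus')"
        if ($status -eq '401.2') { $pending[$key] = $e; continue }
        if (-not $pending.ContainsKey($key)) { continue }
        $challenge = $pending[$key]
        $pending.Remove($key)
        $verdict = switch ($status) {
            '200.0' { "OK: authenticated as $($e.'cs-username')" }
            '401.1' { 'FAIL: logon failed on the presented credentials; on a middle tier this is the double-hop symptom (NTLM, or a ticket that is not forwardable, cannot be delegated)' }
            default { "Other: $status" }
        }
        New-Object PSObject -Property @{
            Time      = "$($e.date) $($e.time)"
            Client    = $e.'c-ip'
            Uri       = $e.'cs-uri-stem'
            Challenge = Get-Win32StatusText $challenge.'sc-win32-status'
            Verdict   = $verdict
        }
    }
}

Get-AuthHandshakes -Lines ($sampleLog -split "`r?`n") |
    Select-Object Time, Client, Uri, Challenge, Verdict | Format-List
```

To run it against a real log, replace `$sampleLog -split ...` with `Get-Content` on the SSRS server's site log (by default under `%SystemRoot%\system32\LogFiles\W3SVC1\`, an assumed location) and look for handshakes whose client is the web server and whose verdict is a 401.1: a 200 with a populated cs-username, as in the answer's later log, is what a working delegated call looks like.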

Answers

  • Wow, what an interesting past 2 weeks. The response to my post has been overwhelming!!!   I have learnt a significant amount and been quite frustrated at times. To say that everything is now fine would not be accurate however this is a good point to post my findings. Double-hop Kerberos authentication is the primary issue.


    To get this working in our test environment the following occurred (in no specific order):

    • Removed the NTAuthenticationProviders value of "NTLM" which then meant that the default value of "Negotiate,NTLM" is used.
    • Created a domain user account to run the services as
      • ran aspnet_regiis.exe -ga domain\account to grant ASP.NET permissions to the new account
      • updated the application pool to use the new domain account
      • created Service Principal Names (SPNs) for the domain account
      • enabled the user account to be trusted for delegation
    • Restarted the servers

    It should be noted that the order of events is specific in some instances. That is, you must specify the SPNs for the domain account before you can enable the account to be trusted for delegation. The tab doesn't appear until you have.

     

    SPNs

    SPNs were required for the web server, host header and SQL. The NetBIOS and Fully Qualified Domain Name (FQDN) of each were added, e.g.:

    • setspn.exe -A http/WebServer01 domain\account (NetBIOS)
    • setspn.exe -A http/WebServer01.domain domain\account (FQDN)
    • setspn.exe -A http/hostheader domain\account (NetBIOS)
    • setspn.exe -A http/hostheader.domain domain\account (FQDN)
    • setspn.exe -A http/DatabaseServer01 domain\sql (NetBIOS)
    • setspn.exe -A http/DatabaseServer01.domain domain\sql (FQDN)

    setspn.exe is not automatically installed when you install Windows Server 2003. To install the Windows Support Tools on a computer that is running Windows Server 2003, run the Suptools.msi program that is in the Support\Tools folder on the Windows Server 2003 SP1 CD.

     

    Web Site (W3SVC1) Log:

    How the site log (on DatabaseServer01 - SSRS) looks when everything is working:

     

    #Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status

    2008-07-17 07:51:26 W3SVC1 <ip> POST /ReportServer/ReportService.asmx - 80 - <ip> Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1433) 401 2 2148074254

    2008-07-17 07:51:59 W3SVC1 <ip> POST /ReportServer/ReportService.asmx - 80 <domain\impersonated user> <ip> Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1433) 200 0 0


    References:

    NTAuthenticationProviders Metabase Property (IIS 6.0)
    http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/ea7cd846-33da-49c9-927f-d4e76d6309ac.mspx
     
    How To: Create a Service Account for an ASP.NET 2.0 Application
    http://msdn.microsoft.com/en-us/library/ms998297.aspx

     

    Setspn Overview

    http://technet2.microsoft.com/windowsserver/en/library/b3a029a1-7ff0-4f6f-87d2-f2e70294a5761033.mspx?mfr=true

     

    How it Works: SQL Server Reporting Services and Dynamics CRM

    http://blogs.msdn.com/crm/archive/2008/07/18/how-it-works-sql-server-reporting-services-and-dynamics-crm.aspx

     

    Microsoft CRM 3.0: Additional Setup Tasks Required if Reporting Services Is Installed on Different Server

    http://www.microsoft.com/downloads/details.aspx?FamilyID=51bf9f20-bd00-4759-8378-b38eefda7b99&displaylang=en

     

    How to understand, implement, and troubleshoot Kerberos double-hop authentication

    http://support.microsoft.com/servicedesks/webcasts/seminar/shared/asp/view.asp?url=/servicedesks/webcasts/en/WC102704/manifest.xml

     

    There are still some issues on the live environment so I will post again when they are resolved.

    Thursday, July 24, 2008 11:53 PM
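The procedure in the answer above, as an added PowerShell example (editor's, not the poster's). It registers the same http/ SPNs with setspn.exe, but first queries the directory for an existing owner, because the Windows Server 2003 Support Tools version of setspn -A does not refuse duplicates, and a duplicate SPN makes the KDC unable to issue a ticket, so the client silently falls back to NTLM, which cannot be delegated and produces exactly the 401.1 seen in the thread. It then sets constrained delegation (msDS-AllowedToDelegateTo, Windows Server 2003 domain functional level or higher) to the SSRS SPNs only, rather than "trust for delegation to any service", which would let a compromised web tier impersonate every user to every service in the domain. Names are assumptions: DOMAIN\svc_asp stands for the thread's domain\account, domain.local for the AD DNS name; the host names follow the thread.

```powershell
# Added example (editor's, not from the original post). Assumed names:
# DOMAIN\svc_asp runs the ASP.NET application pool on WebServer01 (the thread's "domain\account"),
# DOMAIN\sql runs the SSRS application pool on DatabaseServer01, hostheader is the site's host
# header and domain.local is the AD DNS name. Run on a domain member as a user allowed to
# write servicePrincipalName and msDS-AllowedToDelegateTo.
$domain      = 'domain.local'
$appPoolUser = 'DOMAIN\svc_asp'
$ssrsUser    = 'DOMAIN\sql'
$webHosts    = @('WebServer01', 'hostheader')   # names clients use to reach WebServer01
$ssrsHosts   = @('DatabaseServer01')            # name WebServer01 uses in the SSRS URL

function Get-SpnOwners {
    # Every account that already holds the SPN. More than zero before adding means a
    # duplicate; more than one means Kerberos for that service is already broken.
    param([string]$Spn)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(servicePrincipalName=$Spn)"
    $searcher.PropertiesToLoad.Add('sAMAccountName') | Out-Null
    foreach ($r in $searcher.FindAll()) { $r.Properties['samaccountname'][0] }
}

function Register-HttpSpn {
    # Adds http/<host> and http/<host>.<domain> to the account, as the answer did,
    # refusing to create a duplicate.
    param([string]$Account, [string]$HostName)
    foreach ($name in @($HostName, "$HostName.$domain")) {
        $spn    = "http/$name"
        $owners = @(Get-SpnOwners $spn)
        if ($owners.Count -gt 0) {
            Write-Warning "$spn already registered to: $($owners -join ', '); not adding"
            continue
        }
        & setspn.exe -A $spn $Account
    }
}

function Set-ConstrainedDelegation {
    # Writes the target list behind "Trust this user for delegation to specified services
    # only / Use Kerberos only" instead of unconstrained delegation to any service.
    param([string]$SamAccountName, [string[]]$TargetSpns)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=user)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "Account $SamAccountName not found" }
    $entry = $result.GetDirectoryEntry()
    $entry.Properties['msDS-AllowedToDelegateTo'].Clear()
    foreach ($t in $TargetSpns) { $entry.Properties['msDS-AllowedToDelegateTo'].Add($t) | Out-Null }
    $entry.CommitChanges()
}

foreach ($h in $webHosts)  { Register-HttpSpn -Account $appPoolUser -HostName $h }
foreach ($h in $ssrsHosts) { Register-HttpSpn -Account $ssrsUser    -HostName $h }

# Show what the directory now holds for each account (the -L switch exists in the 2003 tool).
& setspn.exe -L $appPoolUser
& setspn.exe -L $ssrsUser

# The web tier may delegate only to the SSRS service, not to every service in the domain.
$ssrsSpns = @()
foreach ($h in $ssrsHosts) { $ssrsSpns += "http/$h"; $ssrsSpns += "http/$h.$domain" }
Set-ConstrainedDelegation -SamAccountName 'svc_asp' -TargetSpns $ssrsSpns
```

Two points a practitioner should check alongside this: NTAuthenticationProviders must include Negotiate on both servers (the thread's NTLM-only setting rules out Kerberos and therefore any delegation), and the SPNs must be registered on the account that actually runs the application pool, which is why the answer moved from Network Service to a domain account once a host header was in play.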
