User Authentication Issue: HTTP 401.1 Unauthorized
Tuesday, July 15, 2008 12:53 AM
Hi,
We have recently migrated an ASP.NET / SSRS system that was deployed on a single server (database and web) to an environment with a new domain and two servers (one database and one web).
WebServer01
- Windows Server 2003 R2 SP2
- IIS 6.0
- ASP.NET 2.0
- Custom ASP.NET Application which makes web service calls to ssrs.
- Application Pool running as NT Authority\Network Service
- Integrated Security Only
- NTAuthenticationProviders set to "NTLM"
- "Trust this computer for delegation to any service (Kerberos only)" is on
- Host Header Value set for web site containing custom web application
DatabaseServer01
- Windows Server 2003 R2 SP2
- SQL Server 2005 Standard Edition SP2
- SQL Server Reporting Services
- SSRS Application Pool running as custom identity (domain\sql)
- Reporting Services Databases
- Custom Databases
- NTAuthenticationProviders set to "NTLM"
- "Trust this computer for delegation to any service (Kerberos only)" is on
When I am logged on to WebServer01 all aspects of the custom web site and reporting service web service calls function. That is, navigating that custom web application and the ssrs report manager work without problem.
However, when I am on a client machine (in my case the Citrix server, but the issue was also confirmed on client machines running Windows XP) the custom web application is accessible via the host header, but the page which calls the SSRS web service throws the error below. It should be noted that accessing the Report Manager site from the client directly also works.
Error:
The request failed with HTTP status 401: Unauthorized
Stack:
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at .ReportService.ReportingService.ListChildren(String Item, Boolean Recursive)
at ..Page_Load(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
Web Site (W3SVC1) Log:
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-07-15 00:40:35
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-07-15 00:40:35 W3SVC1 POST /ReportServer/ReportService.asmx - 80 - Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1433) 401 2 2148074254
2008-07-15 00:40:35 W3SVC1 POST /ReportServer/ReportService.asmx - 80 - Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1433) 401 1 0
2008-07-15 00:40:35 W3SVC1 POST /ReportServer/ReportService.asmx - 80 - Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1433) 401 1
So the issue appears to be with the passing of the credentials from the client to WebServer01 and then on to DatabaseServer01. Is it a "simple" case of having to have the Application Pool running as a domain account instead of "NT Authority\Network Service" on WebServer01?
Related/Similar resources:
Code Snippet:
    ' Proxy for the SSRS 2005 SOAP web service
    Dim rService As ReportingService2005 = New ReportingService2005
    ' Send the credentials of the current security context with the call
    rService.UseDefaultCredentials = True
    Dim catalogItems As CatalogItem()
    ' Recursively list the root folder; this is the call that fails with 401
    catalogItems = rService.ListChildren("/", True)
Any thoughts or suggestions?
Thanks for taking the time to assist.
Cheers
Tim
All Replies
Thursday, July 24, 2008 11:53 PM
Wow, what an interesting past 2 weeks. The response to my post has been overwhelming!!!
I have learnt a significant amount and been quite frustrated at times. To say that everything is now fine would not be accurate; however, this is a good point to post my findings. Double-hop Kerberos authentication is the primary issue.
To get this working in our test environment the following occurred (in no specific order):
- Removed the NTAuthenticationProviders value of "NTLM", which then meant that the default value of "Negotiate,NTLM" is used.
- Created a domain user account to run the services as
- Ran aspnet_regiis.exe -ga domain\account to grant ASP.NET permissions to the new account
- Updated the application pool to use the new domain account
- Created Service Principal Names (SPNs) for the domain account
- Enabled the user account to be trusted for delegation
- Restarted servers
It should be noted that the order of events is specific in some instances. That is, you must specify the SPNs for the domain account before you can enable the account to be trusted for delegation; the tab doesn't appear until you have.
SPNs
SPNs were required for the web server, host header and SQL. The NetBIOS and Fully Qualified Domain Name (FQDN) of each were added, e.g.:
- setspn.exe -A http/WebServer01 domain\account (NetBIOS)
- setspn.exe -A http/WebServer01.domain domain\account (FQDN)
- setspn.exe -A http/hostheader domain\account (NetBIOS)
- setspn.exe -A http/hostheader.domain domain\account (FQDN)
- setspn.exe -A http/DatabaseServer01 domain\sql (NetBIOS)
- setspn.exe -A http/DatabaseServer01.domain domain\sql (FQDN)
setspn.exe is not automatically installed when you install Windows Server 2003. To install the Windows Support Tools on a computer that is running Windows Server 2003, run the Suptools.msi program that is in the Support\Tools folder on the Windows Server 2003 SP1 CD.
Web Site (W3SVC1) Log:
How the site log (on DatabaseServer01 - SSRS) looks when everything is working:
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-07-17 07:51:26 W3SVC1 <ip> POST /ReportServer/ReportService.asmx - 80 - <ip> Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1433) 401 2 2148074254
2008-07-17 07:51:59 W3SVC1 <ip> POST /ReportServer/ReportService.asmx - 80 <domain\impersonated user> <ip> Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1433) 200 0 0
References:
- NTAuthenticationProviders Metabase Property (IIS 6.0)
  http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/ea7cd846-33da-49c9-927f-d4e76d6309ac.mspx
- How To: Create a Service Account for an ASP.NET 2.0 Application
  http://msdn.microsoft.com/en-us/library/ms998297.aspx
- Setspn Overview
- How it Works: SQL Server Reporting Services and Dynamics CRM
- Microsoft CRM 3.0: Additional Setup Tasks Required if Reporting Services Is Installed on Different Server
- How to understand, implement, and troubleshoot Kerberos double-hop authentication
There are still some issues on the live environment so I will post again when they are resolved.
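To turn the failing and working IIS logs quoted in this thread into a repeatable check, the following is an added Python example (not code from the thread): it parses the W3C fields from the log's own #Fields directive and classifies each client/URI exchange as a working delegation or the failing double-hop signature. The sample log lines, IP addresses and user name are constructed.

```python
from typing import Dict, List, Tuple

# sc-win32-status 2148074254 == 0x8009030E == SEC_E_NO_CREDENTIALS, the value on the 401.2 challenge line in both logs
SEC_E_NO_CREDENTIALS = 0x8009030E

# Constructed sample logs modelled on the thread's two logs; IPs and user name are made up.
FAILING_LOG = """\
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-07-15 00:40:35 W3SVC1 10.0.0.20 POST /ReportServer/ReportService.asmx - 80 - 10.0.0.10 MS+Web+Services+Client+Protocol+2.0.50727.1433 401 2 2148074254
2008-07-15 00:40:35 W3SVC1 10.0.0.20 POST /ReportServer/ReportService.asmx - 80 - 10.0.0.10 MS+Web+Services+Client+Protocol+2.0.50727.1433 401 1 0
"""
WORKING_LOG = """\
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-07-17 07:51:26 W3SVC1 10.0.0.20 POST /ReportServer/ReportService.asmx - 80 - 10.0.0.10 MS+Web+Services+Client+Protocol+2.0.50727.1433 401 2 2148074254
2008-07-17 07:51:59 W3SVC1 10.0.0.20 POST /ReportServer/ReportService.asmx - 80 DOMAIN\\tim 10.0.0.10 MS+Web+Services+Client+Protocol+2.0.50727.1433 200 0 0
"""

def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text using its own #Fields directive; '-' means empty."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):  # skip other directives and blanks
            values = line.split()  # spaces inside values are encoded as '+'
            if len(values) != len(fields):
                raise ValueError(f"field count mismatch: {line!r}")
            rows.append({f: ("" if v == "-" else v) for f, v in zip(fields, values)})
    return rows

def triage(rows: List[Dict[str, str]]) -> Dict[Tuple[str, str], str]:
    """Group requests per (client IP, URI) and classify how each exchange ended."""
    exchanges: Dict[Tuple[str, str], List[Dict[str, str]]] = {}
    for r in rows:
        exchanges.setdefault((r["c-ip"], r["cs-uri-stem"]), []).append(r)
    verdicts: Dict[Tuple[str, str], str] = {}
    for key, seq in exchanges.items():
        challenged = any(r["sc-status"] + "." + r["sc-substatus"] == "401.2"
                         and int(r["sc-win32-status"]) == SEC_E_NO_CREDENTIALS for r in seq)
        last, final = seq[-1], seq[-1]["sc-status"] + "." + seq[-1]["sc-substatus"]
        if final == "200.0" and "\\" in last["cs-username"]:
            verdicts[key] = "delegated-ok"  # an impersonated domain user reached SSRS
        elif challenged and final == "401.1" and not last["cs-username"]:
            verdicts[key] = "double-hop-failure"  # challenge answered with no usable credential
        else:
            verdicts[key] = "unclassified"
    return verdicts
```

Run it against a real W3SVC1 log from the SSRS server after a client request: an exchange that ends in 401.1 with an empty cs-username is the pattern the thread describes, while 200 with domain\user shows delegation working.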
Friday, July 25, 2008 3:35 AM
The production environment is now working. The issue with production was that a duplicate SPN existed for the database server. I also set the "act as part of the operating system" property on the local policy (WebServer01) to include the domain\user account.
I highly recommend:
- How to understand, implement, and troubleshoot Kerberos double-hop authentication
- Troubleshooting Kerberos Delegation
  http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx
Tuesday, April 19, 2011 5:47 PM
The information may be from a few years ago, but this article helped me solve the same problem. Thanks,
S