locked
authentication issue to backend data server through a web application

  • Question

  • User464803903 posted

    I'm using IIS 7 for a web app.  We need users to access their home drive through this app.  I can get it to work with basic authentication, but I cannot get it to work with Windows authentication.  The app pool is running under Network Service.  I have ASP.NET impersonation enabled.  It seemed like a double-hop issue, so I added an SPN for the site, but that does not seem to be helping.  I also saw some issues with earlier versions of IE not liking CNAMEs in DNS.  I tried to use an A record instead, but this also did not help.

    Tuesday, October 18, 2011 2:16 PM

All replies

  • User-1672167363 posted

    Hi,

    Have you looked at WebDAV to allow the Users to access a Mapped Network Drive like Z:\Users\Fred\Shared\Files\Projects\

     http://learn.iis.net/page.aspx/360/what39s-new-for-webdav-and-iis-70/ ?

    So what is the Web "app"? What does it do with the Users accessing their Home Drive?

    The "Application Pool" is running under the "Network Service"; that is legacy IIS 6.0 operations.

    I do not see a "backend" Data Server. Is it a SQL Server Database?

    The "backend" Data Server requires a fully qualified User with Password to access the ?

    Is this a Windows Server product using AD with Windows Users and Logons?

    How do DNS, Networking and Browser versions cause problems?

    Have you checked the IIS Server logs for errors? Can you post them in the forum?

     Look at the list of status codes http://support.microsoft.com/kb/943891 descriptions & Suggestions.

    Martin

    Sunday, October 23, 2011 11:13 PM
  • User-1672167363 posted

    Hi,

    Where is this "authentication" being done for "backend data" when no server is present?

    Martin

     

    Tuesday, October 25, 2011 7:11 AM
  • User464803903 posted

    I will do some reading on WebDAV.  In the meantime, the web application allows users to fill out a form, and it saves the results as a PDF on the user's home drive.  They can then use the file through the file share, or come back to the web application and reuse or modify the form.  So in short, it is just standard reads/writes.

    The backend server is a failover cluster.  There is a SQL Server and a file share server put into the cluster, and it is the file share portion of the server this app is trying to hit.  I am suspecting that we may need to enable Kerberos authentication for the virtual name clustered resource.  However, I am not certain of the implications of this change and have not tested it yet.

    The file share does require a username\password to access.

    I may be misunderstanding what you are asking in regards to this being a Windows Server product, but we are using IIS 7 and C# code that was written in house.

    DNS, browsing and networking are fine.

    IIS logs have not revealed much more than that the authentication failed; however, Fiddler indicated it was specifically Kerberos causing the issue.  I am fairly confident now that this is a matter of me figuring out the SPN needed for the server and putting it in place without introducing any new issues.  However, I am not experienced with Kerberos or SPNs and am therefore very hesitant to continue.  I've already inadvertently broken our developers' test environment while experimenting with SPNs for this issue.

    Tuesday, October 25, 2011 2:52 PM
  • User-1672167363 posted

    Hi,

    Thanks for the updated information "SQL Server as part of a Cluster".

    Sorry you had problems with the Developers' Test System.

    Yes, read the WebDAV information. You should look at the "Application Pools" guide in the IIS library installation and security.

    "I may be misunderstanding what you are asking in regards to this being a windows server product"

    "But we are using IIS 7.0 and c# code that was written in house."

    Big differences: Windows Vista installs IIS 7.0 Server, no AD. Windows 2008 Server installs IIS 7.0 Server and can install AD.

    If you are having errors please post them to the Forum with Status Code and Sub Status.

    If you're getting the authentication failures these will be 401.XX; see the details.

    You may be dealing with the "Double Hop Issue"; you can Search ( Google or Bing ) for the Keyword.

    Example of Double Hop IIS Forums http://forums.iis.net/t/1156807.aspx thread and Lextm replies.

    Martin

     

     

    Tuesday, October 25, 2011 3:09 PM
  • User464803903 posted

    I do believe it is the double-hop issue, and it is a matter of getting the correct SPN in place to fix it.

    IIS is installed on a 2008 Enterprise server.  We do use Active Directory.

    here is the error from ie:

    Server Error in '/' Application.

    Access to the path '\\xxx\xxx\filename.txt' is denied.

    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.UnauthorizedAccessException: Access to the path '\\xxx\xxx\filename.txt' is denied.

    ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.

    To grant ASP.NET access to a file, right-click the file in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.


    Stack Trace:

    [UnauthorizedAccessException: Access to the path '\\xxx\xxx\filename.txt' is denied.]
       System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) +12892935
       System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath) +2481
       System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy) +229
       System.IO.FileStream..ctor(String path, FileMode mode) +106
       TLC.SENTRV.WebClient.Controllers.TestController.GetYFile() in c:\CheckoutDirectory\xxx\xxx.Solution\TLC.SENTRV.WebClient\Controllers\TestController.cs:67
       lambda_method(Closure , ControllerBase , Object[] ) +79
       System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +248
       System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +39
       System.Web.Mvc.<>c__DisplayClass15.<InvokeActionMethodWithFilters>b__12() +125
       System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func`1 continuation) +640
       System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodWithFilters(ControllerContext controllerContext, IList`1 filters, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +312
       System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) +691
       System.Web.Mvc.Controller.ExecuteCore() +162
       System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext) +305
       System.Web.Mvc.<>c__DisplayClassb.<BeginProcessRequest>b__5() +62
       System.Web.Mvc.Async.<>c__DisplayClass1.<MakeVoidDelegate>b__0() +20
       System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +453
       System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +371

    and here is the IIS log:

    #Software: Microsoft Internet Information Services 7.0
    #Version: 1.0
    #Date: 2011-10-25 19:32:58
    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
    2011-10-25 19:32:58 (ip) GET /Test/GetYfile - 80 - (ip) Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+MS-RTC+EA+2) 401 2 5 672
    2011-10-25 19:33:05 (ip) GET /Test/GetYfile - 80 domain\user (ip) Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+MS-RTC+EA+2) 401 0 0 6444
    2011-10-25 19:33:09 (ip) GET /Test/GetYfile - 80 domain\user (ip) Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+MS-RTC+EA+2) 401 0 0 21
    2011-10-25 19:33:11 (ip) GET /Test/GetYfile - 80 domain\user (ip) Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+MS-RTC+EA+2) 401 0 0 12
    2011-10-25 19:33:11 (ip) GET /Test/GetYfile - 80 domain\user (ip) Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+MS-RTC+EA+2) 401 0 0 19
    2011-10-25 19:33:19 (ip) GET /Test/GetYfile - 80 - (ip) Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+MS-RTC+EA+2) 401 2 5 3
    2011-10-25 19:33:19 (ip) GET /Test/GetYfile - 80 domain\user (ip) Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+MS-RTC+EA+2) 401 0 0 20
    2011-10-25 19:33:24 (ip) GET /Test/GetYfile - 80 domain\user (ip) Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+MS-RTC+EA+2) 401 0 0 11
    2011-10-25 19:33:24 (ip) GET /Test/GetYfile - 80 domain\user (ip) Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+MS-RTC+EA+2) 401 0 0 16
    2011-10-25 19:33:26 (ip) GET /Test/GetYfile - 80 domain\user (ip) Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+MS-RTC+EA+2) 401 0 0 15

    Tuesday, October 25, 2011 3:45 PM
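Reading the log in the post above, as an added example that is not part of the thread: the PowerShell below parses W3C-format IIS log lines (constructed here from the posted entries, with the IPs replaced by documentation addresses and the user-agent shortened) and labels each 401 by its sub-status and by whether IIS logged a user name. A 401.2 with no user name is IIS challenging the anonymous request, after which the browser retries with Negotiate; a 401.0 that carries a user name means IIS accepted the credentials and the 401 was produced by the application, which is what ASP.NET returns when it turns the UnauthorizedAccessException from the UNC access into the error page shown above. So the first hop (browser to IIS) succeeds and the second hop (IIS to the share) is what fails; the 6,444 ms on the first authenticated request is consistent with the time spent failing that second hop.

```powershell
# Added example, not from the thread. Sample lines are constructed from the log posted
# above (IPs replaced with RFC 5737 addresses, user-agent shortened).
$SampleLog = @'
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2011-10-25 19:32:58
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-10-25 19:32:58 192.0.2.10 GET /Test/GetYfile - 80 - 198.51.100.20 Mozilla/4.0+(compatible;+MSIE+8.0) 401 2 5 672
2011-10-25 19:33:05 192.0.2.10 GET /Test/GetYfile - 80 domain\user 198.51.100.20 Mozilla/4.0+(compatible;+MSIE+8.0) 401 0 0 6444
2011-10-25 19:33:09 192.0.2.10 GET /Test/GetYfile - 80 domain\user 198.51.100.20 Mozilla/4.0+(compatible;+MSIE+8.0) 401 0 0 21
2011-10-25 19:33:19 192.0.2.10 GET /Test/GetYfile - 80 - 198.51.100.20 Mozilla/4.0+(compatible;+MSIE+8.0) 401 2 5 3
'@

# Turn W3C extended log lines into objects, taking the column names from the #Fields: header.
function ConvertFrom-IisW3cLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { throw 'Data line found before the #Fields: header' }
        $values = $line -split ' '
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $record[$fields[$i]] = $values[$i] }
        [pscustomobject]$record
    }
}

# Explain a 401 from sc-substatus, sc-win32-status and whether IIS logged a user name.
function Get-AuthVerdict {
    param($Entry)
    $status = [int]$Entry.'sc-status'
    $sub    = [int]$Entry.'sc-substatus'
    $win32  = [int]$Entry.'sc-win32-status'
    $user   = $Entry.'cs-username'
    if ($status -ne 401) { return "HTTP $status, not an authentication failure" }
    if ($sub -eq 2 -and $user -eq '-') {
        # win32 5 = ERROR_ACCESS_DENIED: anonymous is off, so IIS sends WWW-Authenticate
        return '401.2 on anonymous request: IIS is challenging, browser retries with Negotiate/NTLM'
    }
    if ($sub -eq 1) {
        return "401.1 for $user (win32 $win32): logon failed at the web server, check SPN and ticket"
    }
    if ($sub -eq 0 -and $user -ne '-') {
        return "401.0 after IIS authenticated $user: the application returned 401 itself (ASP.NET maps UnauthorizedAccessException to 401); first hop worked, second hop to the share did not"
    }
    return "401.$sub (win32 $win32) for $user: see the KB 943891 table"
}

$entries = ConvertFrom-IisW3cLog -Lines ($SampleLog -split "`r?`n")
foreach ($e in $entries) {
    '{0} {1} {2,-12} {3,5} ms  {4}' -f $e.date, $e.time, $e.'cs-username', $e.'time-taken', (Get-AuthVerdict $e)
}
```

To run it against a real log, replace `$SampleLog -split "`r?`n"` with `Get-Content C:\inetpub\logs\LogFiles\W3SVC1\u_ex111025.log` (path assumed). Whether the successful first hop used Kerberos or NTLM is not visible in the IIS log; the Fiddler capture the poster mentions shows it in the `Authorization: Negotiate` header, and an NTLM token there means no SPN matched, which by itself rules out delegation.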
  • User-1672167363 posted

    Hi,

    Ok getting closer to fixing the problems. Thanks for the information.

     It is the double-hop issue.

    We need to get the correct SPN in place to fix it.

     IIS is installed on a 2008 Enterprise server.

     We do use Active Directory.

    I suggest you get and install Sysinternals Process Monitor

     http://www.iislogs.com/articles/processmonitorw3wp/ .

    You then can use Steve's guide to find which Accounts are having problems.

    Martin

     

    Wednesday, October 26, 2011 12:42 AM
  • User464803903 posted

    Thanks for all of the input.  If I can press my luck, I wonder if you can tell me how to add an SPN for a virtual server name that exists in an NLB.  The virtual name does not exist in AD, which I think is why I am getting the results I am:

     


    Y:\>setspn -a http/siteName virtualServerName
    FindDomainForAccount: DsGetDcNameWithAccountW failed!
    Unable to locate account virtualServerName

    Friday, October 28, 2011 11:59 AM
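On the setspn failure in the post above, as an added example that is not from the thread: the last argument of `setspn -a` names the account the SPN is written to, and a virtual or NLB name has no account, which is exactly what "Unable to locate account" says. The SPN belongs on the account whose key will decrypt the browser's service ticket: the IIS machine account when the pool runs as Network Service, or a domain service account otherwise. The second hop then needs constrained delegation from that account to the file server's `cifs/` service. The script below does both for assumed names (domain CORP, host IISWEB01, site name fs-app.corp.example, clustered file server FILECLU01.corp.example, optional pool account svc-fsapp; none of these appear in the thread). It relies on `setspn.exe`, `appcmd.exe` and the ActiveDirectory PowerShell module, so it assumes Server 2008 R2 RSAT or later and rights to edit the account objects.

```powershell
# Added example, not code from the thread. Assumed names (change them): domain CORP, IIS host
# IISWEB01, site name fs-app.corp.example (the name the browser connects to, e.g. the NLB
# name), clustered file server name FILECLU01.corp.example. An empty $AppPoolAccount means
# the pool runs as Network Service, as in the thread. For an NLB served by several nodes
# use a domain account: one SPN cannot be registered on two computer accounts.
$Domain         = 'CORP'
$IisHost        = 'IISWEB01'
$SiteFqdn       = 'fs-app.corp.example'
$SiteName       = 'Default Web Site'     # IIS site name, used by appcmd
$FileSrv        = 'FILECLU01.corp.example'
$AppPoolAccount = ''                     # e.g. 'svc-fsapp' for a custom pool identity

$SiteShort = $SiteFqdn.Split('.')[0]
$FileShort = $FileSrv.Split('.')[0]

# The SPN goes on the account whose key decrypts the service ticket: the machine account
# for Network Service, the domain account otherwise. Never on the virtual/NLB name, which
# has no account (hence "Unable to locate account" from setspn).
$Account = if ($AppPoolAccount) { "$Domain\$AppPoolAccount" } else { "$Domain\$IisHost`$" }

# 1. A duplicate SPN breaks Kerberos quietly: clients fall back to NTLM, which cannot be
#    delegated. Query first; -S refuses to create a duplicate where -A would not.
foreach ($spn in "HTTP/$SiteFqdn", "HTTP/$SiteShort") {
    setspn -Q $spn
    setspn -S $spn $Account
}

# 2. The target of the second hop must have a Kerberos identity too: the cifs/ SPN for
#    the cluster network name has to exist on that name's computer object (enabling
#    Kerberos on the network name resource is what creates it). This only reports.
setspn -Q "cifs/$FileSrv"

# 3. Constrained delegation: this account may forward user identities only to the file
#    server's CIFS service, registered in both name forms.
Import-Module ActiveDirectory
$targets = @("cifs/$FileSrv", "cifs/$FileShort")
if ($AppPoolAccount) {
    Set-ADUser     -Identity $AppPoolAccount -Add @{ 'msDS-AllowedToDelegateTo' = $targets }
} else {
    Set-ADComputer -Identity $IisHost        -Add @{ 'msDS-AllowedToDelegateTo' = $targets }
}
# TrustedToAuthForDelegation (protocol transition) is deliberately left off: with Kerberos
# end to end it is not needed, and it lets a compromised pool mint tickets for any user.

# 4. IIS 7 kernel-mode authentication decrypts tickets with the machine account. With a
#    custom pool identity, tell IIS to use the pool's credentials so the key matches the
#    account the SPN sits on.
if ($AppPoolAccount) {
    & "$env:windir\System32\inetsrv\appcmd.exe" set config $SiteName `
        -section:system.webServer/security/authentication/windowsAuthentication `
        /useAppPoolCredentials:"True" /commit:apphost
}

# 5. Verify what AD now holds for the account.
setspn -L $Account
$obj = if ($AppPoolAccount) {
    Get-ADUser     -Identity $AppPoolAccount -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo'
} else {
    Get-ADComputer -Identity $IisHost        -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo'
}
$obj | Select-Object Name, servicePrincipalName, 'msDS-AllowedToDelegateTo' | Format-List
```

Three things still decide whether it works after the script runs: the name in the SPN must be the host name the browser actually builds its ticket request for (the CNAME versus A record point raised in the first post is about exactly that); the end user's own account must not be marked "sensitive and cannot be delegated"; and both the user and the pool identity need fresh tickets, so a log off and on (or an app pool recycle) is required before retesting.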
  • User-1672167363 posted

    Hi,

    Glad you're getting closer :D.

    I think it best for the SPN, VS and NLB with AD questions

    to check the http://social.technet.microsoft.com/Forums/en/winserverClustering/threads Windows Forums

    posts or ask the users or Engineers for Expert help.

    Regards,

    Martin

     

     

    Sunday, October 30, 2011 12:41 PM
  • User-1672167363 posted

    Hi,

    Have you fixed the SPN problem and errors?

    Martin

     

    Tuesday, November 15, 2011 8:44 AM
  • User-1672167363 posted

    Hi,

    This problem, "I can get it to work with basic authentication"

    with "I can not get it to work with windows authentication", and the Web App: Resolved?

    Martin

     

    Saturday, November 26, 2011 1:51 PM