windows authentication (double hop problem?!)

Question

  • Hello all,

    I've searched for similar topics but found nothing with the same problem.

    We have an online platform with a web server (called a: Windows 2003, IIS 6.0, up to date) and a database server (called b: Windows 2003 x64, SQL Server 2008 SP1, up to date). The clients are authenticated via client certificates and mapped to a Windows account. They are impersonated to server b and all is fine, also Reporting Services.

    But if we access Reporting Services from client c (inside the LAN, not the extranet) over a to b (double hop), the authentication is sometimes lost. This phenomenon is only related to Reporting Services (often when data is generated): a Windows popup. It looks like a 401, but nothing is logged; only in the IIS log is there a 401.

    What we have done:
    - read manuals/tips/... over and over :-/
    - a: checked Kerberos -> works (it's only from inside the LAN)
    - b: disabled the loopback check
    - b: SPNs all set (delegation)
    - b: Reporting Services authentication types (NTLM, Negotiate, without this 401 error)
    - b: Reporting Services under the Network Service account
    - a, b: checked timeouts (ReportViewer control, Reporting Services, IIS)
    - clients: Integrated Windows Authentication

    Thanks in advance for your help.

    Best regards
    Andreas
    Monday, July 13, 2009 11:48 AM
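
The question's only hard evidence is a 401 in the IIS log. The script below is an added example, not code from the thread: it reads IIS 6 W3C log lines and separates the 401 that every Negotiate/NTLM exchange starts with (a 401.2 challenge answered by a 2xx from the same client for the same URI a moment later) from a 401 that is never followed by success, which is the one worth chasing. The log lines are constructed for the example; the client address, URI and timings are placeholders, and the sc-substatus / sc-win32-status labels are the documented IIS and SSPI meanings of those codes.

```powershell
# Added example (not from the thread). Parse IIS 6 W3C extended log lines and list the
# 401 responses that were never followed by a successful response from the same client.

function ConvertFrom-W3CLog {
    # Turn W3C log text into objects whose property names are the #Fields names.
    param([string[]]$Lines)
    $fields = $null
    foreach ($l in $Lines) {
        if ($l -like '#Fields:*') { $fields = ($l -replace '^#Fields:\s*') -split ' '; continue }
        if (-not $l -or $l.StartsWith('#')) { continue }   # other directives / blank lines
        $v = $l -split ' '
        $o = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $o[$fields[$i]] = $v[$i] }
        New-Object PSObject -Property $o
    }
}

function Find-Unanswered401 {
    # A 401 is "answered" when the same client gets a 2xx for the same URI within the window;
    # that is the normal first leg of a Negotiate/NTLM handshake and is not an error.
    param($Entries, [int]$WindowSeconds = 10)
    $sub = @{ '1' = '401.1 logon failed'; '2' = '401.2 denied by server config / initial challenge'
              '3' = '401.3 denied by ACL'; '5' = '401.5 ISAPI/CGI denied' }
    $win32 = @{ '0' = 'OK'; '5' = 'ERROR_ACCESS_DENIED'
                '2148074248' = 'SEC_E_INVALID_TOKEN'; '2148074252' = 'SEC_E_LOGON_DENIED'
                '2148074254' = 'SEC_E_NO_CREDENTIALS' }
    for ($i = 0; $i -lt $Entries.Count; $i++) {
        $e = $Entries[$i]
        if ($e.'sc-status' -ne '401') { continue }
        $t0 = [datetime]::ParseExact("$($e.date) $($e.time)", 'yyyy-MM-dd HH:mm:ss', $null)
        $answered = $false
        for ($j = $i + 1; $j -lt $Entries.Count; $j++) {
            $n  = $Entries[$j]
            $t1 = [datetime]::ParseExact("$($n.date) $($n.time)", 'yyyy-MM-dd HH:mm:ss', $null)
            if (($t1 - $t0).TotalSeconds -gt $WindowSeconds) { break }
            if ($n.'c-ip' -eq $e.'c-ip' -and $n.'cs-uri-stem' -eq $e.'cs-uri-stem' -and
                $n.'sc-status' -like '2*') { $answered = $true; break }
        }
        if ($answered) { continue }
        $s = $sub[$e.'sc-substatus'];    if (-not $s) { $s = "401.$($e.'sc-substatus')" }
        $w = $win32[$e.'sc-win32-status']; if (-not $w) { $w = $e.'sc-win32-status' }
        New-Object PSObject -Property @{
            Time = $t0; Client = $e.'c-ip'; Uri = $e.'cs-uri-stem'
            Reason = "$s; win32=$w"; TimeTakenMs = [int]$e.'time-taken'
        }
    }
}

# Constructed sample log (placeholder client, URI and times). The first 401.2 is the normal
# challenge and is answered by a 200; the two 401.1 entries on the render POST are not.
$sample = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-substatus sc-win32-status time-taken
2009-07-13 09:00:00 10.0.0.5 GET /GfSReporting/ReportExecution2005.asmx 401 2 2148074254 15
2009-07-13 09:00:00 10.0.0.5 GET /GfSReporting/ReportExecution2005.asmx 200 0 0 47
2009-07-13 09:02:10 10.0.0.5 POST /GfSReporting/ReportExecution2005.asmx 401 1 2148074252 60012
2009-07-13 09:02:11 10.0.0.5 POST /GfSReporting/ReportExecution2005.asmx 401 1 2148074252 31
'@ -split "`r?`n"

$entries = @(ConvertFrom-W3CLog $sample)
Find-Unanswered401 -Entries $entries | Format-Table Time, Client, Uri, TimeTakenMs, Reason -AutoSize
```

To use it on a real server, replace `$sample` with `Get-Content` of the site's log file; time-taken must be enabled in the W3C field list for the last column to be meaningful. A 401.1 that is logged immediately with SEC_E_LOGON_DENIED points at the ticket or the delegation chain; a 401 that only appears after a request has hung for tens of seconds (the 60012 ms row in the sample) is a request that stalled somewhere between client and server before being refused, and should be correlated with whatever sits in that path.
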

Answers

  • Hello again,

    We've successfully found the problem. It was our proxy software (Squid), which made us run into an SSL timeout, so the Windows authentication popup was requested.

    Thanks for your investigation.

    Best regards.
    • Marked as answer by Andreas Kirsch Wednesday, October 14, 2009 9:39 AM
    Wednesday, October 14, 2009 9:39 AM

All replies

  • Hi Andreas,

    You are right. That should be a double-hop issue.

    The possible issue should be that the Report Server service runs under a built-in account, and we have not mapped the built-in account's HTTP SPN to the Host SPN.

    If Kerberos has been enabled, we have to register an SPN for the Report Server service account.

    1. If the Report Server service runs under a domain user account, please register an SPN for the account.

    2. If the Report Server service runs under a built-in account such as Network Service, please map the built-in account's HTTP SPN to the Host SPN, which is defined when we join a computer to our network.

    Please use any of the following solutions to solve the issue:

    1. Change the Report Server service to run under a domain user account, and register an SPN for the account.

    2. Map the built-in account's HTTP SPN to a Host SPN.

    For more information, please see:

    How to: Configure Windows Authentication in Reporting Services: http://msdn.microsoft.com/en-us/library/cc281253.aspx#proxyfirewallRSWindowsNegotiate

    How to: Register a Service Principal Name (SPN) for a Report Server: http://msdn.microsoft.com/en-us/library/cc281382.aspx

    Please feel free to ask if you have any more questions.

    Thanks,

    Jin Chen

    Jin Chen - MSFT
    Wednesday, July 15, 2009 8:23 AM
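
Jin Chen's two options both come down to "the HTTP SPN for the name in the report server URL must resolve to the account the Report Server service runs as, and to nothing else". The script below is an added example, not code from the thread or from the linked MSDN pages: it derives the SPNs a report server URL needs, compares them with what `setspn -L` returns for the right account (computer object for a built-in account, user object for a domain account), prints the `setspn -A` command for anything missing, and checks the directory for the same SPN registered twice, which makes Kerberos fail silently. The host name `server1`, the DNS domain `domain.local`, the port and the service account are assumed placeholders.

```powershell
# Added example (not from the thread). Check and register the HTTP SPNs for a report server.
# Assumed values below are placeholders, not names from the thread.
param(
    [string]$ReportServerHost = 'server1',                    # assumed host name of server b
    [string]$DnsDomain        = 'domain.local',               # assumed DNS domain
    [int]   $Port             = 80,                           # port in the report server URL
    [string]$ServiceAccount   = 'NT AUTHORITY\NetworkService' # or 'DOMAIN\svc_rs' (assumed)
)

$fqdn = "$ReportServerHost.$DnsDomain"

# A Kerberos client builds the SPN from the host name in the URL, so both the short and
# the fully qualified form must exist. The :port form is only used for non-default ports;
# HTTP/host:80 is harmless but never requested.
$wanted = @("HTTP/$ReportServerHost", "HTTP/$fqdn")
if ($Port -ne 80) { $wanted += "HTTP/${ReportServerHost}:$Port", "HTTP/${fqdn}:$Port" }

# Built-in accounts present the computer account to the KDC, so their SPNs live on the
# computer object, where the default HOST/ entries already stand in for HTTP/. A domain
# user account has no HOST/ entries, so HTTP/ must be registered on it explicitly.
$builtIn   = 'NT AUTHORITY\NetworkService', 'NT AUTHORITY\SYSTEM', 'NetworkService', 'LocalSystem'
$isBuiltIn = $builtIn -contains $ServiceAccount
$target    = if ($isBuiltIn) { $ReportServerHost } else { $ServiceAccount.Split('\')[-1] }

# setspn -L prints a header line followed by one indented SPN per line; keep the SPN lines.
$registered = setspn -L $target | ForEach-Object { $_.Trim() } | Where-Object { $_ -match '^\w+/' }

foreach ($spn in $wanted) {
    $direct  = $registered -contains $spn                                   # case-insensitive
    $viaHost = $isBuiltIn -and ($registered -contains ($spn -replace '^HTTP/', 'HOST/'))
    if ($direct)      { "OK        $spn (registered on $target)" }
    elseif ($viaHost) { "OK        $spn (covered by HOST/ SPN on $target)" }
    else              { "MISSING   $spn  ->  setspn -A $spn $target" }
}

# The same HTTP/ SPN on two accounts breaks Kerberos without a clear error, so look for
# duplicates before registering anything. setspn -Q / -X only exist in the Windows Server
# 2008 setspn; the Windows Server 2003 Support Tools version has no duplicate check, hence
# the LDAP query here (searches the current domain).
foreach ($spn in $wanted) {
    $s = New-Object DirectoryServices.DirectorySearcher("(servicePrincipalName=$spn)")
    [void]$s.PropertiesToLoad.Add('sAMAccountName')
    $holders = $s.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] }
    if (@($holders).Count -gt 1) { "DUPLICATE $spn on: $($holders -join ', ')" }
}
```

Run it on the report server (or any domain member with setspn.exe) as a user allowed to read the directory; only the printed `setspn -A` lines change anything, and they need rights on the target account. The SPN side is necessary but not sufficient for a double hop: the account under which the web application on server a impersonates the client must additionally be trusted to delegate to the report server's HTTP SPN, and constrained delegation to exactly that SPN is the least-privilege form.
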
  • Hello Jin,

    Thanks for your answer.

    To clarify the configuration on the report server:

    1. setspn -L server1 gives:
        http/server1:80
        http/server1.domain:8
        http/server1.domain
        http/server1
        HOST/server1
        HOST/server1.DOMAIN
    1.1 I think the built-in account is mapped to the host SPN, right?

    2. cscript adsutil.vbs get w3svc/NTAuthenticationProviders gives:
        Microsoft (R) Windows Script Host, Version 5.6
        Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

        NTAuthenticationProviders       : (STRING) "Negotiate,NTLM"
    2.1 If I configure nothing, it works, and Negotiate/NTLM only works as well.

    3. The report server is running under Local System, but in rsreportserver.config it says:
        <URLReservations>
            <Application>
                <Name>ReportServerWebService</Name>
                <VirtualDirectory>GfSReporting</VirtualDirectory>
                <URLs>
                    <URL>
                        <UrlString>http://+:80</UrlString>
                        <AccountSid>S-1-5-20</AccountSid>
                        <AccountName>NT Authority\NetworkService</AccountName>
                    </URL>
                </URLs>
            </Application>
            <Application>
                <Name>ReportManager</Name>
                <VirtualDirectory>ReportManager</VirtualDirectory>
                <URLs>
                    <URL>
                        <UrlString>http://+:80</UrlString>
                        <AccountSid>S-1-5-20</AccountSid>
                        <AccountName>NT Authority\NetworkService</AccountName>
                    </URL>
                </URLs>
            </Application>
        </URLReservations>
    3.1 It runs under Local System, so why is there an entry here for NT Authority\NetworkService?

    4. rsreportserver.config:
        <Authentication>
            <AuthenticationTypes>
                <RSWindowsNegotiate/>
                <RSWindowsNTLM/>
            </AuthenticationTypes>
            <EnableAuthPersistence>true</EnableAuthPersistence>
        </Authentication>
    4.1 If I configure only NTLM, it works from the extranet (internet) but not from the intranet (401 Unauthorized from the ReportViewer control).
    4.2 If I configure both, it works from extranet/intranet, but from the intranet with a Windows popup after a time (double-hop issue).
    4.3 If I configure only Negotiate, see 4.2.

    Do you have any more ideas what I can do? :-/

    Thanks in advance,

    Andreas
    Friday, July 17, 2009 6:06 AM
  • Sounds like it could be similar to the following:

    http://blogs.msdn.com/lukaszp/archive/2008/07/18/reporting-services-http-401-unauthorized-host-headers-require-your-attention.aspx

    I know the above talks about NTLM, but BackConnectionHostNames still needs to be set with the name of a if users are accessing http://a/reportserver.

    Hope that helps,
    -Lukasz
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, July 17, 2009 4:19 PM
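
The loopback check Lukasz refers to has two documented switches: `BackConnectionHostNames` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`, a REG_MULTI_SZ listing the host names that may be used in a loopback request, and `DisableLoopbackCheck` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, which turns the protection off for every name. The question says the second was set on server b; the first is the narrower fix. The script below is an added example, not code from the thread or from Lukasz's blog post: it reports the current state of both values, adds the requested names to the list without dropping existing entries, and points out the broad setting if it is still present. The host names `a` and `a.domain.local` are placeholders.

```powershell
# Added example (not from the thread). Report and, with -Apply, set BackConnectionHostNames;
# flag DisableLoopbackCheck so the broad setting can be removed once the names are listed.
# The default names are placeholders for the names clients put in the URL to this machine.
param(
    [string[]]$HostNames = @('a', 'a.domain.local'),   # assumed names, not from the thread
    [switch]$Apply                                     # without -Apply the script only reports
)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = Join-Path $lsa 'MSV1_0'

# Both reads tolerate an absent value (Get-ItemProperty returns nothing, the property is $null).
$current     = (Get-ItemProperty -Path $msv -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames
$loopbackOff = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck   -ErrorAction SilentlyContinue).DisableLoopbackCheck -eq 1

"BackConnectionHostNames : $(if ($current) { $current -join ', ' } else { '<not set>' })"
"DisableLoopbackCheck    : $(if ($loopbackOff) { '1 (loopback check disabled for ALL names)' } else { 'not set' })"

# The check compares names case-insensitively, and so does -notcontains.
$missing = $HostNames | Where-Object { @($current) -notcontains $_ }
if (-not $missing) { 'All requested names are already listed.'; return }
"Missing: $($missing -join ', ')"

if ($Apply) {
    # REG_MULTI_SZ: write the union so entries added by someone else survive.
    $new = @(@($current) + $missing | Where-Object { $_ } | Select-Object -Unique)
    New-ItemProperty -Path $msv -Name BackConnectionHostNames -PropertyType MultiString -Value $new -Force | Out-Null
    'Written. Restart the IIS Admin service (iisreset) for the change to take effect.'
    if ($loopbackOff) {
        'DisableLoopbackCheck is still 1. With the names above listed it is no longer needed:'
        "  Remove-ItemProperty -Path '$lsa' -Name DisableLoopbackCheck"
    }
}
```

The first run without `-Apply` is safe on any box and shows which of the two mechanisms is in force. `BackConnectionHostNames` is the one to keep: it allows loopback authentication only for the names you list, whereas `DisableLoopbackCheck` removes the reflection protection for every host name the machine will answer to.
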
  • Hello Lukasz,

    Thanks for your answer, but I don't know if it is exactly our problem, because the clients call Reporting Services only via the ReportViewer control. The parameters load fine, but if you click to render the report we get a 401 with a Windows popup. The ReportViewer control web.config shows:
        <appSettings>
            <add key="ReportingWebService" value="http://computername.fqdn/GfSReporting"/>
        </appSettings>

    It works neither without the FQDN nor with the IP address. :-(

    Regards,

    Andreas
    Monday, July 20, 2009 6:52 AM