I have several Classic ASP sites that use Integrated Windows Authentication and Kerberos delegation.

They work OK on the live servers (recently moved to Server 2008/IIS7 servers), but do not work fully on my development PC or my development server. IIS on both machines was configured through an IIS web deployment tool package which was exported from an old machine; the deployment didn't work perfectly, and I had to tinker a bit to get the sites working.

When accessing the apps locally on either machine, they work fine; when accessing from another machine, the user is prompted by a username/password dialog, and regardless of what you enter, ultimately it results in a 401 (Unauthorised) error.

I've tried comparing the configuration of these machines against similar live servers (that all work fine), and they seem generally comparable (given that none of the live servers are yet on IIS7.5 (Windows 7/Server 2008 R2)).

These applications run in a common application pool which uses a special domain user as its identity - this user has similar permissions on the live and development machines. On IIS6 platforms, to enable Kerberos delegation, I needed to set up some SPNs for this user, and they are still in place (even though I don't believe they are needed any longer for IIS7+ due to kernel-mode authentication).

Furthermore, this account is enabled for Kerberos delegation in Active Directory, as is each machine I am dealing with.

I'm considering the possibility that the deployment might have made changes/failed to make changes to the IIS configuration thus causing this problem. Perhaps a complete rebuild (minus another web deployment attempt) would solve the problem, but I'd rather fix (thus understand) the current problem.

Any ideas so far?

I've just had another attempt at fixing this issue, and I've made some progress, but I don't have a complete fix...yet.

I've discovered that if I access the sites via IP address (rather than via NetBIOS name), I get the same dialog, except that it accepts my credentials and thus the application works - not quite a fix, but a useful step.

More interestingly, I discovered that if I disable Kernel-mode authentication (in IIS Manager > Website > Authentication > Advanced Settings), the applications work perfectly. My foggy understanding is that this is effectively working in the pre-IIS7 way. A reasonable short-term solution, but consider the following explicit advice from IIS on this issue:

By default, IIS enables kernel-mode authentication, which may improve authentication performance and prevent authentication problems with application pools configured to use a custom identity. As a best practice, do not disable this setting if Kerberos authentication is used in your environment and the application pool is configured to use a custom identity.

Clearly, this is not the way my applications should be working. So what is the issue?

CJM
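The settings the question is juggling (kernel-mode authentication, the custom application pool identity and the SPNs registered for it) can all be read from one place. The following PowerShell script is an added diagnostic, not code from the question or its answers. It assumes the WebAdministration module (IIS 7.5+; on IIS 7.0 use Add-PSSnapin WebAdministration instead) and setspn.exe, run from an elevated prompt on the web server; $SiteName and $HostHeader are placeholders for the site and the name browsers use to reach it.

```powershell
# Added diagnostic script (not from the question or its answers). Assumes the
# WebAdministration module, setspn.exe, and an elevated prompt on the web server.
param(
    [string]$SiteName   = 'Default Web Site',          # placeholder: the IIS site to inspect
    [string]$HostHeader = 'intranet.example.invalid'   # placeholder: the host name browsers use for it
)

Import-Module WebAdministration

$authFilter = 'system.webServer/security/authentication/windowsAuthentication'

# Read one attribute of <windowsAuthentication> for the site. Depending on the
# IIS version the cmdlet returns either the raw value or a ConfigurationAttribute
# wrapper, so unwrap .Value when it is present.
function Get-WinAuthSetting([string]$Name) {
    $v = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location $SiteName -Filter $authFilter -Name $Name
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

$enabled    = [bool](Get-WinAuthSetting 'enabled')
$kernelMode = [bool](Get-WinAuthSetting 'useKernelMode')
$poolCreds  = [bool](Get-WinAuthSetting 'useAppPoolCredentials')
$providers  = @(Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
                  -Filter "$authFilter/providers/add" | ForEach-Object { $_.value })

# Identity of the application pool the site runs in
$poolName = (Get-Website -Name $SiteName).applicationPool
$model    = Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel
$identity = $model.identityType
if ($identity -eq 'SpecificUser') { $identity += " ($($model.userName))" }

"Site '$SiteName' -> application pool '$poolName', identity: $identity"
"windowsAuthentication: enabled=$enabled useKernelMode=$kernelMode useAppPoolCredentials=$poolCreds"
"providers (order matters; Negotiate must come before NTLM for Kerberos): $($providers -join ', ')"

# With kernel-mode authentication on, the Kerberos service ticket is decrypted
# with the COMPUTER account's key unless useAppPoolCredentials is true. If the
# pool runs as a domain user that holds the HTTP/<host> SPN, tickets issued for
# that SPN cannot be decrypted by the machine account, and remote clients get a
# 401 while local access still works.
if ($kernelMode -and $model.identityType -eq 'SpecificUser' -and -not $poolCreds) {
    Write-Warning ("Kernel-mode auth with a custom pool identity but useAppPoolCredentials=false: " +
        "tickets for HTTP/$HostHeader must be decryptable by the computer account, so an " +
        "HTTP/$HostHeader SPN registered on $($model.userName) will break Kerberos for remote clients.")
}

# Which accounts hold the SPN the browser requests, and what the pool account has
# registered. Requests by IP address normally fall back to NTLM because browsers
# do not build an SPN from an IP, which is why that path accepts credentials.
if ($model.identityType -eq 'SpecificUser') {
    "SPNs registered on $($model.userName):"
    & setspn -L $model.userName
}
"Accounts holding HTTP/$HostHeader (a duplicate, or the wrong account, is a common cause of failures):"
& setspn -Q "HTTP/$HostHeader"
```

Run it once on a development box and once on a live server and diff the output; the useKernelMode/useAppPoolCredentials pair together with the account that owns HTTP/<host> is what decides which key the ticket is decrypted with, and disabling kernel mode (as the question found) works only because it moves decryption back to the pool identity that already holds the SPNs.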

2 Answers

Try with another browser, for example Chrome if you're using IE now. It's possible that this is from the domain name being in the Intranet or trusted zone. That can cause it to attempt to save credentials which may not work remotely, depending on if you're coming from outside the domain or not.

Scott Forsyth

  • The application is 'targeted' at IE7+ because that is what the vast majority of the client-base use, but personally I use Chrome and also have Opera and FF installed. The problem is the same across all browsers. – CJM Jan 05 '11 at 15:25
  • It doesn't sound like a trust issue then. I've seen trust issues with saved credentials before. As a next step, I would try Fiddler2 or Firebug and see if you can tell what's different in the request or response headers. Somehow it's getting confused with the credentials, but only for the one domain name. – Scott Forsyth Jan 05 '11 at 21:06

I've struggled with this problem for several years now. Periodically, I manage to get it working, but then a year later there is a server move and I have to battle again to get it working on the new server.

Such a time has come again... After struggling to debug these kerberos issues, I went back to basics: other people must routinely have done what I have tried to - what did they use?

Although there are people using my technique, they clearly didn't have the problems I do. But there are a dozen ways to solve most problems, so I combined techniques found across 2 or 3 examples on the web and came up with a different approach, which seems to be more reliable and no more complicated than my previous one, and crucially doesn't involve the infamous Kerberos 'double-hop':

Sub AuthUser()

    ' Swap out values enclosed in []

    ' Query AD only once per session. The original condition carried an extra
    ' "Or 1", which forced the lookup on every request and defeated the cache.
    If Session("UID") = "" Then
        Dim rsUser, aUserID, sUserID, aGroups, i
        Dim connAD, sBase, sFilter, sAttributes, sScope, sFullCommand

        ' AUTH_USER is "DOMAIN\user"; use the last component so a value without
        ' a domain prefix does not cause an out-of-range array access
        aUserID = Split(Request.ServerVariables("AUTH_USER"), "\")
        sUserID = aUserID(UBound(aUserID))

        ' Bind to AD as a fixed service account (one hop: web server -> DC), so
        ' the user's own Kerberos ticket never has to be delegated
        Set connAD = Server.CreateObject("ADODB.Connection")
        connAD.Provider = "ADsDSOObject"
        connAD.Properties("User ID") = "[MyDomain]\[MyDomainUser]" ' ### remember to make sure this user has rights to access AD
        connAD.Properties("Password") = "[password]"
        connAD.Properties("Encrypt Password") = True
        connAD.Open

        ' ADSI SQL-less query syntax: <base>;(filter);attributes;scope
        sBase = "<LDAP://DC=[MyDomain],DC=[MyDomainExt]>"
        sFilter = "(sAMAccountName=" & sUserID & ")"
        sAttributes = "cn, mail, company, givenName, sn, ADsPath, name, sAMAccountName, telephoneNumber, memberOf"
        sScope = "subtree"
        sFullCommand = sBase & ";" & sFilter & ";" & sAttributes & ";" & sScope

        Set rsUser = connAD.Execute(sFullCommand)

        If Not rsUser.EOF Then
            Session("UID") = sUserID
            Session("Name") = rsUser("cn")
            Session("Email") = rsUser("mail")
            ' memberOf is multi-valued, so the provider returns it as an array
            ' of group DNs (Null when the user is in no groups)
            If IsArray(rsUser.Fields("memberOf").Value) Then
                aGroups = rsUser.Fields("memberOf").Value
                For i = LBound(aGroups) To UBound(aGroups)
                    ' vbTextCompare: case-insensitive substring match on the DN
                    If InStr(1, aGroups(i), "[MyUsersGroup]", vbTextCompare) Then
                        Session("Auth") = 1
                    End If
                    If InStr(1, aGroups(i), "[MyAdminGroup]", vbTextCompare) Then
                        Session("Admin") = 1
                    End If
                Next
            Else
                ' NOTE: a user with no group memberships is granted both roles
                ' here (fail-open); suitable for debugging only
                Response.Write "No groups<BR>"
                Session("Auth") = 1
                Session("Admin") = 1
            End If
        Else
            Response.Write "User not recognised in AD<br>"
        End If

        connAD.Close
        Set rsUser = Nothing
        Set connAD = Nothing
    End If

End Sub
CJM
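The same single-hop design as the answer above (the web server binds to AD as a fixed service account, so the user's own Kerberos ticket is never delegated), written in PowerShell as an added example that is not the answer's code. It differs in three security-relevant details: the sAMAccountName taken from AUTH_USER is escaped per RFC 4515 before it goes into the LDAP filter, group membership is an exact DN comparison rather than an InStr substring test, and a user with no memberOf values gets no role. The search base, bind account, password source and group DNs are placeholders, and the DirectorySearcher calls naturally need a reachable domain controller.

```powershell
# Added example (not the answer's code). Search base, bind account and group DNs
# are placeholders; the bind password must come from a secret store, not source.

function ConvertTo-LdapFilterValue {
    # Escape the five characters RFC 4515 reserves inside a filter assertion
    # value, so a crafted account name cannot change the shape of the filter.
    param([Parameter(Mandatory)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Get-AdUserInfo {
    param(
        [Parameter(Mandatory)][string]$AuthUser,                          # value of AUTH_USER, "DOMAIN\user"
        [string]$SearchBase   = 'LDAP://DC=mydomain,DC=local',             # placeholder
        [string]$BindUser     = 'MYDOMAIN\svc-webldap',                    # placeholder: read-only service account
        [string]$BindPassword = '<fetched from a secret store>'            # placeholder
    )
    # AUTH_USER may arrive without a domain prefix; take the last component.
    $sam = ($AuthUser -split '\\')[-1]

    # AuthenticationTypes.Secure binds with SSPI (Kerberos/NTLM), so the service
    # account's password is not sent in clear text to the DC.
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        $SearchBase, $BindUser, $BindPassword,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $sam)))"
    $searcher.SearchScope = 'Subtree'
    foreach ($p in 'cn', 'mail', 'memberOf') { [void]$searcher.PropertiesToLoad.Add($p) }

    $r = $searcher.FindOne()
    if ($null -eq $r) { return $null }   # caller treats this as "not recognised in AD"
    $mail = $null
    if ($r.Properties['mail'].Count -gt 0) { $mail = [string]$r.Properties['mail'][0] }
    [pscustomobject]@{
        UserId = $sam
        Name   = [string]$r.Properties['cn'][0]
        Email  = $mail
        Groups = @($r.Properties['memberOf'] | ForEach-Object { [string]$_ })   # direct memberships only
    }
}

function Test-AdGroupMember {
    # Exact DN match. A substring test such as InStr(dn, "Admins") would also
    # accept "CN=Admins-ReadOnly,..." or any OU whose name contains the word.
    param([string[]]$MemberOf, [Parameter(Mandatory)][string]$GroupDn)
    foreach ($dn in $MemberOf) {
        if ($dn -eq $GroupDn) { return $true }   # -eq on strings is case-insensitive in PowerShell
    }
    return $false
}

function Get-WebRoles {
    # Returns the values the page stores in Session(...), with Auth/Admin false
    # (not granted) when no group matched, instead of failing open.
    param(
        [Parameter(Mandatory)][string]$AuthUser,
        [string]$UsersGroupDn = 'CN=WebUsers,OU=Groups,DC=mydomain,DC=local',    # placeholder
        [string]$AdminGroupDn = 'CN=WebAdmins,OU=Groups,DC=mydomain,DC=local'    # placeholder
    )
    $info = Get-AdUserInfo -AuthUser $AuthUser
    if ($null -eq $info) { return $null }
    @{
        UID   = $info.UserId
        Name  = $info.Name
        Email = $info.Email
        Auth  = Test-AdGroupMember $info.Groups $UsersGroupDn
        Admin = Test-AdGroupMember $info.Groups $AdminGroupDn
    }
}

# Offline self-check of the escaping (needs no domain controller)
if ((ConvertTo-LdapFilterValue 'j*smith(1)') -ne 'j\2asmith\281\29') { throw 'LDAP escaping self-check failed' }
```

Test-AdGroupMember only sees direct memberships, the same limitation as reading memberOf in the answer's recordset; nested groups would need a recursive lookup or the tokenGroups attribute. The InStr-with-placeholder check in the answer is also what makes it easy to match the wrong object, which is why the example compares against a full group DN.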