I have a Java program (running on a Windows 7 virtual machine) that uses JAAS and GSSAPI to get a resource (like index.html, etc.) from IIS (running on a Windows 2012 R2 virtual machine).

It authenticates (using Kerberos) with an Active Directory domain controller (on a second Windows 2012 R2 virtual machine).

All the virtual machines are on the same domain and use the domain controller for their DNS.

There are three Active Directory users:

  1. Administrator (the default admin, obviously)
  2. testuser (a domain user)
  3. testuser2 (another domain user)

As far as I can tell, testuser and testuser2 are the same (although there may be something I haven't noticed that's different).

Using the program, I'm able to log in as all three of the above users (i.e. there are authentication requests/responses w/ it seeming like it's logged in correctly - wrong passwords cause it to fail etc.). When I try to get the resource, though, only Administrator and testuser2 are able to get it. testuser, however, receives this response:

```
HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/8.5
WWW-Authenticate: Negotiate
Date: Tue, 03 Jan 2017 06:14:15 GMT
Content-Length: 58

You do not have permission to view this directory or page.
```

As I said, there seems to be no difference between the two test users.

Additionally, when I navigate to the IIS's location in Google Chrome, I'm able to log in as all three users and view the resource (and it uses Kerberos to authenticate, as far as I can tell from the network traces).

I'm really lost. Thanks in advance :)

dram
  • 1

1 Answer

This isn't really an explanation of what was wrong or anything, but when we deleted testuser and re-made it as before, it worked. I can only assume that it mustn't have had some permissions that testuser2 had (testuser was older and had been there from fairly early on, so maybe we changed something).

dram
  • 1
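
An added example, not part of the original question or answer: before deleting and re-creating an account, the working and failing users can be compared attribute by attribute so that the actual difference is recorded. It assumes the ActiveDirectory PowerShell module is available; the function names and the choice of attributes are this example's own.

```powershell
# Added example: diff two AD accounts attribute by attribute.
# Requires the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

# Attribute selection is an assumption of this example: settings that affect
# Kerberos ticket issuance or the group SIDs that end up in the user's token.
$Props = @(
    'Enabled', 'LockedOut', 'MemberOf', 'PrimaryGroup',
    'userAccountControl', 'msDS-SupportedEncryptionTypes',
    'servicePrincipalName', 'AccountNotDelegated',
    'DoesNotRequirePreAuth', 'UseDESKeyOnly'
)

function Get-AccountSnapshot {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties $Props
    $snapshot = [ordered]@{}
    foreach ($name in $Props) {
        $value = $user.$name
        # Flatten multi-valued attributes (e.g. MemberOf) to a sorted string
        # so that ordering differences do not show up as false positives.
        if ($value -is [System.Collections.IEnumerable] -and $value -isnot [string]) {
            $value = ($value | Sort-Object) -join '; '
        }
        $snapshot[$name] = "$value"
    }
    $snapshot
}

function Compare-AccountSnapshot {
    param([Parameter(Mandatory)][string]$Working,
          [Parameter(Mandatory)][string]$Failing)
    $good = Get-AccountSnapshot $Working
    $bad  = Get-AccountSnapshot $Failing
    foreach ($name in $Props) {
        # Emit one row per attribute whose value differs between the accounts.
        if ($good[$name] -ne $bad[$name]) {
            [pscustomobject]@{
                Attribute = $name
                Working   = $good[$name]
                Failing   = $bad[$name]
            }
        }
    }
}

# Account names taken from the question above.
Compare-AccountSnapshot -Working testuser2 -Failing testuser | Format-List
```

`MemberOf` lists direct group memberships only; the primary group is reported separately and nested memberships are not expanded. An empty result means the difference lies outside these attributes.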