We have several IIS-hosted sites using Windows authentication. Some of our users can log on to one of the sites, but get a never-ending authentication challenge in another (the second one is used in an iframe of the first). We found out that the users who can't log on are using Kerberos authentication (the others NTLM). All of the sites are using the same authorization settings (useAppPoolCredentials set to true). Thus users can access one site but can't access the second one with the same settings. The app pool identity user is in the Administrators group and the IIS_IUSRS group. I also tried to use the domain user account to log on to the site from a VM and got the same never-ending authentication prompt because of Kerberos. I've read Chiranth Ramaswamy's article about IIS authentication but unfortunately couldn't find a solution to the problem. Is there any way to solve the problem?

EDIT: We also have a 2nd server with the same sites and settings.

EDIT2: I found out that I can log on using the same domain user account if I don't write the domain in the login. Thus "UserName" works and "DomainName\UserName" doesn't.

eleven_zwolf

2 Answers


Fair bit to troubleshoot there, and more detail would be helpful, including how you set Kerb up, what other sites are there, and URLs in use.

In short: I think Kerb's broken. And that to make it work, you could potentially use an IP address instead of the name. (Kerb only works if you use a name, not an IP address).

I suspect you're not decoding the tickets in the context of the App Pool Account (which, by the way, should almost never be an Administrator).

This could be because of a duplicate SPN, or some other aspect of Kerb being broken.

It's also possible it's a client-side browser setting like "Enable Integrated Windows Authentication" vs a PAC script and/or zone settings.

So! Shopping list:

  • Check the zone(s) the site is loading into if using IE.

  • Check the Enable Integrated Windows setting if using IE.

  • Reboot a broken client (or at the very least klist purge) and then get a netmon or Wireshark trace of a failed connection, from the client side. This might identify some KDC response issues, i.e. Kerberos errors being returned which provide a clue as to what might be breaking Kerb.

  • If you're using useAppPoolCredentials, odds are you've used SetSPN. Check for duplicates of all SPNs involving the site name(s).

  • Finally, if you're not using delegation, consider removing useAppPoolCredentials anyway, as by default, the System account will decode the tickets for all App Pools if there's no SPN override in place.

TristanK
  • I forgot to say that we have an identical server in the same domain and I've never met the same problem using the second one. Settings are identical. – eleven_zwolf Jul 24 '19 at 09:10
  • While I'm sure they look that way, if all the settings were identical they'd be behaving the same way. – TristanK Jul 24 '19 at 09:22
  • As an example - just say you've reused a name which turns out to exist elsewhere in the forest and has a different SPN associated with it... All things being equal, all things *are* equal :) – TristanK Jul 24 '19 at 09:23
  • Where can I find Kerb settings? I can only check if my IIS site is fit for Kerberos authentication and I have no access to the domain controller. The other 2 sites are MS CRM on-premise (we're getting access to the problem site as an IFrame of the CRM) and an ASP.NET MVC application, and it works correctly – eleven_zwolf Jul 24 '19 at 09:23
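A PowerShell audit that walks the server-side items on the shopping list above (ticket-decoding account, provider order, SPN ownership and duplicates). This is an added example, not code from the thread; it assumes it is run as an administrator on the IIS server with the WebAdministration module and setspn.exe available, and takes the site name and the host name users type as parameters.

```powershell
# Audit Windows-authentication settings and SPN registration for one IIS site.
# Assumptions (not from the thread): run elevated on the IIS server; WebAdministration
# module and setspn.exe present; $SiteName and $HostName supplied by the operator.
param(
    [Parameter(Mandatory)][string]$SiteName,
    [Parameter(Mandatory)][string]$HostName   # name in the URL, e.g. crm.corp.example
)

Import-Module WebAdministration

$winAuthPath = "system.webServer/security/authentication/windowsAuthentication"
$sitePath    = "IIS:\Sites\$SiteName"

# Older WebAdministration versions return a wrapper with .Value, newer ones the scalar.
function Get-WinAuthSetting([string]$Name) {
    $v = Get-WebConfigurationProperty -PSPath $sitePath -Filter $winAuthPath -Name $Name
    if ($v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

# 1. Which account decodes Kerberos tickets for this site?
$useAppPoolCreds = [bool](Get-WinAuthSetting 'useAppPoolCredentials')
$useKernelMode   = [bool](Get-WinAuthSetting 'useKernelMode')
$providers = (Get-WebConfigurationProperty -PSPath $sitePath -Filter "$winAuthPath/providers" -Name Collection) |
             ForEach-Object { $_.value }

$poolName = (Get-Item $sitePath).applicationPool
$pool     = Get-Item "IIS:\AppPools\$poolName"
$identity = if ($pool.processModel.identityType -eq 'SpecificUser') { $pool.processModel.userName }
            else { [string]$pool.processModel.identityType }

"Site=$SiteName AppPool=$poolName Identity=$identity"
"useAppPoolCredentials=$useAppPoolCreds useKernelMode=$useKernelMode providers=$($providers -join ', ')"

# useAppPoolCredentials=true: the pool account decodes tickets, so HTTP/<host> must be
# registered on that account only. false + kernel mode: the machine account decodes them.
if ($useAppPoolCreds -and $identity -notlike '*\*') {
    Write-Warning "useAppPoolCredentials is true but the pool runs as a built-in identity."
}
if ($useAppPoolCreds -and -not $useKernelMode) {
    Write-Warning "useAppPoolCredentials without kernel mode: verify the SPN is on $identity."
}

# 2. Which account currently owns HTTP/<host>? (domain-wide query)
"--- setspn -Q HTTP/$HostName ---"
setspn -Q "HTTP/$HostName"

# 3. Forest-wide duplicate SPN scan; any duplicate involving the host name breaks Kerberos.
"--- setspn -X -F ---"
setspn -X -F
```

Compare the output across the working and failing servers: the item that differs (pool identity, useAppPoolCredentials, provider order, or SPN owner) is the one to reconcile.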

After rebooting the server, I found out that useApplicationCredentials had returned back to false. I changed it to true and restarted IIS. After that the problem doesn't occur. But I'm not sure if it's not a coincidence. We've got the same problem on the other server. 4 machines with the same IIS settings. Two don't work correctly via Kerberos, two do. SPN wasn't configured for any of them. Also, the two that work have false in useApplicationCredentials.

I'll try the same method: reboot, set useApplicationCredentials to true if it's not, and then iisreset. But I'm pretty sure that this isn't the problem. I can't understand why Kerberos is working if the SPN isn't set.

eleven_zwolf