Sunday, January 10, 2016

Microsoft Application Request Routing with Windows Authentication

I'm running into a problem trying to get Windows Authentication working in an environment that uses Microsoft Application Request Routing and was hoping someone might be able to help.

The problem I'm running into is that only some requests are authenticated, while others fail with 401 errors. I have followed the Special Case of Running IIS 7.0 in a Web Farm instructions found at http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx to no avail.

My current server setup looks like the following:

ARR

  • Two servers set up with IIS shared configuration using IIS 7.5 on Windows 2008 R2

  • Anonymous authentication turned on for the Default Web Site

Web Farm

  • Two servers running IIS 7.5 on Windows 2008 R2
  • Three web sites set up using port binding to differentiate between virtual hosts. Ports being used are 8000, 8001, and 8002
  • Application pools for Windows Authentication all use a common domain account
  • SPN added to domain account for http/: and http/.:

The IIS logs show the following when authentication is working/failing. If I understand correctly, all requests should show DOMAIN\User_Name:

2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/stylesheets/techweb.landing.css - 8002 DOMAIN\User_Name ARR-HOST-1-IP-ADDRESS 200 0 0 62
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/user-background-right.gif - 8002 - ARR-HOST-1-IP-ADDRESS 401 2 5 0
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/user-background-left.gif - 8002 DOMAIN\User_Name ARR-HOST-IP-ADDRESS 200 0 0 31
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/user-icon.png - 8002 - ARR-HOST-1-IP-ADDRESS 401 2 5 0
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/user-icon.png - 8002 - ARR-HOST-1-IP-ADDRESS 401 1 2148074248 0
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/application-icon.png - 8002 - ARR-HOST-1-IP-ADDRESS 401 1 2148074248 0
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/user-background-right.gif - 8002 - ARR-HOST-1-IP-ADDRESS 401 1 3221225581 15
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/building.gif - 8002 DOMAIN\User_Name ARR-HOST-2-IP-ADDRESS 200 0 0 218

Does anyone know what might cause this problem and how I can resolve it?

EDIT

I do see the Negotiate headers being sent to the servers whenever I perform a network capture.

First request /home:

Request

Nothing

Response

Proxy-Support: Session-Based-Authentication
WWW-Authenticate: NTLM
WWW-Authenticate: Negotiate

Second request /home:

Request

Authorization: Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAY....

Response

Proxy-Support: Session-Based-Authentication
WWW-Authenticate: Negotiate oRUwE6ADCgEDoQwGCisGAQ....

Third (and final) request /home:

Request

Authorization: Negotiate oTMwMaADCgEBoioEKE5UTE1TU1AAAQAAAJe....

Response

Proxy-Support: Session-Based-Authentication
WWW-Authenticate: NTLM
WWW-Authenticate: Negotiate

After the third request, I get the 401 page from IIS.
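The log excerpt in the question can be triaged mechanically rather than by eye. The script below is an added example, not code from the post or from Microsoft. Its sample lines are constructed copies in the post's format (same placeholder addresses), and the decoding of sc-win32-status uses the standard Windows values: 5 is ERROR_ACCESS_DENIED, 2148074248 is 0x80090308 (SEC_E_INVALID_TOKEN) and 3221225581 is 0xC000006D (STATUS_LOGON_FAILURE). It separates the normal 401.2 challenge, which IIS logs before the client has sent any credentials, from the 401.1 entries that are real authentication failures, and counts outcomes per ARR host, which is the first thing to check when only some forwarded requests fail.

```python
"""Triage Windows-authentication outcomes in IIS W3C log lines.
Added example, not code from the post; the sample lines are constructed
to mirror the post's format, with the same placeholder addresses."""
from collections import Counter, defaultdict

# Field order used by the post's log lines (IIS 7.5 default W3C selection)
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "sc-status", "sc-substatus",
          "sc-win32-status", "time-taken"]

# sc-win32-status values that accompany 401s during a Negotiate/NTLM handshake
WIN32_STATUS = {
    5: "ERROR_ACCESS_DENIED (0x5): the challenge sent before credentials arrive",
    2148074248: "SEC_E_INVALID_TOKEN (0x80090308): SSPI could not accept the token",
    3221225581: "STATUS_LOGON_FAILURE (0xC000006D): the credentials or ticket were rejected",
}

# Constructed sample, modelled on the post's lines (not the original log)
SAMPLE_LOG = r"""
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/stylesheets/techweb.landing.css - 8002 DOMAIN\User_Name ARR-HOST-1-IP-ADDRESS 200 0 0 62
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/user-background-right.gif - 8002 - ARR-HOST-1-IP-ADDRESS 401 2 5 0
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/user-background-left.gif - 8002 DOMAIN\User_Name ARR-HOST-2-IP-ADDRESS 200 0 0 31
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/user-icon.png - 8002 - ARR-HOST-1-IP-ADDRESS 401 2 5 0
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/user-icon.png - 8002 - ARR-HOST-1-IP-ADDRESS 401 1 2148074248 0
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/application-icon.png - 8002 - ARR-HOST-1-IP-ADDRESS 401 1 2148074248 0
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/user-background-right.gif - 8002 - ARR-HOST-1-IP-ADDRESS 401 1 3221225581 15
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/building.gif - 8002 DOMAIN\User_Name ARR-HOST-2-IP-ADDRESS 200 0 0 218
"""


def parse_line(line):
    """Split one W3C line into a dict keyed by field name; numeric fields become ints."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in ("s-port", "sc-status", "sc-substatus", "sc-win32-status", "time-taken"):
        rec[key] = int(rec[key])
    return rec


def classify(rec):
    """Label a request: authenticated, the normal 401.2 challenge, or a real failure."""
    if rec["sc-status"] == 200 and rec["cs-username"] != "-":
        return "authenticated"
    if rec["sc-status"] == 401:
        # 401.2 with win32 status 5 is the server's initial challenge, not an error
        if rec["sc-substatus"] == 2 and rec["sc-win32-status"] == 5:
            return "challenge"
        return "auth-failure"
    return "other"


def triage(log_text):
    """Return (per-ARR-host outcome counts, list of real failures with decoded win32 status)."""
    per_host = defaultdict(Counter)
    failures = []
    for line in log_text.strip().splitlines():
        if not line.strip() or line.startswith("#"):   # skip blanks and W3C directive lines
            continue
        rec = parse_line(line)
        kind = classify(rec)
        per_host[rec["c-ip"]][kind] += 1
        if kind == "auth-failure":
            code = rec["sc-win32-status"]
            failures.append((rec["c-ip"], rec["cs-uri-stem"], f"401.{rec['sc-substatus']}",
                             WIN32_STATUS.get(code, f"unrecognised win32 status {code}")))
    return {host: dict(counts) for host, counts in per_host.items()}, failures


if __name__ == "__main__":
    summary, failures = triage(SAMPLE_LOG)
    for host, counts in summary.items():
        print(host, counts)
    for host, uri, status, reason in failures:
        print(f"{host} {uri} {status}: {reason}")
```

On the sample, every real failure is forwarded by the same ARR host and carries either SEC_E_INVALID_TOKEN or STATUS_LOGON_FAILURE, which points at the token the client presents through that path rather than at the content being requested; the same script run over a real log (with the c-ip field being the ARR node) gives the per-node split directly.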



Answer

Get a network packet capture of the failed requests and check the HTTP request header for the Kerberos authentication token. If you are expecting a Kerberos token and it isn't present, the issue probably isn't your servers.

I'm assuming you are expecting Kerberos because of the SPN checklist.

Refer to the following for more information:

https://serverfault.com/a/440050/20701
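The check the answer recommends, looking at the captured Negotiate token to see whether the client is offering Kerberos or falling back to NTLM, can be done on the base64 value of the header itself. The script below is an added example, not code from the answer or from Microsoft; it carries a minimal DER reader for the SPNEGO structure (RFC 4178), a small encoder used only to construct its own sample tokens with placeholder blobs (no real tickets or NTLM messages), and the mechanism OIDs for Kerberos, Microsoft's legacy Kerberos OID and NTLMSSP. The names inspect_negotiate, build_neg_token_init and build_neg_token_resp are the example's own.

```python
"""Report which GSS mechanism a Negotiate header carries by decoding its SPNEGO
token (RFC 4178). Added example, not code from the answer or from Microsoft."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
MECHS = {
    "1.2.840.113554.1.2.2": "Kerberos",
    "1.2.840.48018.1.2.2": "Kerberos (Microsoft legacy OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}


def encode_oid(dotted):
    """Dotted OID string -> DER content bytes (first two arcs packed, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(data):
    """DER OID content bytes -> dotted string."""
    arcs, value = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def der(tag, content):
    """Wrap content in a DER tag/length header (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content


def read_tlv(data, pos=0):
    """Read one DER element at pos; return (tag, content, position after it)."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                               # long-form length
        n = first & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated token")
    return tag, data[pos:end], end


def inspect_negotiate(header_value):
    """Describe the token in 'Negotiate <base64>': token kind and mechanisms offered."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):           # bare NTLM sent under the Negotiate scheme
        return {"kind": "raw NTLM", "mechs": ["NTLMSSP"], "preferred": "NTLMSSP"}
    tag, body, _ = read_tlv(token)
    if tag == 0xA1:                                # NegTokenResp: a later leg of the exchange
        mechs = ["NTLMSSP"] if b"NTLMSSP\x00" in body else []
        return {"kind": "NegTokenResp", "mechs": mechs, "preferred": mechs[0] if mechs else None}
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    otag, oid, pos = read_tlv(body)
    if otag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("token is not SPNEGO")
    _, neg_init, _ = read_tlv(body, pos)           # [0] NegTokenInit
    _, fields, _ = read_tlv(neg_init)              # SEQUENCE of its fields
    ftag, mech_types, _ = read_tlv(fields)         # [0] mechTypes comes first
    if ftag != 0xA0:
        raise ValueError("mechTypes missing")
    _, mech_list, _ = read_tlv(mech_types)         # SEQUENCE OF OID, preferred mechanism first
    mechs, pos = [], 0
    while pos < len(mech_list):
        _, oid, pos = read_tlv(mech_list, pos)
        mechs.append(MECHS.get(decode_oid(oid), decode_oid(oid)))
    return {"kind": "NegTokenInit", "mechs": mechs, "preferred": mechs[0]}


# Constructed sample tokens: placeholder blobs stand in for real tickets/NTLM messages
def build_neg_token_init(mech_oids, mech_token):
    mech_list = der(0x30, b"".join(der(0x06, encode_oid(o)) for o in mech_oids))
    fields = der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token))
    return der(0x60, der(0x06, encode_oid(SPNEGO_OID)) + der(0xA0, der(0x30, fields)))


def build_neg_token_resp(response_token):
    fields = der(0xA0, der(0x0A, b"\x01")) + der(0xA2, der(0x04, response_token))  # accept-incomplete
    return der(0xA1, der(0x30, fields))


def header(token):
    return "Negotiate " + base64.b64encode(token).decode("ascii")


KERB_FIRST = header(build_neg_token_init(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"], b"placeholder-ap-req"))
NTLM_FIRST = header(build_neg_token_init(["1.3.6.1.4.1.311.2.2.10"], b"NTLMSSP\x00\x01\x00\x00\x00"))
NTLM_RESP = header(build_neg_token_resp(b"NTLMSSP\x00\x01\x00\x00\x00"))

if __name__ == "__main__":
    for name, value in (("kerberos-first", KERB_FIRST), ("ntlm-only", NTLM_FIRST), ("resp", NTLM_RESP)):
        print(name, inspect_negotiate(value))
```

A header whose value starts with "YI" is a GSS-API initial token (tag 0x60), and one starting with "o" is a NegTokenResp (tag 0xA1), which matches the shapes of the tokens quoted in the question. The question's tokens are truncated, so the script cannot parse them whole, but the visible prefix of the second request lists a first mechType OID in the 1.3.6.1.4.1 arc (the NTLMSSP OID) rather than a Kerberos OID, and the third request's NegTokenResp embeds an NTLMSSP blob; a Kerberos-capable client would list a 1.2.840 Kerberos OID first, which is the difference the answer tells you to look for.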

