I am moving some old web applications from an old Server to a Server 2016. We are using a domain account for the application identity and we need to use windows authentication. I am getting a 401.3 error when I try a test.html page on the server. I am only getting this for static content though as I tried a home.aspx page and that page worked.
Things I have tried/checked
Static Content is installed under the Common HTTP Features
The domain account used for the app pool has full access to the directory containing test.html
Tried NTLM first as provider instead of Negotiate on IIS Windows Authentication Providers
Tried "Enable Kernel-mode authentication" checked and unchecked
Tried all settings of "Extended Protection" under Advanced settings for windows authentication.
Tried ProcMon. All I get when I filter for test.html is 2 QueryOpen operations with result SUCCESS
The solution for this was that we need to have the account that was running the application pool set up in the "Impersonate a client after authentication." Our local group policy had this locked down. I am guessing the default install may have IIS_USRS group in this policy but our server did not.
Related
I've got a new server build running Windows Server 2012 R2, IIS 8.5 (inc. ClassicASP feature) and SQL Server 2014 Express. I want to use Application Pool Identity to connect to the database. The database is set to "Windows Authentication Mode".
My Application Pool Identity is called activbase.net. I've set up a Security Login in SQL Server called IIS AppPool\activbase.net and user mapped it my database with db_datareader and db_datawriter access.
However when I try to access the database from the website, I get:
Cannot open database "ActivbaseLive" requested by the login. The login failed.
I thought this was enough to get the connection working.
The Application Log (Event Viewer) shows:
Login failed for user 'NT AUTHORITY\IUSR'. Reason: Failed to open the explicitly specified database 'ActivbaseLive'. [CLIENT: ]
So I have added NT AUTHORITY\IUSR likewise to the SQL Server>Security>Logins and Databases>[ActivbaseLive]>Security>Users and this fixes the problem.
My questions are as follows:
Should I be needing to add NT AUTHORITY\IUSR login/user in addition to IIS AppPool\activbase.net login/user to my SQL Server Instance and database?
Is there a security issue with doing this? (NOTE: this will be a production environment)
Thanks,
Chris
No. You don't need to add an SQL Server login for the NT AUTHORITY\IUSR identity in addition to the IIS AppPool\activbase.net identity. A login for the IIS AppPool\activbase.net application pool identity alone is adequate for connecting to SQL Server using Windows Authentication.
NT AUTHORITY\IUSR is a built-in Windows account that is the default identity used when Anonymous Authentication is enabled for your application. This page describes the rationale for the account.
To connect to your database with the IIS AppPool\activbase.net identity, you need to change the account set up for anonymous users from NT AUTHORITY\IUSR to your IIS AppPool\activbase.net application pool identity. Proceed as follows to make this change:
Open Internet Information Services (IIS) Manager.
In the Connections panel, locate and click to select the website hosting your application e.g. Default Web Site. (If you want to configure a specific application under your website, you can select the application.)
In the Features View in the center panel, double-click Authentication.
Anonymous Authentication will most likely be enabled in your setup. Right-click Anonymous Authentication, and select Edit.
In the Edit Anonymous Authentication Credentials dialog box, click the Application pool identity option, and then click OK.
The question in the link below (and its answer) addresses the same issue:
Login failed for user NT AUTHORITY\IUSR
With regard to your second question, "Is there a security issue with doing this?", the answer is, "Yes". You preferably don't want the NT AUTHORITY\IUSR built-in account having access to your SQL Server database since it is used as the default anonymous account on any other websites (and their applications) hosted on your IIS web server. This means those other websites and applications would be able to connect to your database. If they are compromised in an attack, they could potentially be used to access your data. So it's best not to have an SQL Server login for NT AUTHORITY\IUSR. Instead, limit database access to your website's (or application's) application pool identity.
I have deployed an MVC 3 website on IIS of my Windows Server 2003 edition. I have set the authentication to Basic, Integrated, and Windows in order to enable site to use Windows authentication, and automatically log in into website if the user has launched the site from the same domain. If user access the site from another domain, it should prompt the Windows credentials and should allow user to log in.
However the problem is that, user is presented with Windows login prompt every time (irrespective to same or different domain), and also when user provides valid credentials it doesn't allow user to access the site.
What could be the problem here? Or, can anyone provide me proper guide to configure IIS to use Windows Authentication while deployed on Windows Server 2003?
What is the version of IIS you are using ? Could you try to force NTLM authentication and see whether it will change anything ? Followin technet article will tell you how to change to NTML http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/7258232a-5e16-4a83-b76e-11e07c3f2615.mspx?mfr=true. Please backup the server/iis configs before attempting any modifications to the metabase
I have setup a secure(Kerberos) Oozie environment in CentOS 6.3 using CDH 4.1.2. I am able to view the Oozie web console from CentOS machine which is hosted in server. But is there a way to view the webconsole from my local Windows machine.
I have tried creating a HTTP principal with my windows machine as hostname. I am able to get a valid ticket for HTTP principal. But when I open the Oozie Web Console, I get the following error
org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
Am I missing something. Help me guys.
Thanks,
Vishnu Ganth
This error occurs because your browser sends request for NTLM authentication instead of kerberos.
In internet explorer follow below steps,
go to Internet Options
In security tab, select Local intranet.
Click Custom Level in the below, Make sure Automatic logon only in intranet zone under the User Authentication section.
In the Internet Options, select Advanced tab and make sure enable Integrated Windows Authentication selected under security section.
Once the above steps done, it will work on both internet explorer and google chrome.
If you are accesing it from the Cross realm, your widows-based clients should know the KDC location to create proper SPNEGO token. You need either create a separate policy in your AD for that type of users or you can manually from command line add mappings in client machine's registeries so that they would know about your Hadoop realm KDC:
ksetup /addkdc HADOOP.DOMAIN.COM hadoop.nodewithkdc.com
ksetup /addhosttorealmmap hadoop.nodewithkdc.com HADOOP.DOMAIN.COM
I recently upgraded my Intranet web server to Server 2008 x64 running IIS 7.5. The staff website that I maintain uses NTLM to tell which user is viewing the page and display appropriate content based on that. Since the upgrade or MAC clients can no longer connect through Safari and Firefox is no longer accepting the about:config setting of network.automatic-ntlm-auth.trusted-uris. I had to remove the FQDN from that entry for them to not get the 401 page only.
My development server is still a Server 2003 box with IIS6 and the MACs can authenticate to that both through Safari and firefox with no problems.
I checked on the new IIS7 server for the registry key LmCompatibilityLevel located in HKLM\SYSTEM\CurrentControlSet\Control\Lsa but this key is not there. So my understanding is that it will result in level 0 by default allowing LM, NTLM and NTLM v2 auth requests.
Any suggestions on how to get authentication back?
Had a similar problem with Safari forcing users to login innumerable times and this fixed it for me:
In IIS Manager (IIS 7), navigate to the website and right-click on Authentication to "Open feature".
Right-click on "Windows Authentication" and select "Providers" which should display Negotiate & NTLM
Remove "Negotiate" and restart the website and it should work with a single login prompt.
I have just installed Windows Server 2003 Standard Edition and therefore IIS6 (comes as standard). I have also install the windows component that enable the administration of IIS from the browser (https://server:8098/). The problem I have is that I have to log-in to this tool but the Server Administrator u/name and p/word does not let me in.
The Windows documentation on this tool (http://support.microsoft.com/kb/324282) says "You are prompted for a user name and password that exist on the Web Server" but none of the standard user acounts on the server let me in.
Thanks,
Here are a couple ideas:
Take a look at the security log on the server for clues.
Look at the "Directory Security" tab on the properties of the admin site and ensure "Enable anonymous access" is unchecked. You will need to use "Integrated Windows authentication" or "Basic authentication". If you use Basic auth then the password is sent across then network base64 encoded - you will want to use SSL to encrypt it.
Is there a specific requirement to use the web tools? You can download Internet Information Services (IIS) 6.0 Manager for Windows XP from Microsoft and run it from a client.
I'm not so sure now, haven't set up a Win 2003 box in a while but as far as I remember you have to activate remote desktop first and then you can use a RDP client to access the server. I recommend that over the ActiveX RDP client.
Is the server part of a domain? It may be defaulting to a domain username/password combo rather than a local username/password.
Try "server.domain.local\administrator" or "administrator#server.domain.local".
I would check the permissions on that site in IIS - make sure you are using an account that is a member of a group specifically assigned permissions. I understand that the builtin admin account is not working but its possible the site permissions have changed removing that account or group. - hope that makes some sort of sense
This might be unlikely, but are you trying to use a username that has a blank password? Windows restricts remote access when using those accounts.
If that's the case, you can check the Group Policy (gpedit.msc for local computer, or the one for domains if it's in a domain.):
Computer Configuration
Windows Settings
Security Settings
Local Policies
Accounts: Limit local account use of blank passwords to console logon only