
IIS 6.0 SSO not working

Status
Not open for further replies.

roboh07

Programmer
Apr 24, 2009
7
US
We have a box that had some misfortunes recently, in that its image got overwritten by a misdirected push. It was the admin's fault, and it was restored, but since then the SSO has not worked.

Basically, the problem is if Windows Authentication is enabled, you get prompted for your login/password. If you enable anonymous access, then the site displays fine, except you have to manually logon.

I feel confident I've eliminated the application as the problem; it seems more likely that something's not authenticating correctly from inside IIS. So does anyone have any ideas on how I can debug IIS?

I've already run accesschk against the directories, and IUSR has access to the site and is on all subfolders.
 
No, SSL is not enabled. For some reason "Accept client certificates" was checked, so I set it to "Ignore client certificates".
 
Sorry, still getting the same error message. But it was a good guess. I didn't even think to check SSL.
 
Ok so a real basic thing here that can cause this...

Is your website added to the trusted sites or intranet sites zone in your Internet Explorer properties? Assuming it is, are the security properties for that zone set to always log on using the current username and password?

If those options are set in IE on the box you are testing from, are you logged onto the system with an account that has access to the website (aka, a domain account vs. a user local account on the local machine)?

- Brandon Wilson
MCSE:Security00/03; MCSA:Security03
MCSA:Messaging00; MCP; A+
IT Pangaea (
 
I see where you're going with this, but I don't think it's an IE problem. The box in question is our DEV box. We have UA and Prod boxes that are set up the same way and the SSO works fine. Also, I can connect from my computer to those boxes without any problems.

It seems that there is some issue with the DEV box authenticating with ActiveDirectory, but I'm not all that experienced with AD or how to debug problems with it.
 
When Windows Integrated Authentication is enabled, basically, it is passing the credentials of the user that is logged in on to the domain controller to authenticate that the user exists. This functionality is not single sign-on technically; it's delegated authentication, basically.

Check the delegation settings on the computer objects for the production servers and see if there is anything set. Maybe the application requires the server to be trusted for delegation.

- Brandon Wilson
MCSE:Security00/03; MCSA:Security03
MCSA:Messaging00; MCP; A+
IT Pangaea (
 
I started down that path, but then decided to take the application out of the equation completely. I created a simple webpage called test.html (it displays 'Test Successful'). I stuck that in its own Virtual Directory and turned WinAuth on. I did that both in DEV and UA. The UA version works, the DEV version prompts me to log on.
 
OK, when you access the dev vs. the prod web pages, is the domain name different or the same? If they are different, that leads back to checking IE settings before anything...

Can you generate the problem manually one more time, then send the contents of the latest W3SVC log file?

- Brandon Wilson
MCSE:Security00/03; MCSA:Security03
MCSA:Messaging00; MCP; A+
IT Pangaea (
 
Same domain.

Here's a snippet from the log file (I forced a refresh, so it's clean before this point).

2009-05-12 12:04:14 W3SVC1 xxx.28.1.67 HEAD /iisstart.htm - 443 - xxx.26.72.50 - 302 0 0
2009-05-12 12:06:49 W3SVC1 xxx.28.1.67 GET /test/test.html - 80 - xxx.24.12.246 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+InfoPath.1) 401 2 2148074254
2009-05-12 12:08:58 W3SVC1 xxx.28.1.67 HEAD /iisstart.htm - 443 - xxx.28.7.26 - 302 0 0
2009-05-12 12:09:08 W3SVC1 xxx.28.1.67 GET /test/test.html - 80 - xxx.24.12.246 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+InfoPath.1) 401 2 2148074254
2009-05-12 12:09:08 W3SVC1 xxx.28.1.67 GET /test/test.html - 80 - xxx.24.12.246 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+InfoPath.1) 401 1 0
2009-05-12 12:09:08 W3SVC1 xxx.28.1.67 GET /test/test.html - 80 - xxx.24.12.246 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+InfoPath.1) 401 1 0
2009-05-12 12:09:13 W3SVC1 xxx.28.1.67 GET /test/test.html - 80 - xxx.24.12.246 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+InfoPath.1) 401 1 0
2009-05-12 12:09:13 W3SVC1 xxx.28.1.67 GET /test/test.html - 80 - xxx.24.12.246 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+InfoPath.1) 401 1 2148074252
2009-05-12 12:09:13 W3SVC1 xxx.28.1.67 GET /test/test.html - 80 - xxx.24.12.246 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+InfoPath.1) 401 1 0
2009-05-12 12:09:13 W3SVC1 xxx.28.1.67 GET /test/test.html - 80 - xxx.24.12.246 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+InfoPath.1) 401 1 2148074252
2009-05-12 12:09:14 W3SVC1 xxx.28.1.67 GET /test/test.html - 80 - xxx.24.12.246 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+InfoPath.1) 401 1 0
2009-05-12 12:09:14 W3SVC1 xxx.28.1.67 GET /test/test.html - 80 - xxx.24.12.246 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+InfoPath.1) 401 1 2148074252
2009-05-12 12:09:14 W3SVC1 xxx.28.1.67 HEAD /iisstart.htm - 443 - xxx.26.72.50 - 302 0 0
 
I thought you said it wasn't using SSL. I see multiple SSL connection attempts there:

2009-05-12 12:09:14 W3SVC1 xxx.28.1.67 HEAD /iisstart.htm - 443 - xxx.26.72.50 - 302 0 0

- Brandon Wilson
MCSE:Security00/03; MCSA:Security03
MCSA:Messaging00; MCP; A+
IT Pangaea (
 
Not sure why the SSL port is getting pinged in the log. The SSL port is defined on the server, but SSL is not enabled in the directory security tab. Is defining the SSL port causing a problem?

Besides, all log entries against the test page use port 80.
 
Yeah, the timeframes are far enough from each other that it doesn't seem to be the call into the page causing the call to 443. I just saw 443 and didn't read beyond that.

To answer your question, I somewhat doubt the port being defined will mess with you, but if you aren't using SSL, it shouldn't need to be listed....

I see the 401.1 error (login failed)...the trailing 2148074252 means SEC_E_LOGON_DENIED...this somewhat tells me that invalid credentials may be being passed...

- Brandon Wilson
MCSE:Security00/03; MCSA:Security03
MCSA:Messaging00; MCP; A+
IT Pangaea (
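The decoding Brandon does by hand on the log above (HTTP status, IIS substatus, and the trailing sc-win32-status HRESULT) is easy to automate, which matters when the log has thousands of lines instead of ten. The script below is an added example for this thread, not code from the thread or from Microsoft. It assumes the default IIS 6 field order, since the snippet posted here carries no `#Fields:` header; the sample lines are the thread's own entries with the user-agent token shortened. It groups the 401 entries per client and resource, counts the challenge / handshake / denied steps, and reports which ports the resource was hit on, so the reader can see in one pass that the test page was only ever requested on port 80 and that the exchange ends in SEC_E_LOGON_DENIED rather than in a 401.3 ACL failure.

```python
"""Decode IIS 6.0 W3C extended log entries to explain Windows-auth failures.

Added example for this thread (not the thread's or Microsoft's code).
Field order is an assumption: the posted snippet has no '#Fields:' header,
so the default IIS 6 selection is used.
"""
from collections import defaultdict

FIELDS = [
    "date", "time", "s-sitename", "s-ip", "cs-method", "cs-uri-stem",
    "cs-uri-query", "s-port", "cs-username", "c-ip", "cs(User-Agent)",
    "sc-status", "sc-substatus", "sc-win32-status",
]

# sc-win32-status is an unsigned 32-bit HRESULT logged in decimal.
# 2148074252 == 0x8009030C, the value the thread decodes as SEC_E_LOGON_DENIED.
WIN32_STATUS = {
    0x00000000: "no Win32 error",
    0x80090308: "SEC_E_INVALID_TOKEN (malformed or unexpected auth token)",
    0x8009030C: "SEC_E_LOGON_DENIED (logon provider rejected the credentials)",
    0x8009030E: "SEC_E_NO_CREDENTIALS (client sent none yet; the server's first challenge)",
}

# IIS 6 substatus codes for HTTP 401.
SUBSTATUS_401 = {
    1: "401.1 logon failed",
    2: "401.2 logon failed due to server configuration",
    3: "401.3 unauthorized due to ACL on the resource",
    4: "401.4 authorization failed by an ISAPI filter",
    5: "401.5 authorization failed by an ISAPI/CGI application",
}

# Sample input: the thread's log lines, user-agent token shortened.
SAMPLE_LOG = [
    "2009-05-12 12:04:14 W3SVC1 xxx.28.1.67 HEAD /iisstart.htm - 443 - xxx.26.72.50 - 302 0 0",
    "2009-05-12 12:06:49 W3SVC1 xxx.28.1.67 GET /test/test.html - 80 - xxx.24.12.246 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 2148074254",
    "2009-05-12 12:09:08 W3SVC1 xxx.28.1.67 GET /test/test.html - 80 - xxx.24.12.246 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 2148074254",
    "2009-05-12 12:09:08 W3SVC1 xxx.28.1.67 GET /test/test.html - 80 - xxx.24.12.246 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 0",
    "2009-05-12 12:09:08 W3SVC1 xxx.28.1.67 GET /test/test.html - 80 - xxx.24.12.246 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 0",
    "2009-05-12 12:09:13 W3SVC1 xxx.28.1.67 GET /test/test.html - 80 - xxx.24.12.246 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 0",
    "2009-05-12 12:09:13 W3SVC1 xxx.28.1.67 GET /test/test.html - 80 - xxx.24.12.246 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 2148074252",
    "2009-05-12 12:09:13 W3SVC1 xxx.28.1.67 GET /test/test.html - 80 - xxx.24.12.246 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 0",
    "2009-05-12 12:09:13 W3SVC1 xxx.28.1.67 GET /test/test.html - 80 - xxx.24.12.246 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 2148074252",
    "2009-05-12 12:09:14 W3SVC1 xxx.28.1.67 GET /test/test.html - 80 - xxx.24.12.246 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 0",
    "2009-05-12 12:09:14 W3SVC1 xxx.28.1.67 GET /test/test.html - 80 - xxx.24.12.246 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 2148074252",
    "2009-05-12 12:09:14 W3SVC1 xxx.28.1.67 HEAD /iisstart.htm - 443 - xxx.26.72.50 - 302 0 0",
]


def parse_line(line):
    """Split one W3C extended log line into a dict keyed by field name.
    Returns None for directives (#...) and for lines with an unexpected field count."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    entry = dict(zip(FIELDS, parts))
    for key in ("s-port", "sc-status", "sc-substatus", "sc-win32-status"):
        entry[key] = int(entry[key])
    return entry


def describe(entry):
    """Human-readable reading of the status / substatus / win32 triple."""
    status, sub, win32 = entry["sc-status"], entry["sc-substatus"], entry["sc-win32-status"]
    if status != 401:
        return "HTTP %d" % status
    sub_text = SUBSTATUS_401.get(sub, "401.%d" % sub)
    win_text = WIN32_STATUS.get(win32, "unknown HRESULT")
    return "%s; win32 0x%08X = %s" % (sub_text, win32, win_text)


def audit(lines):
    """Group 401s per (client, resource); flag exchanges that ended in SEC_E_LOGON_DENIED."""
    by_key = defaultdict(list)
    ports = defaultdict(set)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        ports[entry["cs-uri-stem"]].add(entry["s-port"])
        if entry["sc-status"] == 401:
            by_key[(entry["c-ip"], entry["cs-uri-stem"])].append(entry)
    findings = []
    for (client, uri), entries in sorted(by_key.items()):
        codes = [e["sc-win32-status"] for e in entries]
        if 0x8009030C not in codes:
            continue
        findings.append({
            "client": client,
            "uri": uri,
            "ports": sorted(ports[uri]),
            "challenges": codes.count(0x8009030E),   # 401.2 with no credentials
            "handshake_steps": codes.count(0),       # 401.1 with win32 0: NTLM/Negotiate legs
            "denied": codes.count(0x8009030C),       # 401.1 SEC_E_LOGON_DENIED
            "acl_failures": sum(1 for e in entries if e["sc-substatus"] == 3),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f)
```

A finding with `denied` greater than zero and `acl_failures` equal to zero says the credentials reached the logon provider and were rejected there, which is Brandon's reading of the thread's log; a 401.3 would instead point back at the NTFS ACLs that accesschk already covered. The `ports` list settles the 443 question for the resource in one glance.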
 