Constrained delegation question!

Tony201
      06-22-2009

Can I use constrained delegation to allow my web application to control
services on a remote server? At the moment, I have code that when run on my
local machine (XP - no double hop) is able to control services on remote
servers. However, when I move the web application to an IIS server, I get the
error listed below. I am guessing that I need to set up an SPN but don't know
how to do it for the Service Control Manager. Any ideas?

[Win32Exception (0x80004005): Access is denied]

[InvalidOperationException: Cannot open Service Control Manager on computer
'serverxxxx'. This operation might require other privileges.]

System.ServiceProcess.ServiceController.GetDataBaseHandleWithAccess(String machineName, Int32 serviceControlManaqerAccess) +35775
System.ServiceProcess.ServiceController.GetDataBaseHandleWithEnumerateAccess(String machineName) +9
System.ServiceProcess.ServiceController.GetServicesOfType(String machineName, Int32 serviceType) +143
System.ServiceProcess.ServiceController.GetServices(String machineName) +9
AutonomyAdmin.test.test2() +400
AutonomyAdmin.test.Page_Load(Object sender, EventArgs e) +137
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +14
System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +35
System.Web.UI.Control.OnLoad(EventArgs e) +99
System.Web.UI.Control.LoadRecursive() +50
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +627

Joe Kaplan
      06-22-2009

It should work although I've never tested this scenario.

I'd suggest delegating the SPN for HOST/server to the IIS app pool identity
(or the computer account if you use network service or system) to see if
that works. If you are using the full DNS name to connect to the remote
machine, use that SPN instead. You can also delegate both.

If you are getting Kerberos authentication to the remote machine, then the
constrained delegation should work here. You can check the security event
logs on the remote machine to discover how you are authenticating. If you
get NTLM, then it will not work.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net


Tony201
      06-22-2009

Hi Joe,

Thanks for the reply. For this application, I have already set up delegation
for SQL Server access, so I have an SPN for my DNS/IIS App Pool Identity. In
Active Directory under the delegation tab (for IIS App Pool Identity), I have
allowed delegation to the SQL Server service; however, I don't know how to
allow delegation to the Service Control Manager. E.g., for SQL Server, under the
delegation tab, I click add and then type in the account that I created the
SQL Server SPN for. For allowing Service Control Manager, which user would I
need to type in and then what service should I add? Alternatively, how would
I set up an SPN to allow delegation to Windows Services?

Cheers,
Tan

Joe Kaplan
      06-22-2009

The account to delegate to would be the domain computer account for the
machine running the services. I think you should be able to use the service
type "HOST" which is a wildcard for a bunch of stuff and typically covers
these built in RPC things like remote management.

I'm not sure what this would look like in the GUI exactly. I usually make
this type of change using a lower level tool but hopefully this gives you
the idea.

You should not need to create a new SPN though. You are just delegating to
an existing one. The HOST/xxx SPNs for the computer account are created
automatically when the machine is joined to the domain.


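As an added example (not code from the thread, and not from any Microsoft tool), here is a small Python check that encodes Joe's advice above: the app pool account's constrained-delegation list (the Delegation tab, stored in AD as the account's msDS-AllowedToDelegateTo attribute) has to contain the target computer's HOST/short and HOST/fqdn SPNs, and the name the web app connects with has to be a host name, since Kerberos cannot build an SPN from an IP address. The account contents, host names and DNS suffix are constructed placeholders.

```python
"""Check an IIS app pool account's constrained-delegation list against the
machine the web app manages, and check that the name used to reach that
machine can be used for Kerberos at all.

Added example, not code from the thread. The Delegation tab is modelled as
the list of SPNs in the account's msDS-AllowedToDelegateTo attribute; the
list contents, host names and DNS suffix are constructed placeholders.
"""
import ipaddress

# Constructed: the app pool account after delegation to SQL Server was added
# (as in the thread) but before the target host's HOST service was.
APP_POOL_ALLOWED_TO_DELEGATE_TO = [
    "MSSQLSvc/sqlbox.corp.example:1433",
    "MSSQLSvc/sqlbox:1433",
]


def host_spns(target, dns_suffix):
    """HOST/<short> and HOST/<fqdn>: the SPNs a domain join registers on the
    target's computer account. Delegation is matched against the exact SPN
    the client requested a ticket for, so both names are listed."""
    short = target.split(".")[0]
    return {f"HOST/{short}", f"HOST/{short}.{dns_suffix}"}


def kerberos_usable(name):
    """Kerberos derives the SPN from the host name; an IP literal cannot be
    mapped to one, so the client falls back to NTLM, which is not delegable."""
    try:
        ipaddress.ip_address(name)
        return False
    except ValueError:
        return bool(name)


def missing_delegation(allowed, target, dns_suffix):
    """HOST SPNs of target that the account is not yet allowed to delegate to
    (SPNs compare case-insensitively, as AD does)."""
    have = {spn.lower() for spn in allowed}
    return sorted(s for s in host_spns(target, dns_suffix) if s.lower() not in have)


def delegation_report(allowed, target, dns_suffix):
    """Verdict for the second hop: usable target name, and HOST SPNs present."""
    if not kerberos_usable(target):
        return {"ok": False, "missing": [],
                "reason": f"{target!r} is not a host name; Kerberos cannot target an IP address"}
    missing = missing_delegation(allowed, target, dns_suffix)
    if missing:
        return {"ok": False, "missing": missing,
                "reason": "add these SPNs on the account's Delegation tab (msDS-AllowedToDelegateTo)"}
    return {"ok": True, "missing": [],
            "reason": "delegation to the target's HOST service is configured"}


if __name__ == "__main__":
    for target in ("serverxxxx", "172.16.224.1"):
        print(target, delegation_report(APP_POOL_ALLOWED_TO_DELEGATE_TO, target, "corp.example"))
```

Run as a script it reports the two HOST SPNs still missing for the constructed account and rejects the IP-address form of the target outright, which is the same pair of conditions the later posts in this thread run into.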

Tony201
      06-23-2009

Hi Joe,

You are right, there is a service called HOST on the target server which I
have now delegated to the IIS AppPool account. However, I am still getting
access denied. The one thing I forgot to mention in my earlier posts is that
when I browse to the application locally (i.e. on the web server), it works;
however, when I browse to it from an XP box I get access denied.

The thing that perplexes me is that there are no failure audit events on
any of the servers, including the domain controllers. The only 2 events that
might be related (i.e. they are generated every time I browse to the application
from my XP box and they mention the web server name) I have listed
below.

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 23/06/2009
Time: 10:22:03
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: TARGET-SERVER
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x7D98711)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: WEB-SERVER
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 172.16.224.1
Source Port: 0
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 23/06/2009
Time: 10:22:06
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: TARGET-SERVER
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x7D98711)
Logon Type: 3
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


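Joe's earlier suggestion was to read the target server's security event log to see how the web server is authenticating; the two events above are exactly the pattern to look for. As an added example (not code from the thread), here is a Python classifier for that Windows Server 2003 "Key: value" event text: it parses each event, keeps the successful network logons (event 540) that came from the web server, and labels them Kerberos, NTLM, or NTLM as ANONYMOUS LOGON, the last being the signature of a failed double hop. The three sample events are constructed in the shape of the posted ones, with placeholder names, times and logon IDs.

```python
"""Classify the Logon/Logoff audit events a target server records when an
IIS web server connects to it, so the second hop of a delegation chain can
be checked for Kerberos versus NTLM.

Added example, not code from the thread. It parses the Windows Server 2003
"Key: value" event text quoted in the posts; the events below are
constructed in that shape with placeholder names, times and logon IDs.
"""
import re

# Constructed sample: an anonymous NTLM logon and its logoff (the failed
# double hop) followed by a Kerberos logon of a real user.
SAMPLE_EVENTS = """\
Event ID: 540
Time: 10:22:03
User: NT AUTHORITY\\ANONYMOUS LOGON
Logon ID: (0x0,0x7D98711)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: WEB-SERVER
Source Network Address: 172.16.224.1

Event ID: 538
Time: 10:22:06
User: NT AUTHORITY\\ANONYMOUS LOGON
Logon ID: (0x0,0x7D98711)
Logon Type: 3

Event ID: 540
Time: 11:34:36
User: CORP\\alice
Logon ID: (0x0,0x98B42A2)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Source Network Address: 172.16.224.1
"""

_KV = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")

EXPLANATION = {
    "kerberos": "Kerberos ticket presented: constrained delegation can work on this hop",
    "ntlm-anonymous": "NTLM with no credentials: the web server held no delegable "
                      "ticket for the user (double-hop failure)",
    "ntlm": "NTLM logon: the user authenticated, but NTLM cannot be delegated onward",
    "other": "unrecognised authentication package",
}


def parse_events(text):
    """Split blank-line-separated events into dicts of their 'Key: value'
    lines. Keys with no value (e.g. 'Workstation Name:') map to ''."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = _KV.match(line.strip())
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if fields:
            events.append(fields)
    return events


def classify(event):
    """Verdict for an event 540 network logon (type 3); None for other events."""
    if event.get("Event ID") != "540" or event.get("Logon Type") != "3":
        return None
    package = event.get("Authentication Package", "").upper()
    user = event.get("User", "").upper()
    if package == "KERBEROS":
        return "kerberos"
    if package == "NTLM":
        return "ntlm-anonymous" if "ANONYMOUS LOGON" in user else "ntlm"
    return "other"


def diagnose(text, web_server):
    """One finding per network logon that came from web_server. Kerberos
    logons often leave Workstation Name blank (as in the thread), so only a
    non-empty, different workstation name excludes an event."""
    findings = []
    for ev in parse_events(text):
        verdict = classify(ev)
        if verdict is None:
            continue
        src = ev.get("Workstation Name", "")
        if src and src.upper() != web_server.upper():
            continue
        findings.append({
            "time": ev.get("Time", ""),
            "user": ev.get("User", ""),
            "source": src or ev.get("Source Network Address", ""),
            "verdict": verdict,
            "note": EXPLANATION[verdict],
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_EVENTS, "WEB-SERVER"):
        print(f"{f['time']} {f['user']:<30} {f['verdict']:<15} {f['note']}")
```

On the constructed sample the first 540 event is reported as ntlm-anonymous and the second as kerberos; the 538 logoff is skipped. Pointed at an export of the real log, a run that shows only ntlm-anonymous findings from the web server means the first hop (browser to IIS) did not produce a Kerberos ticket that IIS could forward, which is the situation the next reply in this thread describes.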

Joe Kaplan
      06-23-2009

Normally when you see an anonymous login being attempted with NTLM, it is
because the client did not attempt Kerberos authentication to access the
remote server.

When you connect to the remote machine in your code to manage the service
control manager, are you using an IP address or the host name? Kerb
requires the use of the host name.

You might start by using a simple console app on the web server to access
the remote SCM and seeing what type of authentication is recorded on the
remote machine in the security event log. What you are looking for is a
Kerberos-based authentication to that machine. If you can only get NTLM
auth to the remote machine, you won't be able to get Kerb delegation to
work. Hopefully this helps flesh out your mental model.

Tony201
Guest
Posts: n/a
 
      06-24-2009

Joe,

I am using the hostname in my code

dGrid.DataSource = ServiceController.GetServices("serverxxxx");

On the web server, I tried browsing to the application using the IP address.
This works and I get events logged that indicate that Kerb authentication
has taken place (see below). However, when I use the DNS name to browse to
the application, it gives me an access denied error and I get the NT
AUTHORITY\ANONYMOUS LOGON event. I am not sure why this is so.

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 24/06/2009
Time: 11:35:07
User: Domain\Username
Computer: TargetServer
Description:
User Logoff:
User Name: Username
Domain: WEB
Logon ID: (0x0,0x98B42A2)
Logon Type: 3
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 24/06/2009
Time: 11:34:36
User: Domain\Username
Computer: TargetServer
Description:
Successful Network Logon:
User Name: Username
Domain: Domain
Logon ID: (0x0,0x98B42A2)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {2c253827-89be-8166-d10a-865d2075808e}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 172.16.224.1
Source Port: 0
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 576
Date: 24/06/2009
Time: 11:34:36
User: Domain\Username
Computer: TargetServer
Description:
Special privileges assigned to new logon:
User Name: Username
Domain: Domain
Logon ID: (0x0,0x98B42A2)
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.





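The check Joe recommends, reading the target server's security audits to see whether the web server authenticated with Kerberos, with NTLM, or not at all, as an added PowerShell example that is not code from this thread. It takes pasted Windows 2003-style audit text like the events above (Event ID 540) and, on Windows 2008 and later, can read the live Security log (Event ID 4624) through Get-WinEvent; the sample text is condensed from the events in this thread, and the verdict wording is the author's, not Microsoft's.

```powershell
# Added example (not from the thread): classify successful network logons on the
# server that hosts the services as Kerberos, NTLM or anonymous. An ANONYMOUS LOGON
# over NTLM from the web server is the double-hop symptom; a Kerberos logon for the
# real user is what constrained delegation needs to produce.

function Get-LogonVerdict {
    param([string]$User, [string]$Package)
    if ($User -match 'ANONYMOUS LOGON') {
        return 'ANONYMOUS: the web server presented no user identity (double hop not solved)'
    }
    switch ($Package) {
        'Kerberos' { 'KERBEROS: delegation can work for this logon' }
        'NTLM'     { 'NTLM: Kerberos was not attempted (IP address or no usable SPN); delegation will not work' }
        default    { "UNKNOWN authentication package '$Package'" }
    }
}

# Parse pasted legacy audit text (one "Event Type:" header per event, "Key: value" lines).
function ConvertFrom-LegacyLogonAudit {
    param([Parameter(Mandatory)][string]$Text)
    $blocks = $Text -split '(?m)^(?=Event Type:)' | Where-Object { $_.Trim() }
    foreach ($block in $blocks) {
        $f = @{}
        foreach ($line in ($block -split "`r?`n")) {
            if ($line -match '^(?<k>[^:]+):\s*(?<v>.*)$') { $f[$Matches.k.Trim()] = $Matches.v.Trim() }
        }
        if ($f['Event ID'] -ne '540') { continue }   # successful network logon only
        [pscustomobject]@{
            Time        = $f['Time']
            User        = $f['User']
            Package     = $f['Authentication Package']
            Workstation = $f['Workstation Name']
            Source      = $f['Source Network Address']
            Verdict     = Get-LogonVerdict -User $f['User'] -Package $f['Authentication Package']
        }
    }
}

# Same verdict from a live Security log on Windows 2008+ (4624 = successful logon).
function Get-NetworkLogonVerdict {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 50)
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['LogonType'] -ne '3') { return }     # network logons only
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Package = $d['AuthenticationPackageName']
                Source  = $d['IpAddress']
                Verdict = Get-LogonVerdict -User $d['TargetUserName'] -Package $d['AuthenticationPackageName']
            }
        }
}

# Constructed sample, condensed from the two kinds of events shown in this thread.
$sampleAudit = @'
Event Type: Success Audit
Event ID: 540
Date: 24/06/2009
Time: 11:34:36
User: Domain\Username
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Source Network Address: 172.16.224.1
Event Type: Success Audit
Event ID: 540
Date: 23/06/2009
Time: 10:22:03
User: NT AUTHORITY\ANONYMOUS LOGON
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: WEB-SERVER
Source Network Address: 172.16.224.1
'@

ConvertFrom-LegacyLogonAudit -Text $sampleAudit | Format-Table -AutoSize
```

Run the live variant on the server running the services, not on the web server or the domain controller, since that is where the second hop lands; filter the result on the web server's address if the log is busy.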
Joe Kaplan
Guest
Posts: n/a
 
      06-25-2009

The event logs we need to know about are the ones on the server running the
services you are controlling remotely.

Can you show what happens when you have a console app that accesses the
remote server running the services in terms of the security audits on the
remote server?

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net


Tony201
Guest
Posts: n/a
 
      06-29-2009

Hi Joe,

I have finally solved it. I needed to delegate to the cifs service. I will
run further tests and let you know how I go.

Cheers,
Tan


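The delegation change that resolved the thread, reviewed and applied with the ActiveDirectory PowerShell module, as an added example that is not code from this thread. Remote Service Control Manager calls travel over the svcctl named pipe, that is an SMB session, so the service ticket the web server requests is for cifs/server rather than HOST/server, which is why delegating to cifs was needed. The account name 'svc-webapp' and the domain 'corp.example' are placeholders; 'serverxxxx' is the server name used in the thread. The functions also show the least-privilege check a defender wants: delegating to cifs/serverxxxx lets the app pool identity act as any user who authenticated to the web application against that server's SMB service, so the allowed list should name only the services and hosts the application actually manages, and every delegating account in the domain should be reviewed.

```powershell
# Added example (not from the thread): inspect, extend and audit Kerberos constrained
# delegation (msDS-AllowedToDelegateTo) for an IIS app pool domain account.
# If the app pool runs as Network Service or Local System, the identity is the web
# server's computer account; use Get-ADComputer / Set-ADComputer instead.
Import-Module ActiveDirectory

function Get-ConstrainedDelegation {
    param([Parameter(Mandatory)][string]$Identity)
    $acct = Get-ADUser -Identity $Identity -Properties 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation', 'TrustedForDelegation'
    [pscustomobject]@{
        Account            = $acct.SamAccountName
        Unconstrained      = [bool]$acct.TrustedForDelegation        # expected $false
        ProtocolTransition = [bool]$acct.TrustedToAuthForDelegation  # $false = "Use Kerberos only"
        AllowedTargets     = @($acct.'msDS-AllowedToDelegateTo')
    }
}

function Add-ConstrainedDelegationTarget {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$Service,     # 'cifs' for remote SCM over the svcctl pipe, 'HOST' for the rest
        [Parameter(Mandatory)][string]$TargetHost,  # NetBIOS name, e.g. serverxxxx
        [Parameter(Mandatory)][string]$TargetFqdn   # DNS name, e.g. serverxxxx.corp.example
    )
    # Delegate both name forms, as suggested in the thread: the SPN requested
    # follows the name the client code uses to connect.
    $wanted = @("$Service/$TargetHost", "$Service/$TargetFqdn")
    $have   = @((Get-ADUser -Identity $Identity -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo')
    $new    = @($wanted | Where-Object { $have -notcontains $_ })
    if ($new.Count -gt 0) {
        Set-ADUser -Identity $Identity -Add @{ 'msDS-AllowedToDelegateTo' = $new }
    }
    $new   # the SPNs that were actually added
}

# Audit: every account in the domain that may delegate to anything, with its targets,
# so a broad entry such as HOST/ on many servers does not go unnoticed.
function Get-AllDelegatingAccounts {
    Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties 'msDS-AllowedToDelegateTo' |
        Select-Object Name, ObjectClass, @{ n = 'Targets'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
}

# Usage (placeholder names):
Get-ConstrainedDelegation -Identity 'svc-webapp'
Add-ConstrainedDelegationTarget -Identity 'svc-webapp' -Service 'cifs' -TargetHost 'serverxxxx' -TargetFqdn 'serverxxxx.corp.example'
Get-AllDelegatingAccounts | Format-Table -AutoSize
```

Get-ConstrainedDelegation is also the place to confirm that the account stays on "Use Kerberos only": protocol transition (TrustedToAuthForDelegation) is not required for this scenario and widens what the account can do, because it lets the web server obtain tickets for users who never authenticated to it.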