Kerberos not being used, only NTLM - Login failed for user "(null)"

Kerberos not being used, only NTLM - Login failed for user "(null)"

on 22.09.2004 09:11:42 by doogie_of_oz

We have a Win2K3 Server running an ASP .NET application that connects
to a Win2K3 server running SQL 2000 on the backend.

Whenever a user opens the application page in their client browser
they get the error message:
"The following error occurred whilst loading the page: Login failed
for user '(null)'. Reason: Not associated with a trusted SQL Server
connection."

We have been through all the newsgroups, the Microsoft
"Troubleshooting Kerberos Delegation" whitepaper, the Microsoft
"Troubleshooting Kerberos Errors" whitepaper and it appears as though
Kerberos has been turned off for IIS on this middle tier server. When
a client connects it doesn't even attempt Kerberos authentication but
immediately authenticates with NTLM, which explains the login failure
for user '(null)' error. What we can't work out is why Kerberos isn't
even attempted.

Thanks in advance,
Doug.

Re: Kerberos not being used, only NTLM - Login failed for user "(null)"

on 22.09.2004 09:37:18 by Ken Schaefer

Well, for starters:

a) Is the IIS server sending back a WWW-Authenticate: Negotiate header?
(Check using WFetch, or Ethereal, or check in the metabase to see what Auth
providers are set)

b) Is the server being accessed by FQDN or IP Address by the client? In
which case IE will not even attempt Kerberos Auth unless you add the site to
the local Intranet security zone. This is because Kerberos Auth requires
access to the KDC (DCs in Windows world), and that usually isn't possible
when accessing sites "on the wider internet".

Cheers
Ken

"DougM" wrote in message
news:68ac046a.0409212311.599fa5db@posting.google.com...
> We have a Win2K3 Server running an ASP .NET application that connects
> to a Win2K3 server running SQL 2000 on the backend.
>
> Whenever a user opens the application page in their client browser
> they get the error message:
> "The following error occurred whilst loading the page: Login failed
> for user '(null)'. Reason: Not associated with a trusted SQL Server
> connection."
>
> We have been through all the newsgroups, the Microsoft
> "Troubleshooting Kerberos Delegation" whitepaper, the Microsoft
> "Troubleshooting Kerberos Errors" whitepaper and it appears as though
> Kerberos has been turned off for IIS on this middle tier server. When
> a client connects it doesn't even attempt Kerberos authentication but
> immediately authenticates with NTLM, which explains the login failure
> for user '(null)' error. What we can't work out is why Kerberos isn't
> even attempted.
>
> Thanks in advance,
> Doug.

Re: Kerberos not being used, only NTLM - Login failed for user "(null)"

on 22.09.2004 13:44:04 by Bronek Kozicki

DougM wrote:
> We have a Win2K3 Server running an ASP .NET application that connects
> to a Win2K3 server running SQL 2000 on the backend.

1. ASP.NET application should have

in its web.config file

2. there are many situations when Kerberos is not negotiated between IIS
and IE. One of more obscure is when Kerberos is explicitly disabled in
IE (option named "Enable Integrated Windows Authentication (requires
restart)" in Advanced tab).

3. SQL Server 2000 running on Windows Server 2003 requires named pipes
connection; integrated authentication might not work over plain TCP
connection. It's documented in http://support.microsoft.com/?kbid=840219


B.

Re: Kerberos not being used, only NTLM - Login failed for user "(null)"

on 23.09.2004 06:55:55 by doogie_of_oz

Ken,

thanks for the reply.

The other server that was broken turned out to be as simple a matter as
ticking the "Trust computer for delegation" check box in AD. There was
an assumption that this had been done...

On the broken server:

a) WFetch shows WWW-Authenticate:NTLM

b) The site is accessed using the server NetBIOS name in the URL, not
the FQDN or IP address. The site shows up as being in the Local
Intranet zone.

Looking at Metabase.xml shows numerous entries relating to Sharepoint
Services (so it was installed on this server at some point) and
further research on Google reveals that Sharepoint services disables
Kerberos authentication for IIS. Microsoft Knowledge Base Article -
832769 shows how to use the adsutil.vbs script to edit the
authentication method in the Metabase to configure it to be
"Negotiate,NTLM" again. The command line

cscript adsutil.vbs set w3svc/1/NTAuthenticationProviders "Negotiate,NTLM"

has been applied to the IIS server.

However... doing this results in an "Enter Network Password" dialogue
box every time a user hits the site and while WFetch shows a
WWW-Authenticate:Negotiate header, it also returns an error "Unable to
InitializeSecurityContext" at the end of the headers section.

So now I'm guessing that Sharepoint Services has broken kerberos for
IIS and I need to work out how to fix it. None of the rest of the
above KB article is applicable as the application pool runs under the
"Network Services" account.

Thanks in advance,
Doug.

"Ken Schaefer" wrote in message news:...
> Well, for starters:
>
> a) Is the IIS server sending back a WWW-Authenticate: Negotiate header?
> (Check using WFetch, or Ethereal, or check in the metabase to see what Auth
> providers are set)
>
> b) Is the server being accessed by FQDN or IP Address by the client? In
> which case IE will not even attempt Kerberos Auth unless you add the site to
> the local Intranet security zone. This is because Kerberos Auth requires
> access to the KDC (DCs in Windows world), and that usually isn't possible
> when accessing sites "on the wider internet".
>
> Cheers
> Ken
>
> "DougM" wrote in message
> > We have a Win2K3 Server running an ASP .NET application that connects
> > to a Win2K3 server running SQL 2000 on the backend.
> >
> > Whenever a user opens the application page in their client browser
> > they get the error message:
> > "The following error occurred whilst loading the page: Login failed
> > for user '(null)'. Reason: Not associated with a trusted SQL Server
> > connection."
>
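The two checks in this exchange (Ken's "does the 401 carry WWW-Authenticate: Negotiate at all?" and Doug's "Negotiate is now advertised, yet the client still falls into a password prompt") are usually separated by looking inside the token the browser actually sends. An Authorization: Negotiate header can carry a SPNEGO token whose preferred mechanism is Kerberos, a SPNEGO token whose only mechanism is NTLMSSP, or a bare NTLMSSP message with no SPNEGO wrapper at all; only the first means a ticket was obtained from the KDC. The following is an added example, not code from the thread or from any Microsoft tool: it builds SPNEGO NegTokenInit blobs with a minimal DER encoder (the mechToken bytes are constructed placeholders, not real AP-REQ or NTLM messages) and classifies them the way a practitioner would when reading a WFetch or Ethereal capture. The header values in the sample section are likewise constructed to mirror the thread, not captured traffic.

```python
"""Inspect an Integrated Windows Authentication exchange: which schemes the
server offers in its 401, and what a client "Negotiate" blob really carries
(Kerberos, NTLM wrapped in SPNEGO, or raw NTLMSSP).
All headers and tokens below are constructed for this example."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KERBEROS_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS Kerberos (legacy OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

# --- minimal DER helpers, just enough for SPNEGO NegTokenInit (RFC 4178) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _read_tlv(buf, pos=0):
    """Return (tag, body, end_offset) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def build_neg_token_init(mech_oids, mech_token):
    """Build a SPNEGO NegTokenInit as a client sends it: the first OID is the
    optimistic mechanism and mech_token is that mechanism's first message."""
    mech_list = _tlv(0x30, b"".join(_oid(m) for m in mech_oids))
    init = _tlv(0xA0, mech_list) + _tlv(0xA2, _tlv(0x04, mech_token))
    return _tlv(0x60, _oid(SPNEGO_OID) + _tlv(0xA0, _tlv(0x30, init)))

def advertised_schemes(www_authenticate_values):
    """Check (a): which schemes the 401 offers. IIS emits one
    WWW-Authenticate header per provider, so each value is one scheme."""
    return [v.strip().split(" ", 1)[0] for v in www_authenticate_values if v.strip()]

def classify_client_token(authorization_value):
    """Say what the client's Authorization header really contains."""
    scheme, _, blob = authorization_value.strip().partition(" ")
    if scheme.lower() == "ntlm":
        return {"scheme": "NTLM", "mech": "NTLMSSP", "kerberos": False}
    if scheme.lower() != "negotiate":
        return {"scheme": scheme, "mech": "unknown", "kerberos": False}
    raw = base64.b64decode(blob)
    if raw.startswith(b"NTLMSSP\x00"):
        # Windows clients may put a bare NTLMSSP message in "Negotiate" when no ticket is available
        return {"scheme": "Negotiate", "mech": "NTLMSSP (raw, no SPNEGO)", "kerberos": False}
    if raw[:1] != b"\x60":
        return {"scheme": "Negotiate", "mech": "unrecognised", "kerberos": False}
    _, app, _ = _read_tlv(raw)            # [APPLICATION 0] InitialContextToken
    _, oid, pos = _read_tlv(app)          # thisMech, must be the SPNEGO OID
    if _decode_oid(oid) != SPNEGO_OID:
        return {"scheme": "Negotiate", "mech": "not SPNEGO", "kerberos": False}
    _, init, _ = _read_tlv(app, pos)      # [0] NegTokenInit
    _, seq, _ = _read_tlv(init)           # SEQUENCE
    _, mt_wrap, _ = _read_tlv(seq)        # [0] mechTypes
    _, mt_list, _ = _read_tlv(mt_wrap)    # SEQUENCE OF OID
    mechs, pos = [], 0
    while pos < len(mt_list):
        _, body, pos = _read_tlv(mt_list, pos)
        mechs.append(_decode_oid(body))
    preferred = mechs[0]                  # the mechanism whose token rides in mechToken
    return {"scheme": "Negotiate", "mech": MECH_NAMES.get(preferred, preferred),
            "mech_types": mechs, "kerberos": preferred in KERBEROS_OIDS}

# --- constructed samples mirroring the thread (not captured traffic) ---
SERVER_BROKEN = ["NTLM"]                  # what WFetch showed before the metabase fix
SERVER_FIXED = ["Negotiate", "NTLM"]
CLIENT_KERBEROS = "Negotiate " + base64.b64encode(build_neg_token_init(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"],
    b"\x60\x00AP-REQ-PLACEHOLDER")).decode()      # placeholder where the AP-REQ would be
CLIENT_SPNEGO_NTLM = "Negotiate " + base64.b64encode(build_neg_token_init(
    ["1.3.6.1.4.1.311.2.2.10"], b"NTLMSSP\x00\x01\x00\x00\x00")).decode()
CLIENT_RAW_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()

if __name__ == "__main__":
    for name, hdrs in (("broken", SERVER_BROKEN), ("fixed", SERVER_FIXED)):
        offers = advertised_schemes(hdrs)
        print(f"server {name}: offers {offers}; Negotiate "
              f"{'present' if 'Negotiate' in offers else 'MISSING'}")
    for name, hdr in (("kerberos", CLIENT_KERBEROS), ("spnego-ntlm", CLIENT_SPNEGO_NTLM),
                      ("raw-ntlm", CLIENT_RAW_NTLM)):
        print(f"client {name}: {classify_client_token(hdr)}")
```

A "Negotiate" header whose preferred mechanism decodes to NTLMSSP explains exactly the symptom in this thread: the server now advertises Negotiate, but the browser never obtained a service ticket (wrong zone, missing SPN, or the delegation box not ticked), so the hop to SQL Server still arrives as an untrusted NULL session.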

Re: Kerberos not being used, only NTLM - Login failed for user "(null)"

on 23.09.2004 07:04:42 by doogie_of_oz

Bronek,

thanks for the reply.

1. this is configured correctly in the application
2. we were caught out by this at one stage of testing but I can
confirm that the setting has been applied now.
3. I don't believe that we are having problems at the SQL end as the
application now works on 4 other servers without issue.

Further investigation reveals that SharePoint Services was installed
on the IIS server at some point and that it may have disabled kerberos
for IIS. Now I just need to work out how to get kerberos working
again.

Regards,
Doug.

"Bronek Kozicki" wrote in message news:...
> DougM wrote:
> > We have a Win2K3 Server running an ASP .NET application that connects
> > to a Win2K3 server running SQL 2000 on the backend.
>
> 1. ASP.NET application should have
>
> in its web.config file
>
> 2. there are many situations when Kerberos is not negotiated between IIS
> and IE. One of more obscure is when Kerberos is explicitly disabled in
> IE (option named "Enable Integrated Windows Authentication (requires
> restart)" in Advanced tab).
>
> 3. SQL Server 2000 running on Windows Server 2003 requires named pipes
> connection; integrated authentication might not work over plain TCP
> connection. It's documented in http://support.microsoft.com/?kbid=840219
>
>
> B.

Re: Kerberos not being used, only NTLM - Login failed for user "(null)"

on 23.09.2004 08:02:05 by Ken Schaefer

I assume your web site/application is *not* a Sharepoint site.

In Sharepoint Administration website you may need to configure a new
"managed" website, and have it excluded from Sharepoint. Sharepoint works by
intercepting requests via its ISAPI filter, then doing its own thing. By
excluding your website's/web application's path in Sharepoint, you stop this
from happening.

Cheers
Ken


"DougM" wrote in message
news:68ac046a.0409222055.6a57b98a@posting.google.com...
> Ken,
>
> thanks for the reply.
>
> The other server that was broken turned out be as simple a matter as
> ticking the "Trust computer for delegation" check box in AD. There was
> an assumption that this had been done...
>
> On the broken server:
>
> a) WFetch shows WWW-Authenticate:NTLM
>
> b) The site is accessed using the server NetBIOS name in the URL, not
> the FQDN or IP address. The site shows up as being in the Local
> Intranet zone.
>
> Looking at Metabase.xml shows numerous entries relating to Sharepoint
> Services (so it was installed on this server at some point) and
> further research on Google reveals that Sharepoint services disables
> Kerberos authentication for IIS. Microsoft Knowledge Base Article -
> 832769 shows how to use the adsutil.vbs script to edit the
> authentication method in the Metabase to configure it to be
> "Negotiate,NTLM" again. The command line
>
> cscript adsutil.vbs set w3svc/1/NTAuthenticationProviders
> "Negotiate,NTLM"
>
> has been applied to the IIS server.
>
> However... doing this results in an "Enter Network Password" dialogue
> box every time a user hits the site and while WFetch shows a
> WWW-Authenticate:Negotiate header, it also returns an error "Unable to
> InitializeSecurityContext" at the end of the headers section.
>
> So now I'm guessing that Sharepoint Services has broken kerberos for
> IIS and I need to work out how to fix it. None of the rest of the
> above KB article is applicable as the application pool runs under the
> "Network Services" account.
>
> Thanks in advance,
> Doug.
>
> "Ken Schaefer" wrote in message
> news:...
>> Well, for starters:
>>
>> a) Is the IIS server sending back a WWW-Authenticate: Negotiate header?
>> (Check using WFetch, or Ethereal, or check in the metabase to see what
>> Auth
>> providers are set)
>>
>> b) Is the server being accessed by FQDN or IP Address by the client? In
>> which case IE will not even attempt Kerberos Auth unless you add the site
>> to
>> the local Intranet security zone. This is because Kerberos Auth requires
>> access to the KDC (DCs in Windows world), and that usually isn't possible
>> when accessing sites "on the wider internet".
>>
>> Cheers
>> Ken
>>
>> "DougM" wrote in message
>> > We have a Win2K3 Server running an ASP .NET application that connects
>> > to a Win2K3 server running SQL 2000 on the backend.
>> >
>> > Whenever a user opens the application page in their client browser
>> > they get the error message:
>> > "The following error occurred whilst loading the page: Login failed
>> > for user '(null)'. Reason: Not associated with a trusted SQL Server
>> > connection."
>>

Re: Kerberos not being used, only NTLM - Login failed for user "(null)"

on 30.09.2004 17:48:13 by Bronek Kozicki

DougM wrote:
[...]

(sorry for not watching this thread for one week)

> cscript adsutil.vbs set w3svc/1/NTAuthenticationProviders
> "Negotiate,NTLM"

Good.

> However... doing this results in an "Enter Network Password" dialogue
> box every time a user hits the site and while WFetch shows a

Please verify that your worker process has access to ASP.NET application
files. I recently found this error on my client's server -
application was sometimes working (thanks to impersonation), but
sometimes he was receiving the "enter network password" dialog and/or
IIS error 401 (AFAIR - but maybe it was 403?). Adding access rights for
IIS_WPG on the ASP.NET application directory solved the problem; I also had
to fix permissions on C:\windows\temp , but that was the other time they
had problems with ASP.NET :)


B.