PhishThis! » Microsoft

How to configure AD, SQL, and IIS for two-hop Kerberos authentication

Tom — Sun, 25 Oct 2009 00:01:48 +0000

Recently, some of our developers were writing an app that required impersonation from the web service, as the user, to the database. Admittedly, Kerberos isn’t one of my strong points.

There were two hops here. From the user -> IIS server and from IIS Server -> SQL Server, but the application in IIS would impersonate the user when authenticating with the SQL server.

So, the idea here is that from the user to the IIS server, we know Kerberos will work. The user passes its ticket to the web service. Nothing unusual. From there, the web app, running as a custom app pool ID, needs to pretend (delegate) to be the user when it authenticates to the SQL server.

There are a few requirements.
1) Your application in IIS should be running under a custom identity – domain\MyAppService
2) SQL Server needs to be running under a domain service account – domain\MySQLService
3) IIS needs to use Negotiate instead of NTLM for that application. It should do this by default, then fall back to NTLM. For whatever reason, my app was using NTLM. IIS should also have Windows Authentication enabled.
4) Change your connection string to impersonate the site user

Step 1 – Set the SPN on your app pool ID for the site, for the hostname and FQDN.
setspn -a http/mysite domain\MyAppService setspn -a http/mysite.domain.com domain\MyAppService

Step 2 – Set the SPN for the SQL service on your SQL service account – assuming you use the default SQL port
setspn -a MSSQLSvc/hostname domain\MySQLService setspn -a MSSQLSvc/hostname.domain.com domain/MySQLService setspn -a MSSQLSvc/hostname:1433 domain\MySQLService setspn -a MSSQLSvc/hostname.domain.com:1433 domain/MySQLService
Restart SQL

Step 3 – In Active Directory Users and Computers, find the service account, click the delegation tab, and trust it for delegation. You can set it for delegation to anywhere, or constrained delegation to the SPNs you’ll set for the SQL service account.

Step 4 – Force your site or application to use Negotiate. This won’t work with NTLM, so we’ll remove it. (Note: This is for IIS7/7.5)
- Find and open your applicationHost.config. It’s probably under c:\windows\system32\inetsrv\config. You can also set this in the system.webServer section of the web.config for the application.

- Scroll to the bottom and above /configuration copy this in:

If you get a 500 error after adding the above XML, it’s probably because Negotiate is already added elsewhere. Just remove the line that says add value=”Negotiate” and leave the remove NTLM line.

Reference: This post was extremely helpful in solving my problem – http://blogs.technet.com/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx – in the end, I did pretty much everything in that post, and still had the IIS server passing anonymous to SQL, which is what tipped me off that it was using NTLM and not Negotiate.

Windows 7 – How To Link Online IDs

Tom — Sat, 08 Aug 2009 02:12:36 +0000

I stumbled upon this today in Windows 7, completely by accident.

Linking your online ID will let you log in to Windows and then log in to any service for which you’ve installed a provider, without being prompted to login again. I associated my Windows Live ID with my home desktop computer login. When I went to Hotmail, all I had to do was click my email address to log in. I went over to MSDN to check my available downloads and simply clicked “Sign in” and was there. Pretty cool feature and a great time saver.

Here’s how to do it:

Click the Windows button.
Type “link online” and you should see “Link Online IDs” at the top of the search. Click it.
Select “Add an Online ID Provider” and select one from the list – at the time I’m writing this, only MS Live is available.

Download the installer, and install. You should see this:

Click “Link online ID” and enter your credentials. That’s it! Now head over to your Live/Passport enabled sites and login!

AjaxControlToolkit causes System.Security.SecurityException: Request for the permission of type ‘System.Web.AspNetHostingPermission … failed.

Tom — Wed, 11 Mar 2009 21:02:51 +0000

Here’s a quick one…

A developer was using AJAXControlToolkit in an application. Not a big deal. Except that it kept throwing that damn exception. You know the one:

Server Error in ” Application. Security Exception Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application’s trust level in the configuration file.

Exception Details: System.Security.SecurityException: Request for the permission of type ‘System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089′ failed.

I know what you’re going to say, but I prefer to not use caspol.exe to set the trust.

There were several other sites on the server using the toolkit that worked fine, without using caspol to set full trust.

The difference? Those other applications were compiling the AJAX DLL when the apps themselves were compiled. The developer in this case had just copied the DLL from the toolkit download and added the reference to her code.

I copied the DLL from one of the sites that I knew worked, and it magically started working. Copy her version of the DLL back, and it failed again (after IISReset).

I don’t really know how this happened, but if the DLL was referenced in the VS project, it should have been built with the rest of the app and then deployed with full trust…

So, if you’re running into this and you’re building the code yourself, make sure that the AjaxControlToolkit.dll is building with the rest of your application (the timestamp should be the same) as the other DLLs that were modified. Don’t just drop it in afterwards…it won’t work…

Using HttpWebRequest to perform HTTPS post fails with strange error message

Tom — Wed, 13 Aug 2008 21:30:45 +0000

Recently, after upgrading a server to Server 2008, some developers (ok, about 15 developers and BAs) began complaining that a post to a 3rd party vendor was no longer functioning. One of the devs whipped up a winform app to test from the server and locally from his workstation. From his Windows XP workstation, it was fine. From the Server 2008 box (and from my Vista laptop) it failed to connect with:

The underlying connection was closed: An unexpected error occurred on a send.

Descriptive.

A full stack trace revealed:

System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. —> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
— End of inner exception stack trace —
at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Threading.ExecutionContext.runTryCode(Object userData)
at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
The underlying connection was closed: An unexpected error occurred on a send.
at System.Net.HttpWebRequest.GetRequestStream()

Keep in mind that this worked fine on XP and 2003. Vista and 2008 always threw that exception…without exception. The code was just doing a basic XML post to an HTTPS service with authentication enabled.

ASCIIEncoding ascii = new ASCIIEncoding();
string requestToSend = body;
byte[] data = ascii.GetBytes(requestToSend);
HttpWebRequest webRequest = (HttpWebRequest)WebRequest.Create(destination);

webRequest.Credentials = new NetworkCredential("User", "Pass");
webRequest.Method = "POST";
webRequest.UserAgent = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2";
webRequest.ContentType = "text/xml";
webRequest.ContentLength = data.Length;
webRequest.KeepAlive = false;                                              

//Throws an exception HERE
Stream outStream = webRequest.GetRequestStream();
outStream.Write(data, 0, data.Length);
outStream.Close();

From that stack trace, I could see that the remote server was closing the connection…but, I had no idea why. Something in how it made the request was different than XP or 2003.

ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;

As it turns out, the defult behavior in Vista and Server 2008 is to use TLS first for secure connections. If the server doesn’t support TLS, it’s supposed to negotiate with the client to use SSL3. In this case, the remote server wasn’t negotiating at all…It was just dropping the connection.

http://blogs.msdn.com/wndp/archive/2006/04/12/tls_enabled_by_default.aspx

Long story short:

If you upgrade to Server 2008 or Vista, and your HTTPS XML POSTs are failing due to some strange error, try to force SSL3.

How to export your IIS7 config from one server and import into another

Tom — Tue, 27 May 2008 23:05:03 +0000

UPDATE: While the post below will still work, there is a better way to do this. Please check out the Microsoft Web Deployment Tool if you need to keep your servers in sync.

http://www.iis.net/extensions/WebDeploymentTool

This tool will package registry, COM, and GAC settings. It also says that it’ll integrate with VS2010, so that your developers can package the application for easy deployment on your IIS boxes. I don’t know whether to rejoice or be scared :) Back to the original article…

I had copied the IIS7 config files from an already-configured server to a new server I was building. The two servers were going to be load balanced (non-NLB). After overwriting the config files on the new server with those that I had exported from the old server, I discovered that my app pools kept crashing. I attempted to reset the domain account credentials on the app pools, but found myself getting:

hresult:0×80090005, Message: Failed to commit configuration. Bad Data.

Built-in account works, domain accounts did not. Given that I’m much too lazy to re-configure all of the application pool IDs, I began looking for a way to gracefully import settings from the other server. Turns out, there isn’t an “import” button, so to speak. I did find that using “Shared configuration” I could essentially accomplish an import.

In IIS manager, you need to export the config from the already-configured server. In IIS manager, click the Server node, and go to Shared Configuration under Management.

Click “Export Configuration”

Enter the path you’d like to export the config to, and set an encryption key password:

Copy administration.config, applicationHost.config, and configEncKey.key to your new server to a temp location.

On the new server, go back to the “Shared Configuration” section and check “Enable shared configuration.” Enter the location in physical path and click “Apply.” It should prompt for the encryption password that you had set. Enter it, and reset IIS.

After resetting IIS, go back to Shared Configuration and uncheck “Enable shared configuration.” Click apply. You should see this:

Click YES and it will import all of the settings from your Shared Config into the local config on your new IIS server.

At this point, all you should need to do is change your server-specific site bindings, and it should be good to go.

PowerShell Script for Remote Event Log Viewing

Tom — Thu, 13 Dec 2007 04:27:52 +0000

I had an issue today where I needed to find the frequency of an error on some of my VMs. It seems like I get VMSCSI errors at the same time each which (which probably means high SAN activity, but I’m trying to nail everything down). Either way, I needed to check all of my event logs for EventID 11 and 15. It’s slow…and by slow I mean it took about 30 minutes to scan 10 or so VMs…but it works, and I was able to get a decent idea of the times I’m seeing these errors.
[source language='c#']
$servers = .\getservernames.ps1 Tom

foreach ($server in $servers)
{
if ((get-wmiobject -computer $server win32_computersystem).manufacturer -eq “VMware, Inc.”)
{
         get-wmiobject -query
            “select * from Win32_NTLogEvent where LogFile = ‘System’ AND EventCode = 11
            OR EventCode = 15″ |
            foreach { add-content c:\temp\$server.log “$_.timegenerated – $_.eventcode” }
     }
}
[/source]
Aaaand, it’ll return logs for each server, with a time stamp, the event ID, and nothing more. Quick, dirty, but took me 5 minutes and got the info I needed…30 minutes later :p There’s probably a better way. I’ll have to see what I can come up with.

Windows Server 2008

Tom — Mon, 03 Dec 2007 22:21:10 +0000

According to this article (thanks www.ActiveWin.com for the link) at Network World, Server 2008 may flop. Why? Because 50% of IT Pros surveyed have no plans to deploy Server 2008. This is misleading. “Not having plans” doesn’t mean “won’t.” I don’t “plan” to put gas in my car within the next 12 hours, but that doesn’t mean I’m never putting gas in my car.