Friday, March 9, 2007 2:10 PM brian-murphy-booth

DelegConfig (Kerberos/Delegation Configuration Reporting Tool)

Where is the tool?

  For 2.0+ framework - IIS 6.0, 7.0, 7.5 - http://blogs.iis.net/brian-murphy-booth/archive/2009/04/22/delegconfig-v2-beta.aspx

  For 1.1 framework - IIS 5.0, IIS 6.0 - http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1434 

What is this tool?

  This is an ASP.NET application that I wrote a couple of years ago that is meant to be called from Internet Explorer on an actual client machine. The tool (an aspx page) attempts to look at all the common settings that contribute towards successful Kerberos authentication and delegation. I had originally written a simple ASP page for my co-workers to demonstrate how to see whether a request had authenticated with Kerberos or NTLM by doing Response.Write Request.ServerVariables("HTTP_AUTHORIZATION"). After a little while I decided "why stop there?!" The tool will now check all the common pitfalls of Kerberos authentication except for a couple of issues that I can't check for when the web request fails entirely (if my page won't even run, how can I check those settings?).
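The HTTP_AUTHORIZATION check above works because the Authorization header carries a scheme name plus a base64 token, and the token's framing reveals the mechanism: an NTLM message starts with the "NTLMSSP\0" signature, while a Kerberos or SPNEGO token is a GSS-API InitialContextToken (a 0x60 tag, a length, then the mechanism OID). The following classifier is an added example, not code from DelegConfig or from this page; it reads header values offline the way the ASP page reads the server variable, and goes a step further than the original by looking inside a Negotiate blob to tell a Kerberos token from an NTLM fallback. The sample header values are constructed with placeholder inner bytes (no real tickets), and the OIDs are the standard RFC values.

```python
import base64

# DER-encoded OID contents, taken from the RFCs (not from the DelegConfig page).
SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (Microsoft)
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                 # leading bytes of every NTLM message


def _der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def gss_wrap(mech_oid, inner):
    """Build a GSS-API InitialContextToken: 0x60 <len> 0x06 <len> <oid> <inner>."""
    body = b"\x06" + _der_len(len(mech_oid)) + mech_oid + inner
    return b"\x60" + _der_len(len(body)) + body


def classify_authorization(header_value):
    """Classify one HTTP Authorization header value.

    Returns 'kerberos', 'ntlm', 'basic', 'none' or 'unknown'.  A Negotiate
    blob is inspected, not just the scheme name, because Windows clients
    send NTLM under the Negotiate scheme when they cannot get a ticket.
    """
    if not header_value or not header_value.strip():
        return "none"
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return "unknown"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"           # raw NTLMSSP message, no GSS wrapper
    if token[:1] != b"\x60":
        return "unknown"
    try:
        _, pos = _read_der_len(token, 1)
        if token[pos] != 0x06:
            return "unknown"
        oid_len, pos = _read_der_len(token, pos + 1)
        oid = token[pos:pos + oid_len]
    except (IndexError, ValueError):
        return "unknown"
    if oid in (KRB5_OID, MS_KRB5_OID):
        return "kerberos"       # bare Kerberos AP-REQ in a GSS wrapper
    if oid == SPNEGO_OID:
        # SPNEGO NegTokenInit: the optimistic mechToken shows what the client
        # actually used.  Heuristic: an NTLMSSP signature inside the token
        # means NTLM fallback; otherwise a Kerberos OID means Kerberos.
        if NTLMSSP_SIGNATURE in token:
            return "ntlm"
        if KRB5_OID in token or MS_KRB5_OID in token:
            return "kerberos"
    return "unknown"


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed sample header values: the inner bytes are placeholders, not
# real tickets or NTLM messages; only the framing matters for the check.
SAMPLE_HEADERS = {
    "spnego_kerberos": "Negotiate " + _b64(gss_wrap(
        SPNEGO_OID, b"\xa0" + KRB5_OID + gss_wrap(KRB5_OID, b"\x01\x00" + bytes(24)))),
    "spnego_ntlm_fallback": "Negotiate " + _b64(gss_wrap(
        SPNEGO_OID, b"\xa0" + NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + bytes(24))),
    "raw_ntlm": "NTLM " + _b64(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + bytes(28)),
    "basic": "Basic " + _b64(b"user:password"),
    "garbage": "Negotiate not*base64",
}


if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        print(f"{name:22s} -> {classify_authorization(value)}")
```

The practical point for troubleshooting is the "spnego_ntlm_fallback" case: the scheme says Negotiate, which is easy to misread as "Kerberos worked", but the blob is carrying NTLM, which is exactly the situation in which delegation will later fail.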

I'd like to hear your feedback!! If you have problems, constructive criticism, or praise please let me know. If you have comments or suggestions that will benefit the masses, I'll try to find time to implement your suggestions into the tool.

Usage Tips:

  • READ THE "Explanation" SECTIONS!! This tool is meant to be a teacher. If you don't read your material, you probably aren't going to understand what to do or at least why you're doing something that it suggests you do.
  • Did I mention that you should read the "Explanation" sections?? Do it!!
  • There are some "Fix This" buttons that help automate addressing issues. Although it isn't 100% clear in some of the output, it is probably easiest to use the "Fix This" buttons instead of manually following any KB articles that are also included in the output. You can, however, do whichever you prefer since either method should fix the applicable configuration problem.
  • If the DelegConfig tool doesn't work as expected, please see the "KNOWN PROBLEMS AND WORKAROUNDS" section below.
  • If you end up making changes to your configuration based on what the tool reports, it is common that you'll need to log on/off the workstation machine and/or restart the IIS service or back-end service before you see Kerberos/Delegation start to work as desired.
  • Part of "Delegation" is authenticating with a back-end service. Don't forget to add the back-end server information with the applicable hyperlink to make sure everything looks good there too.

---------------------------------------------------------------
REQUIRED COMPONENTS:
---------------------------------------------------------------
  1. All files in this ZIP are required for the ASPX page to operate properly.
  2. ASP.NET version 1.1.4322.2300 or higher (also works with v2.0.50727) must be installed on the IIS server.

---------------------------------------------------------------
OPTIONAL COMPONENTS:
---------------------------------------------------------------
  1. For more accurate results the .Net framework should be installed on the Workstation/Client

---------------------------------------------------------------
SETUP:
---------------------------------------------------------------
  1. Unzip files to desired location that is *local* to the IIS server.
  2. In the IIS MMC create a new virtual directory that points to the folder with the unzipped files.
  3. Configure the virtual directory as an IIS application.
    a. In the IIS MMC right-click the vDir and choose Properties.
    b. On the "Virtual Directory" tab click "Create" (if already configured as an IIS app you'll see a "Remove" button instead)
  4. Ensure that "Scripts Only" (recommended) or "Scripts and Executables" is enabled for this vDir.

---------------------------------------------------------------
USAGE:
---------------------------------------------------------------
  1. View the Default.aspx page through a web browser with an address such as "http://MyServer/MyVirtualDirectory/"

---------------------------------------------------------------
KNOWN PROBLEMS AND WORKAROUNDS:
---------------------------------------------------------------
General:
  Generally speaking, if there are any problems running this tool's Default.aspx page (errors of any sort), it is probably because Kerberos isn't working yet. :-p In that case it is best to start by requesting the page locally from the IIS server. Certain types of problems only exist when IE attempts to connect to IIS using Kerberos, and Kerberos is usually not used when local to the IIS server. Requesting Default.aspx locally from the server will avoid many of the problems this DelegConfig tool can encounter. Once you can get this page working locally from the IIS server, the tool will then report some of the problems that could affect Kerberos and/or Delegation. Once some of those items are addressed and Kerberos is closer to working, you may be able to do additional checks by requesting the ASPX page from a remote IE machine.

--------------
Problem:
[HttpException (0x8007052e): Failed to start monitoring changes to '\\ServerName\ShareName'.]

  ASP.NET uses a hierarchical system of reading configuration files, starting with Machine.Config, then web.config from the root of the web site, then finally the web.config file from the virtual directory the ASPX application is running in. Any time one of these files changes, IIS wants to be able to reload the file and restart the web application to ensure the most recent configuration is being used. If the .NET Framework is not able to read from the root of the web site using the ASPNET account, this error will be returned. This typically happens when the home directory is a UNC path.

Workaround:
  1. If running IIS 6.0 this can sometimes be fixed by disabling "Run www service in IIS 5.0 Isolation Mode".
  OR
  2. To ensure that ASPNET can read from the root of the web site, temporarily change the "Home Directory" of the site to a local path. Once you have resolved the Kerberos and Delegation issues based on the results of the ASPX application you can change the home directory back to the desired UNC path.


--------------
Problem:
  Continuous password prompt with an underlying 401.1 response. There are two common possibilities for this.

Additional Information:
  Looking in the security event logs shows:

POSSIBILITY ONE (notice the Logon Process of Kerberos):
  Event Type: Failure Audit
  Event Source: Security
  Event Category: Logon/Logoff
  Event ID: 529
  Date:  1/1/2005
  Time:  6:00:00 PM
  User:  NT AUTHORITY\SYSTEM
  Computer: COMPUTERNAME
  Description:
  Logon Failure:
    Reason:  Unknown user name or bad password
    User Name: 
    Domain:  
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos

Workaround:
  You receive an "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials" error message when you try to access a Web site that is part of an IIS 6.0 application pool
  http://support.microsoft.com/?id=871179

POSSIBILITY TWO (notice the strange Logon Process):
  Event Type: Failure Audit
  Event Source: Security
  Event Category: Logon/Logoff
  Event ID: 537
  Date:  1/1/2005
  Time:  6:00:00 PM
  User:  NT AUTHORITY\SYSTEM
  Computer: COMPUTERNAME
  Description:
  Logon Failure:
    Reason:  An error occurred during logon
    User Name: someuser
    Domain:  SOMEDOMAIN
    Logon Type: 3
    Logon Process: Ðù²
    Authentication Package: NTLM
    Workstation Name: COMPUTERNAME
    Status code: 0xC000006D
    Substatus code: 0x0
    Source Network Address: 127.0.0.1

Workaround:
  You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6
  http://support.microsoft.com/?id=896861
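The two event records above differ in exactly the fields the text tells you to notice: Event ID 529 with "Logon Process: Kerberos" points at KB 871179, and Event ID 537 with an NTLM package and a garbled "Logon Process" value points at KB 896861. The triage script below is an added example, not part of DelegConfig or of this page: it parses security events in the "Key: value" text form shown above, maps each one to the matching possibility and KB article, and leaves anything else (such as the constructed control event, an ordinary wrong-password NTLM failure) unmatched. The two sample events are copied from this page; the control event is constructed here.

```python
KB_POSSIBILITY_ONE = "http://support.microsoft.com/?id=871179"
KB_POSSIBILITY_TWO = "http://support.microsoft.com/?id=896861"

# Copied from the page: Possibility One (Kerberos logon process, event 529).
EVENT_ONE = """\
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date:  1/1/2005
Time:  6:00:00 PM
User:  NT AUTHORITY\\SYSTEM
Computer: COMPUTERNAME
Description:
Logon Failure:
  Reason:  Unknown user name or bad password
  User Name:
  Domain:
  Logon Type: 3
  Logon Process: Kerberos
  Authentication Package: Kerberos
"""

# Copied from the page: Possibility Two (garbled logon process, event 537).
EVENT_TWO = """\
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date:  1/1/2005
Time:  6:00:00 PM
User:  NT AUTHORITY\\SYSTEM
Computer: COMPUTERNAME
Description:
Logon Failure:
  Reason:  An error occurred during logon
  User Name: someuser
  Domain:  SOMEDOMAIN
  Logon Type: 3
  Logon Process: Ðù²
  Authentication Package: NTLM
  Workstation Name: COMPUTERNAME
  Status code: 0xC000006D
  Substatus code: 0x0
  Source Network Address: 127.0.0.1
"""

# Constructed control: a plain bad-password NTLM failure, not either possibility.
CONTROL_EVENT = """\
Event Type: Failure Audit
Event Source: Security
Event ID: 529
Logon Failure:
  Reason:  Unknown user name or bad password
  User Name: someuser
  Domain:  SOMEDOMAIN
  Logon Type: 3
  Logon Process: NtLmSsp
  Authentication Package: NTLM
"""


def parse_event(text):
    """Turn 'Key: value' lines into a dict; splits on the first colon only,
    so values such as '6:00:00 PM' survive intact."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _looks_like_a_name(value):
    """A real logon process name (Kerberos, NtLmSsp, Advapi) is printable ASCII."""
    return bool(value) and value.isascii() and value.isprintable()


def classify_logon_failure(text):
    """Map one failure-audit event to the page's two possibilities."""
    fields = parse_event(text)
    try:
        event_id = int(fields.get("Event ID", ""))
    except ValueError:
        return {"match": "not-an-event", "kb": None}
    process = fields.get("Logon Process", "")
    package = fields.get("Authentication Package", "")
    result = {"event_id": event_id, "logon_process": process, "package": package}
    if event_id == 529 and process == "Kerberos":
        result.update(match="possibility-one", kb=KB_POSSIBILITY_ONE)
    elif event_id == 537 and package == "NTLM" and not _looks_like_a_name(process):
        result.update(match="possibility-two", kb=KB_POSSIBILITY_TWO)
    else:
        result.update(match="unmatched", kb=None)
    return result


if __name__ == "__main__":
    for label, event in (("one", EVENT_ONE), ("two", EVENT_TWO), ("control", CONTROL_EVENT)):
        print(label, classify_logon_failure(event))
```

Feed it the Description text of each 529/537 failure audit copied from Event Viewer; anything it reports as unmatched deserves a look at the Status code field (0xC000006D in the second sample is STATUS_LOGON_FAILURE) rather than at either KB article.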

Comments

# re: DelegConfig (Kerberos/Delegation Configuration Reporting Tool)

Monday, June 4, 2007 8:22 AM by Eric

When trying to run this (I'm using .NET 2.0), I get the following error: Parse Error Message: Could not load type 'DelegConfig.AspxPage'.

# re: DelegConfig (Kerberos/Delegation Configuration Reporting Tool)

Monday, June 4, 2007 9:16 AM by brian-murphy-booth

That error sounds like the virtual directory you created is not yet marked as an IIS application.

 1. Right-click the vDir you created.

 2. Click Properties

 3. Click the "Create" button on the Virtual Directory tab. It will then change to a "Remove" button which indicates the folder is now an "IIS application".

# re: DelegConfig (Kerberos/Delegation Configuration Reporting Tool)

Monday, June 18, 2007 1:48 PM by Mary Norbury

Hi Brian, I am trying to troubleshoot Kerberos on Mac OS X (10.4.x) and your tool was recommended to me. However, the client machines are Mac OS X and the browsers are Safari and Firefox. I get a SQL application error when I try to run this so I'm assuming your tool requires IE? Thanks! Mary

# re: DelegConfig (Kerberos/Delegation Configuration Reporting Tool)

Tuesday, June 19, 2007 6:12 AM by brian-murphy-booth

There is no SQL code present in DelegConfig. So my guess there is that you have a global.asax or web.config that is causing something to execute at the level above the vDir that you created and it is that code that is having trouble. There is one piece of DelegConfig that executes client-side but if that doesn't run, you'll get a message saying to use PING.exe to fill in some info in the Address line. So the browser type should not affect whether the tool runs well enough to give you what you need.

First, make sure the vDir is configured as an "Application". If the folder looks like a vanilla folder (with or without a globe) then it isn't an application yet. In that case, go into the folder properties and click the "Create" button.

Next, rename the web.config in the folder in the level above where you created the DelegConfig virtual directory. Web.Config's are read hierarchically starting all the way from the root of the web site even if there are no applications present. If you have something in there such as the SqlMembershipProvider that causes a call to SQL, I can envision something might get in the way of DelegConfig.

# re: DelegConfig (Kerberos/Delegation Configuration Reporting Tool)

Tuesday, June 19, 2007 10:40 AM by Mary Norbury

This is the actual error I get from Safari: "Server Error in '/Kerberos' Application. Runtime Error" However, your app works fine from a PC. I do get feedback that indicates that my "current configuration is correct for delegating credentials with Kerberos". I did check the vDir on the web server and it does have a folder icon but this is nested under this hierarchy: Web Sites\Portal (globe icon) \ CurrentSite (Folder icon). On a Mac, I get tickets from both this CurrentSite and from my domain so I'm rather confused as to why I can't pull data from this site or why your app doesn't return results on the Mac. Thanks!