AuthDiag v1.1

Posted: Jul 11, 2006  4 comments  

The IIS Diagnostics Toolkit contains a new version of the AuthDiag tool.

It has an updated authmon.dll that can capture traces from all appPools.

To make it work, run the following from a command prompt:

cd /d "C:\Program Files\IIS Resources\AuthDiag"

cacls . /E /G IIS_WPG:F

iisreset

rundll32 authmon.dll,Begin

Then, when you make requests to IIS, a w3wp_<pid>.log file will be created in AuthDiag's directory, where <pid> is the process ID of the IIS worker process.

To stop tracing, run: iisreset

Here is a sample log file with my comments:

<AuthMonRow Number="5" tid="0x8f8" Date="01/13/2006 00:55:09.484"

       Name="OnNewRequest" SiteId="1" Conn="0xdf00000040000018" Req="0xdf00000060000019"

       Verb="GET"

       Url="/"

       Auth_header_length="0" Auth_header=""

       />

 

IE sends an anonymous request; IIS will respond with 401

 

<AuthMonRow Number="8" tid="0x8f8" Date="01/13/2006 00:55:09.797"

       Name="HttpSendHttpResponse"

       Req="0xdf00000060000019"

       StatusCode="401" Reason="Unauthorized"

       />

 

IE sends the request with a Kerberos blob

 

<AuthMonRow Number="10" tid="0x8f8" Date="01/13/2006 00:55:12.422"

       Name="OnNewRequest" SiteId="1" Conn="0xdf00000040000018" Req="0xdf0000006000001a"

       Verb="GET"

       Url="/"

       Auth_header_length="4538" Auth_header="Negotiate YIINPwY..."

       />

 

AcceptSecurityContext will resolve the blob to a user token

 

<AuthMonRow Number="12" tid="0x8f8" Date="01/13/2006 00:55:12.422"

       Name="AcceptSecurityContext" Result="0x0" ContextAttr="0x802"

       Package="Kerberos" UserName="DOMAIN\account"

       ClientName="account@DOMAIN.TEST.COM"

       ServerName="HTTP/test-iis.test.com@DOMAIN.TEST.COM"

       time_taken="0 ms"

       />

 

Opening the file while impersonating the authenticated user (REDMOND\uladm)

 

<AuthMonRow Number="18" tid="0x8f8" Date="01/13/2006 00:55:12.437"

       ProcIdentity="NT AUTHORITY\NETWORK SERVICE" ThreadIdentity="DOMAIN\account(SecurityImpersonation)"

       Name="CreateFileW" File="\\?\e:\inetpub\wwwroot\iisstart.htm"

       Success="Yes" Error_Number="0" Error=""

       time_taken="0 ms"

       />

 

<AuthMonRow Number="19" tid="0x8f8" Date="01/13/2006 00:55:12.437"

       Name="HttpSendHttpResponse"

       Req="0xdf0000006000001a"

       StatusCode="200" Reason="OK"

       />

 

<AuthMonRow Number="21" tid="0x8f8" Date="01/13/2006 00:55:13.297"

       Name="OnNewRequest" SiteId="1" Conn="0xdf00000040000018" Req="0xdf0000006000001b"

       Verb="GET"

       Url="/pagerror.gif"

       Auth_header_length="0" Auth_header=""

       />

 

iisstart.htm refers to pagerror.gif; IE tries to get it anonymously, and IIS will respond again with 401

 

<AuthMonRow Number="23" tid="0x8f8" Date="01/13/2006 00:55:13.297"

       Name="HttpSendHttpResponse"

       Req="0xdf0000006000001b"

       StatusCode="401" Reason="Unauthorized"

       />

 

<AuthMonRow Number="25" tid="0x8f8" Date="01/13/2006 00:55:13.469"

       Name="OnNewRequest" SiteId="1" Conn="0xdf00000040000018" Req="0xdf0000006000001c"

       Verb="GET"

       Url="/pagerror.gif"

       Auth_header_length="4538" Auth_header="Negotiate YIINPwYGK..."

       />

 

IE sends the request with a Kerberos blob; AcceptSecurityContext will resolve the blob to a user token

 

<AuthMonRow Number="26" tid="0x8f8" Date="01/13/2006 00:55:13.469"

       Name="AcceptSecurityContext" Result="0x0" ContextAttr="0x802"

       Package="Kerberos" UserName="DOMAIN\account"

       ClientName="account@DOMAIN.TEST.COM"

       ServerName="HTTP/test-iis.test.com@DOMAIN.TEST.COM"

       time_taken="0 ms"

       />

 

<AuthMonRow Number="27" tid="0x8f8" Date="01/13/2006 00:55:13.469"

       ProcIdentity="NT AUTHORITY\NETWORK SERVICE" ThreadIdentity="DOMAIN\account(SecurityImpersonation)"

       Name="CreateFileW" File="\\?\e:\inetpub\wwwroot\pagerror.gif"

       Success="Yes" Error_Number="0" Error=""

       time_taken="0 ms"

       />

 

<AuthMonRow Number="28" tid="0x8f8" Date="01/13/2006 00:55:13.469"

       Name="HttpSendHttpResponse"

       Req="0xdf0000006000001c"

       StatusCode="200" Reason="OK"

       />
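
One way to read a longer trace than the sample above, as an added example that is not part of the original post or the AuthDiag toolkit: this Python script groups AuthMonRow entries per request and lists failed AcceptSecurityContext or CreateFileW calls together with the impersonated identity. It assumes the log is a sequence of `<AuthMonRow ... />` elements as shown on this page; the embedded sample rows are constructed, and attaching rows without a Req attribute to the latest request on the same tid is an assumption of the example.

```python
import re

ROW_RE = re.compile(r"<AuthMonRow\b(.*?)/>", re.S)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample in the layout shown above; the failing CreateFileW row
# (Success="No", error 5) is invented for illustration.
SAMPLE = r'''
<AuthMonRow Number="1" tid="0x8f8" Name="OnNewRequest" Req="0x19" Url="/" Auth_header="" />
<AuthMonRow Number="2" tid="0x8f8" Name="HttpSendHttpResponse" Req="0x19" StatusCode="401" />
<AuthMonRow Number="3" tid="0x8f8" Name="OnNewRequest" Req="0x1a" Url="/" Auth_header="Negotiate YII..." />
<AuthMonRow Number="4" tid="0x8f8" Name="AcceptSecurityContext" Result="0x0" Package="Kerberos" UserName="DOMAIN\account" />
<AuthMonRow Number="5" tid="0x8f8" ThreadIdentity="DOMAIN\account(SecurityImpersonation)"
       Name="CreateFileW" File="\\?\e:\inetpub\wwwroot\iisstart.htm"
       Success="No" Error_Number="5" Error="Access is denied." />
<AuthMonRow Number="6" tid="0x8f8" Name="HttpSendHttpResponse" Req="0x1a" StatusCode="401" />
'''

def parse_rows(text):
    """Return one dict of attributes per <AuthMonRow .../> element, in file order."""
    return [dict(ATTR_RE.findall(body)) for body in ROW_RE.findall(text)]

def summarize(rows):
    """Group rows into requests. Rows without a Req attribute are attached to
    the latest OnNewRequest seen on the same tid (assumption of this example)."""
    requests, by_tid = {}, {}
    for row in rows:
        name = row.get("Name")
        if name == "OnNewRequest":
            header = row.get("Auth_header", "")
            req = {"url": row.get("Url"), "scheme": header.split(" ")[0] or None,
                   "package": None, "user": None, "status": None, "problems": []}
            requests[row["Req"]] = by_tid[row.get("tid")] = req
        elif name == "HttpSendHttpResponse" and row.get("Req") in requests:
            requests[row["Req"]]["status"] = int(row["StatusCode"])
        elif row.get("tid") in by_tid:
            req = by_tid[row["tid"]]
            if name == "AcceptSecurityContext":
                req["package"], req["user"] = row.get("Package"), row.get("UserName")
                if int(row.get("Result", "0x0"), 16) != 0:
                    req["problems"].append("AcceptSecurityContext " + row["Result"])
            elif name == "CreateFileW" and row.get("Success") != "Yes":
                req["problems"].append("CreateFileW %s as %s: error %s" % (
                    row.get("File"), row.get("ThreadIdentity"), row.get("Error_Number")))
    return list(requests.values())

if __name__ == "__main__":
    for r in summarize(parse_rows(SAMPLE)):
        print(r["url"], r["scheme"], r["package"], r["user"], r["status"], r["problems"])
```

The Auth_header attribute holds the client's authentication blob, so the w3wp_<pid>.log files should be handled as sensitive data when they are copied off the server for analysis.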

Comments

  1. 半导体激光治疗仪
    June 9, 2007

    Semiconductor laser therapy device

  2. 半导体激光治疗仪
    June 9, 2007

    Semiconductor laser therapy device

  3. Eduard
    October 13, 2007

    Hi,

    Am playing around with version  1.0.........

    Where can I find ver 1.1 ???

    I looked at the download section at MS, but nothing (only v1.0)

    WKR

  4. davcox
    September 15, 2009

    We didn't change the version in the IIS Diagnostics Toolkit ... 1.0 was the last and only version.
