#1 (permalink)
Hi,
and sorry that this is so way off topic. The problem that we have with IIS and SSO is just for one application. We use it on loads of systems but I can't get it working on this one. Maybe someone can shine a light on it.

Right now all is working if I use the internal DNS name. But as soon as I use the external DNS name it fails, giving me a "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'." error.

I have added the SPN for the remote address (setspn -a http/external.dns.name Internaldns) but that did not change anything. I have got the feeling that it is when IIS translates the user info over to the SQL server that it all goes crazy. Does anybody have an idea?

The really weird thing is that if I first go to the internal address, where it works, then I can use the external address from another computer (as long as the ticket from the first computer is alive).

Ah well, I hope that someone with some IIS skills can shine a light on this. :P

Cheers, WebFooL
__________________
"Of all the things I've lost, I miss my mind the most" Untangle Reseller (Sweden) WebFooL@fakenews.se http://fakenews.se/ Need space to Upload content for you forum post? http://about.me/webfool
#2 (permalink)
Join Date: Aug 2007
URLs submitted: 171
Posts: 4,802
Do you see any blocked activity on ports 88, 113 or 751? I'm thinking that there may be Kerberos authentication attempts from the outside that are being blocked. I may be way off base, but it's worth checking.
__________________
This space reserved for profound thought.....which does happen on occasion."
#3 (permalink)
I have only port-forwarded port 80 on the external DNS name.
Will try adding 88 and see if that works. Thanks mdh, I'll let you know if it works :P
#4 (permalink)
OK, now I have confirmation.
It is when IIS sends over NTLM sessions to the SQL server. Sadly, opening the Kerberos ports did not help.
#5 (permalink)
Have you read these?
http://blogs.msdn.com/sql_protocols/...nnections.aspx
http://www.phishthis.com/2009/10/24/...hentication-2/
http://support.microsoft.com/kb/319723
#6 (permalink)
I found the http://support.microsoft.com/kb/319723 and have started working after those instructions.
But I will have to check with the devs of the application on how they normally do SSO with external DNS name. I'll keep you posted. And thanks so far.
#7 (permalink)
Based on what you told me, I found those with a Google search on the following criteria:

iis ntlm sql port

Sometimes I get a hit, and sometimes I get hit...
#9 (permalink)
dwasserman,
Thanks for the idea. After adding the setspn http/remote.dns.name serveraddress But I also want my staff to be able to log in without having to connect the VPN. (Otherwise I can be happy with the internal DNS name.)