
IIS Madness: 401, Application Pool identities, and IP addresses March 1, 2007

Posted by codinglifestyle in IIS, Security.
Okay, here’s the situation. Set up a new website using Windows authentication only on any port other than 80. Create a “hello world” default.htm.  So far, so good… you may access the site at http://machinename:port. Now set that site to use an application pool with a domain user as the identity. Ensure you run aspnet_regiis -ga MachineName\AccountName. Now you are challenged and receive a 401. 
 
You are now in an interesting scenario:
http://machine:100/default.htm – does not work
http://192.168.1.234:100/default.htm – does work (assuming the machine’s IP is 192.168.1.234)
 
Why?
 
According to Microsoft, IIS’s Integrated Windows authentication uses Kerberos v5 authentication and NTLM authentication. If Active Directory is installed on a domain controller running Windows 2000 Server or Windows Server 2003, and the client browser supports the Kerberos v5 authentication protocol, Kerberos v5 authentication is used. To use Kerberos authentication, a service must register its service principal name (SPN) under the account in the Active Directory directory service that the service is running under.  By default, Active Directory registers the network basic input/output system (NetBIOS) computer name.  But what about the computer name under a different port?
 
In summary, the application pool’s identity is not authenticated correctly because IIS will try to use Kerberos by default. The browser asks for a ticket for HTTP/machinename (by default it does not put the non-standard port into the SPN), and that name is only covered by the computer account’s default registration, so the ticket is encrypted with a key the application pool’s domain account does not have. A URL with a bare IP address gives the browser no name to build an SPN from, so it falls back to NTLM, which is why that URL works.
 
 
To work around this behavior if you have multiple application pools that run under different domain user accounts, you must force IIS to use NTLM as your authentication mechanism if you want to use Integrated Windows authentication only. To do this, follow these steps on the server that is running IIS:
1. Start a command prompt.
2. Locate and then change to the directory that contains the Adsutil.vbs file. By default, this directory is C:\Inetpub\Adminscripts.
3. Type the following command, and then press ENTER:
cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
4. To verify that the NTAuthenticationProviders metabase property is set to NTLM, type the following command, and then press ENTER:
cscript adsutil.vbs get w3svc/NTAuthenticationProviders
The following text should be returned:
NTAuthenticationProviders : (STRING) "NTLM"
Reference: http://support.microsoft.com/kb/871179
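As an added example (not part of the original post), the alternative that keeps Kerberos working instead of switching the whole server to NTLM: register the HTTP service principal names under the application pool’s domain account, which is exactly what the Microsoft text above says a Kerberos service must do. Server, domain and account names are hypothetical placeholders, and setspn.exe is assumed to be available on the machine.

```powershell
# Added example, not from the original post: register the HTTP SPNs for the
# web server under the domain account the application pool runs as, so the
# KDC issues tickets that account can decrypt. All names are placeholders.
param(
    [string]$Server  = 'WEB01',                 # NetBIOS name of the IIS box
    [string]$Fqdn    = 'WEB01.contoso.com',      # its DNS name
    [string]$Account = 'CONTOSO\svc_webpool'     # application pool identity
)

# The browser asks for a ticket for HTTP/<host> exactly as typed in the URL
# (by default without the non-standard port), so register both name forms.
$spns = @("HTTP/$Server", "HTTP/$Fqdn")

# What is registered today: out of the box only the computer account holds
# HOST/WEB01, which Kerberos also uses for HTTP/. A ticket for HTTP/WEB01 is
# therefore encrypted with the computer account's key and the pool identity
# cannot decrypt it, hence the 401.
Write-Host "SPNs on the computer account ${Server}`$:"
setspn.exe -L "${Server}`$"
Write-Host "SPNs on ${Account}:"
setspn.exe -L $Account

# Register each SPN under the pool identity. -S (setspn from Windows Server
# 2008 or later) refuses to create a duplicate; the same SPN on two accounts
# breaks Kerberos for every client. On older tools, check with -L and use -A.
foreach ($spn in $spns) {
    setspn.exe -S $spn $Account
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "setspn reported a problem for $spn; check the output above, it may already belong to another account."
    }
}

# Verify, then recycle the application pool and have the client log off and
# on again so a fresh ticket is requested.
setspn.exe -L $Account
```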

Programatically recycle an IIS application pool October 20, 2006

Posted by codinglifestyle in ASP.NET, IIS.

One of the many banes in my life is waiting for IIS to reset.  When developing certain components, like a webpart or webcontrol, I often use a post-build event to gac the assembly and issue an iisreset.  This is necessary for IIS to pick up the latest assembly from the GAC.  Recycling the app pool also forces IIS to reload the assembly, but I never could find a command I could issue from my post-build batch file to automate this.  Well, now I don’t need to look because I just wrote my own utility to recycle the application pool:

using System;
using System.Collections.Generic;
using System.Text;
using System.DirectoryServices;   // IIS ADSI provider; reference System.DirectoryServices.dll

namespace AppPoolRecycler
{
    class Program
    {
        static void Main(string[] args)
        {
            if (args.Length != 2)
            {
                Console.WriteLine("Usage:\tapppoolrecycler.exe machine apppool\n\tapppoolrecycler.exe localhost mypool");
                return;
            }
            try
            {
                string sMachine = args[0];
                string sAppPool = args[1];

                // ADSI path of the application pool in the IIS 6 metabase
                string sPath = "IIS://" + sMachine + "/W3SVC/AppPools/" + sAppPool;
                Console.WriteLine(sPath);
                DirectoryEntry w3svc = new DirectoryEntry(sPath);
                // Invoke the IIsApplicationPool Recycle method; the calling user
                // needs administrative rights on the target machine
                w3svc.Invoke("Recycle", null);
                Console.WriteLine("Application pool recycled");
            }
            catch (Exception ex)
            {
                Console.WriteLine("Error: " + ex.Message);
            }
        }
    }
}

Now in my post build event I can gac my assembly and recycle the app pool which is much faster than a reset.

AppPoolRecycler.exe sanpaula mssharepointportalapppool

 

Take a look at this blog entry for more information: http://blogs.aspitalia.com/daniele/post555/Riciclare-Application-Pool-IIS-Codice-CSharp.aspx

 ———————–

Update!  I’ve recently come across a way to do this using a script which should be installed on W2003: 

c:\windows\system32\iisapp.vbs /a mssharepointportalapppool /r