Need to impersonate a web app across a Domain controller?

So I am a bit serious about this, because it caused my remaining hair to go grey.

The developer and I were faced with a project to authenticate a client browser via a website, so it would auto-login to a domain-controlled server and show video using the logged-in credentials passed by NTLM authentication, with that machine's domain privileges. <- That's a mouthful.

The developer (quite a good one at that) had used Cassini in Visual Studio 2008 (as well as, "shudder", MVC 2.0) to build the web app, and it worked on the local domain he was writing it on. Then we decided to move the code to a ("shudder") Windows 2003 R2 Server, which obviously has IIS6, and where the only local database available was MS SQL 2000 (this should have killed it altogether). We pressed on and added the site and the permissions, locally and with domain privileges, on the server.

However, we continued to hit 401.1 errors every time we attempted to browse the site, and on the server itself we would get 400 errors.

So after pulling out those grey hairs and throwing rocks at the monitor (not really), I researched and researched, and found very little on the subject. I started to play around with domain privileges. You know, the kind that gets you into trouble.

And here is how I got it to work (for the time being).

I registered this DLL (Start -> Run -> in the Open prompt): rundll32 %systemroot%\system32\iissuba.dll,RegisterIISSUBA

Let that run, and perhaps even reboot the server for good measure (meh, Windows).

I installed: Windows Server 2003 Service Pack 1 32-bit Support Tools (say that ten times fast).

Once that was installed I went to Start -> Program Files -> Windows Support Tools -> Command Prompt. There I typed the first of two strings: setspn.exe -a http/<YourSite>:<YourPort> <Domain>\<Server>

Once that runs, run this: setspn.exe -a http/<YourSite> <Domain>\<Server>

Do NOT run them at the same time.

Kinda look the same, eh? Notice the port difference.

Now add these two registry scripts:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"BackConnectionHostNames"=hex(7):<hex of your site name>

You may want to just go to the above location in the registry and create the value yourself (it is a Multi-String Value, one host name per line, which is what the hex(7) above stands for).

Next key:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"DisableStrictNameChecking"=dword:00000001

If you have questions about the registry edits above, have a look here.

Now you can reboot for sure.

Ah but we are not done yet.

Make sure your site's web.config and code are set to impersonate a domain user.
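The SPN, registry and web.config steps above, pulled together as one PowerShell script you can run elevated on the web server. This is an added example, not code from the original post; the host name, port, account and web.config path are placeholders you substitute with your own. It also checks the SPN list before adding, since a second run of the setspn lines above would otherwise register duplicates.

```powershell
# Added example, not from the original post. Placeholders throughout:
$SiteHost = 'intranet.example.local'   # stands in for <YourSite>
$Port     = 8080                       # stands in for <YourPort>
$Account  = 'EXAMPLE\WEBSRV01'         # stands in for <Domain>\<Server>

# 1. Register the two SPNs one after the other, checking the account's
#    current list first so a rerun does not add duplicates.
#    (setspn -L exists in the 2003 Support Tools; -Q and -S arrived in 2008.)
$wanted     = @("http/${SiteHost}:${Port}", "http/$SiteHost")
$registered = & setspn.exe -L $Account 2>&1
foreach ($spn in $wanted) {
    if ($registered -match ('^\s*' + [regex]::Escape($spn) + '\s*$')) {
        Write-Host "SPN already present: $spn"
    } else {
        & setspn.exe -A $spn $Account
    }
}

# 2. BackConnectionHostNames is a REG_MULTI_SZ (the hex(7) in the .reg file
#    above), one host name per entry. It exempts the listed names from the
#    NTLM loopback check, which is what hands back 401.1 when a site on the
#    server is browsed from the server itself by a name other than the
#    machine name. Keep any names already present and add ours.
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$current = (Get-ItemProperty -Path $lsaKey -Name BackConnectionHostNames `
                -ErrorAction SilentlyContinue).BackConnectionHostNames
$names = @($current) + @($SiteHost) |
    Where-Object { $_ } | Select-Object -Unique
New-ItemProperty -Path $lsaKey -Name BackConnectionHostNames `
    -PropertyType MultiString -Value ([string[]]$names) -Force | Out-Null

# 3. DisableStrictNameChecking lets the Server service answer to the alias
#    name as well as the machine name; it is a DWORD of 1.
$srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
New-ItemProperty -Path $srvKey -Name DisableStrictNameChecking `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 4. web.config: Windows authentication plus impersonation is what makes
#    ASP.NET run each request as the browser's domain user instead of the
#    application pool identity. The fragment you want in web.config is:
#      <system.web>
#        <authentication mode="Windows" />
#        <identity impersonate="true" />
#      </system.web>
function Test-ImpersonationConfig([string]$Path) {
    [xml]$cfg = Get-Content -Path $Path
    $web = $cfg.configuration.'system.web'
    return ($web.authentication.mode -eq 'Windows' -and
            $web.identity.impersonate -eq 'true')
}

# Placeholder path; point it at the site's own web.config.
$webConfig = 'C:\inetpub\wwwroot\VideoSite\web.config'
if (-not (Test-ImpersonationConfig $webConfig)) {
    Write-Warning "$webConfig is not set for Windows auth plus impersonation"
}

Write-Host 'Reboot, then test from another machine before testing on the server.'
```

Run it once, reboot as the post says, and re-run setspn.exe -L <Domain>\<Server> to confirm exactly one copy of each SPN is listed; a duplicate SPN on two accounts breaks Kerberos for both, which is why the script checks before adding.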

Now we are done.

Enjoy. Please feel free to discuss this, or any other fun you have with the above updates, with me on Twitter or on Facebook.
