
I have a web application running on Windows Server 2016. In this app I use HTTP.sys with Negotiate authentication enabled. I have also configured Active Directory, and when I open my site I see that the web browser gets Kerberos tickets and sends them to the server.

Here are the tickets which the client sends to the server:

Negotiate 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
Negotiate 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

After sending the second ticket to the server I get a response with a 401 error in it.

I use Network Monitor and KerberosAuthenticationTester.exe for troubleshooting, although they don't help.

I think that I have trouble with http.sys kernel-mode authentication. I know that http.sys runs under the SYSTEM account and that I have to register an SPN for it, but I don't know how to find out its name.

So I have two main questions. First, how do I register an SPN to make Kerberos kernel-mode authentication work? Second, how can I troubleshoot such issues? I didn't find any way to watch logs of the http.sys ticket validation process.

Here is the list of all SPNs registered in my domain:

Object Name =  WIN-7371PG2MFIQ
DN      =       CN=WIN-7371PG2MFIQ,OU=Domain Controllers,DC=testing,DC=com
Object Cat. =  CN=Computer,CN=Schema,CN=Configuration,DC=testing,DC=com
servicePrincipalNames
SPN( 1 )   =       ldap/WIN-7371PG2MFIQ.testing.com/testing.com
SPN( 2 )   =       Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/WIN-7371PG2MFIQ.testing.com
SPN( 3 )   =       ldap/WIN-7371PG2MFIQ.testing.com/ForestDnsZones.testing.com
SPN( 4 )   =       ldap/WIN-7371PG2MFIQ.testing.com/DomainDnsZones.testing.com
SPN( 5 )   =       TERMSRV/WIN-7371PG2MFIQ
SPN( 6 )   =       TERMSRV/WIN-7371PG2MFIQ.testing.com
SPN( 7 )   =       DNS/WIN-7371PG2MFIQ.testing.com
SPN( 8 )   =       GC/WIN-7371PG2MFIQ.testing.com/testing.com
SPN( 9 )   =       RestrictedKrbHost/WIN-7371PG2MFIQ.testing.com
SPN( 10 )   =       RestrictedKrbHost/WIN-7371PG2MFIQ
SPN( 11 )   =       RPC/7f8d73cf-6d4c-4ba0-9fc1-fcadbdb48035._msdcs.testing.com
SPN( 12 )   =       HOST/WIN-7371PG2MFIQ/TESTING
SPN( 13 )   =       HOST/WIN-7371PG2MFIQ.testing.com/TESTING
SPN( 14 )   =       HOST/WIN-7371PG2MFIQ
SPN( 15 )   =       HOST/WIN-7371PG2MFIQ.testing.com
SPN( 16 )   =       HOST/WIN-7371PG2MFIQ.testing.com/testing.com
SPN( 17 )   =       E3514235-4B06-11D1-AB04-00C04FC2DCD2/7f8d73cf-6d4c-4ba0-9fc1-fcadbdb48035/testing.com
SPN( 18 )   =       ldap/WIN-7371PG2MFIQ/TESTING
SPN( 19 )   =       ldap/7f8d73cf-6d4c-4ba0-9fc1-fcadbdb48035._msdcs.testing.com
SPN( 20 )   =       ldap/WIN-7371PG2MFIQ.testing.com/TESTING
SPN( 21 )   =       ldap/WIN-7371PG2MFIQ
SPN( 22 )   =       ldap/WIN-7371PG2MFIQ.testing.com

Object Name =  DESKTOP-8727TGP
DN      =       CN=DESKTOP-8727TGP,CN=Computers,DC=testing,DC=com
Object Cat. =  CN=Computer,CN=Schema,CN=Configuration,DC=testing,DC=com
servicePrincipalNames
SPN( 1 )   =       TERMSRV/DESKTOP-8727TGP
SPN( 2 )   =       TERMSRV/DESKTOP-8727TGP.testing.com
SPN( 3 )   =       RestrictedKrbHost/DESKTOP-8727TGP
SPN( 4 )   =       HOST/DESKTOP-8727TGP
SPN( 5 )   =       RestrictedKrbHost/DESKTOP-8727TGP.testing.com
SPN( 6 )   =       HOST/DESKTOP-8727TGP.testing.com

Object Name =  containerhost
DN      =       CN=containerhost,CN=Managed Service Accounts,DC=testing,DC=com
Object Cat. =  CN=ms-DS-Group-Managed-Service-Account,CN=Schema,CN=Configuration,DC=testing,DC=com
servicePrincipalNames
SPN( 1 )   =       HTTP/containerhost1.domain.test

Object Name =  Admin
DN      =       CN=Admin,CN=Users,DC=testing,DC=com
Object Cat. =  CN=Person,CN=Schema,CN=Configuration,DC=testing,DC=com
servicePrincipalNames
SPN( 1 )   =       http/testing.com

Object Name =  krbtgt
DN      =       CN=krbtgt,CN=Users,DC=testing,DC=com
Object Cat. =  CN=Person,CN=Schema,CN=Configuration,DC=testing,DC=com
servicePrincipalNames
SPN( 1 )   =       kadmin/changepw

1 Answer


You have the SPN attached to your Admin user. Kerberos works by encrypting the ticket to the key (password) of the principal (user) that has the SPN attached. That means it's encrypted to the Admin user.

Object Name =  Admin
DN      =       CN=Admin,CN=Users,DC=testing,DC=com
Object Cat. =  CN=Person,CN=Schema,CN=Configuration,DC=testing,DC=com
servicePrincipalNames
SPN( 1 )   =       http/testing.com

Your IIS server has no knowledge of the user's password, so it has no way to decrypt the ticket.

What you need to do is REMOVE the SPN from the Admin user and ADD it to the computer principal running IIS. Note that you must remove it before you can add it to another principal.

Steve
  • I registered the SPN for the Windows Server machine. The client now sends only one ticket, and it looks like it is right. Before this the client sent two different tickets, as I wrote already. The problem is that it is still not working. I also tried to launch my web application under the system account by using the Psexec.exe utility. But it didn't help. – Semen Koltsov Apr 09 '19 at 15:47
  • "Not working" is not a particularly useful description of the issue. You should enable tracing. It will tell you what the actual error raised is. – Steve Apr 09 '19 at 21:00
  • I spent a few days trying to catch the error but didn't find any error messages. Event Viewer shows a successful logon with event ID 4624. I thought that I would see a KRB_AP_ERR_MODIFIED error message, but it shows nothing. I assume that the main problem is that I run my application with the admin account. I have to use http.sys separately, without IIS. And now I'm trying to find out how to do something like app pools in IIS: register an SPN for the SYSTEM account or the Network Service account that will be able to decrypt the ticket, and run the application under this account. – Semen Koltsov Apr 16 '19 at 17:35
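The procedure the answer describes, moving the SPN from the Admin user to the computer account of the host that runs http.sys, together with the checks a practitioner would run before and after, as an added PowerShell example that is not part of the original question, answer or comments. It assumes a web server whose computer account is WEBSRV (websrv.testing.com) and that users reach the site as http://testing.com/, so the browser asks the KDC for a ticket to HTTP/testing.com; neither name appears on the page, both are placeholders. The SPN must match the host name in the URL the browser uses, and because http.sys authenticates as SYSTEM, the only key on the server that can decrypt the ticket is the machine account's, which is why the SPN belongs on the computer object and not on a user.

```powershell
# Added example (not from the original post). Placeholders, not from the page:
#   WEBSRV / websrv.testing.com  - computer account of the host running http.sys
#   HTTP/testing.com             - SPN the browser requests for http://testing.com/
# Run as a domain admin on a domain-joined machine with setspn.exe and the
# ActiveDirectory PowerShell module (RSAT) available.

# 1. Find out which account currently holds the SPN the browser asks for.
#    On this page that is the Admin user, so the ticket is encrypted to the
#    user's password and the server, running as SYSTEM, cannot decrypt it.
setspn -Q HTTP/testing.com

# 2. Remove the SPN from the user first. setspn -S refuses to register an SPN
#    that already exists on another account in the forest.
setspn -D HTTP/testing.com Admin

# 3. Register the SPN on the computer account of the http.sys host.
#    -S checks for duplicates before adding; a computer account can be given
#    by its name without the trailing '$'. Register the name in the URL and,
#    for completeness, the host's own short and fully qualified names.
setspn -S HTTP/testing.com WEBSRV
setspn -S HTTP/websrv.testing.com WEBSRV
setspn -S HTTP/websrv WEBSRV

# 4. Forest-wide duplicate check. A duplicate SPN makes the KDC issue tickets
#    encrypted to whichever account it happens to pick, which fails the same way.
setspn -X

# 5. Read the final SPN set back from AD to confirm placement.
Get-ADComputer -Identity WEBSRV -Properties servicePrincipalName |
    Select-Object -ExpandProperty servicePrincipalName

# 6. On a client, drop cached tickets and force a fresh TGS request for the
#    SPN. A successful reply lists the ticket with its encryption type; an
#    unregistered SPN comes back as KDC_ERR_S_PRINCIPAL_UNKNOWN.
klist purge
klist get HTTP/testing.com

# 7. Troubleshooting on the web server: turn on Kerberos client event logging
#    (LogLevel = 1) so ticket validation failures such as KRB_AP_ERR_MODIFIED
#    appear in the System log, then read them back. Set it to 0 again when
#    done; it also logs benign errors.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' `
    -Name LogLevel -Value 1 -Type DWord
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos' } -MaxEvents 20 |
    Format-List TimeCreated, Id, Message

# 8. Troubleshooting on the domain controller: event 4769 in the Security log
#    records every service ticket request, including the SPN asked for and the
#    failure code, which shows whether the client is even asking for the right SPN.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } -MaxEvents 20 |
    Format-List TimeCreated, Message
```

Two caveats worth keeping in mind. The HOST/ SPNs already present on a computer object (see the WIN-7371PG2MFIQ and DESKTOP-8727TGP entries above) cover HTTP/ for the machine's own host name through the default sPNMappings, so a site reached by the server's own name often works without any extra SPN; a different name such as testing.com does not get that treatment and needs an explicit HTTP/ SPN on the account whose key the server holds. And after moving the SPN, clients still hold the old ticket until it expires or klist purge is run, so a test immediately after setspn can fail for that reason alone.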