#1
Made domain controllers 2003 and now windows integrated auth. doesn't work!
We were running two windows 2000 servers as domain controllers. We brought up two windows 2003 domain controllers, transferred all the master roles properly, and then decommissioned the 2k servers.
We're running an app server on a 2k member server. Some of our pages are set to integrated auth. Prior to this, they all worked fine. Now they don't - it fails on a GetObject command and we get the error '80070035'. However, if we change it to basic auth, it prompts us to login, we login, and it works just fine. But then we put it back to integrated auth and it does not work. So then we set up the site on the 2k3 domain controller, chose windows integrated auth, and it works on that server. However, we aren't sure if it is working because it's directly on the domain controller it is querying, or because it is a 2k3 box. We don't have a 2k DC or a 2k3 member server to see for sure. So my question is, what could be causing only basic auth to work, and not integrated auth? It worked fine and literally broke as soon as we switched out the domain controllers. We even tried seizing the FSMO roles just in case they didn't transfer fully. I've run netdiag and dcdiag and everything passes just fine. Any thoughts?
#2
OK, here's an interesting twist. If I am on the server, and bring up the webpage on that server, it works. I can use both 'localhost' and the server's name, and it works. However, if I try to access the site from another server or workstation, it still does not work.
I copied this site out to multiple web servers, and got the same result - it works when I access the server from the server, but not from another server or workstation. This is very odd....
#3
Unfortunately I don't have 2003 to play with, but my guess is there is some firewall blockage. Does W2003 have an integrated firewall?
__________________
====== Doug G ======
I didn't attend the funeral, but I sent a nice letter saying I approved of it. --Mark Twain
#4
I don't think it's that, because like I said, it works when you're directly on the server. Meaning, I can access http://server1/login.asp from server1, but if I try to access http://server1/login.asp from server2 or workstation1, integrated auth fails - only basic auth works.
#5
Confirm problem exists
This won't help, Adam, but I have the same problem - I don't know if it worked before the domain controllers were made Server 2003, but I have a getObject asp script on an IIS 5.0 that works using basic authentication, but not with windows integrated. When you use a browser on the IIS server itself it works OK, but not when the client is elsewhere. Even when basic and integrated authentication are both enabled in IIS, and you go in with Mozilla using basic, it doesn't work. We want an authenticating page to check whether users are in staff or student groups, but don't want to put them off by presenting them with username-password prompts. If you could let me know if you found a solution, I would be grateful.
#6
I have a fix for the problem, and it should help you too!
It turns out that windows 2003 domains handle "double hop" authentication differently than windows 2000 domain controllers. Here is how you fix the problem:
- Open up Active Directory Users and Computers on a domain controller
- Find the computer that has the IIS server that is running the app
- Double-click the computer name to open it up, and check the box that says "Trust Computer for delegation"
- Wait for replication or force it
- Reboot that server

Depending on how the app is written, that may be all you need. However, you may need to also enable delegation for the user accounts that access it. So if this doesn't work, do the following:
- Locate your user account in AD Users and Computers, and double-click it
- Click the "account" tab
- Under the "account options" section, scroll down and check "account is trusted for delegation"
- Wait for replication or force it
- Log off of any computers you are logged into, then login and try it again.

That fixed the issue for me. If it doesn't, or you have questions, reply back.
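A check for the fix in post #6, added here as an example and not part of the original thread: the two delegation checkboxes are stored as bits in each account's `userAccountControl` attribute, so an export of that attribute shows whether the change has replicated and which accounts are trusted for delegation. The export below is a constructed, simplified LDIF sample (account and domain names are made up), and the function names are hypothetical.

```python
# userAccountControl bits (documented ADS_USER_FLAG values).
TRUSTED_FOR_DELEGATION = 0x80000   # "Trust ... for delegation" checkbox
NOT_DELEGATED = 0x100000           # "Account is sensitive and cannot be delegated"

# Constructed sample export; names and values are made up.
SAMPLE_LDIF = """\
dn: CN=SERVER1,CN=Computers,DC=example,DC=local
sAMAccountName: SERVER1$
userAccountControl: 528384

dn: CN=SERVER2,CN=Computers,DC=example,DC=local
sAMAccountName: SERVER2$
userAccountControl: 4096

dn: CN=Staff User,CN=Users,DC=example,DC=local
sAMAccountName: staffuser
userAccountControl: 1049088
"""

def parse_ldif(text):
    """Return one attribute dict per blank-line-separated entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                entry[key] = value
        entries.append(entry)
    return entries

def delegation_report(text):
    """Map sAMAccountName -> 'trusted', 'sensitive' or 'not trusted'."""
    report = {}
    for entry in parse_ldif(text):
        uac = int(entry["userAccountControl"])
        if uac & NOT_DELEGATED:
            status = "sensitive"      # this account's credentials are never delegated
        elif uac & TRUSTED_FOR_DELEGATION:
            status = "trusted"        # the checkbox from post #6 is set
        else:
            status = "not trusted"
        report[entry["sAMAccountName"]] = status
    return report

if __name__ == "__main__":
    for name, status in delegation_report(SAMPLE_LDIF).items():
        print(f"{name:12} {status}")
```

Run against an export taken from each domain controller, a differing result for the same account indicates the change has not replicated yet.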
#7
Still not working with windows authentication
Adam,
I thought it was very good of you to post that helpful reply, but it has not solved our problem, which remains as before. Is there anything else we can do?
Regards
#8
Sorry that did not help the issue. It fixed it completely here, so I'm not sure what to tell you.
#9
What are you trying to get with GetObject? If you are trying to access, say, an IIS metabase property then you will need to change the Metabase ACLs to allow IUSR_MachineName to access the appropriate path. This can be done with MetabaseExplorer, which is available with the IIS 6.0 Resource Kit. If you are not trying to change anything in the IIS 6.0 metabase then this will not help you.
__________________
John Shepard Beyond The Impossible ----------------------------- Has a post helped you? Please show your appreciation by clicking the image in the right upper corner. Posting code? Put your code between [code] and [/code] tags. X-Login and X-Send
#10
GetObject is getting user
The web site uses SSL and authenticates the user, hence the code in the web page does not run under the IUSR_MachineName account. GetObject is getting the user so that we can then find what groups the user belongs to and hence if they are staff or student. I believe I have found the relevant Microsoft article: it is
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;278836
I have not yet had time to try out Microsoft's solutions - except using basic authentication, which we don't want to do in this instance. Thanks for your suggestion! Thanks for showing an interest in my problem.