Saturday, October 24, 2009

Remote Desktop using NLA from XP to Server 2008 R2

I recently had to connect to my Server 2008 R2 computer (only allowing Network Level Authentication (NLA) for RD) from an older XP client running SP3. No luck at first. Turns out that to use NLA from XP SP3, I had to make two registry changes.

I found out how to do this on https://support.soundenterprises.net/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=221, but I also included that information below just in case the source link disappears one day.

Enabling Network Level Authentication on Windows XP Service Pack 3 for access to Server 2008 via Remote Desktop

When connecting to a Windows 2008 Server using remote desktop from a Windows XP client running service pack 2 or earlier, you get the following error message:

"The remote computer requires Network Level Authentication, which your computer does not support."

To enable NLA on XP machines, first install XP SP3, then edit the registry on the XP client machine to allow NLA.

Next, configure XP for NLA as follows:

1. Click Start, click Run, type regedit, and then press ENTER.
2. In the navigation pane, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. In the details pane, right-click Security Packages, and then click Modify.
4. In the Value data box, type tspkg. Leave any data that is specific to other SSPs, and then click OK.
5. In the navigation pane, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
6. In the details pane, right-click SecurityProviders, and then click Modify.
7. In the Value data box, type credssp.dll. Leave any data that is specific to other SSPs, and then click OK.
8. Exit Registry Editor.
9. Restart the computer.
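The same two edits as a script, added here as an example (not part of the original post or the linked article). Run it from an elevated PowerShell prompt on the XP SP3 client and reboot afterwards as step 9 says. Two details the click-through steps leave implicit: "Security Packages" under Lsa is a REG_MULTI_SZ list, while "SecurityProviders" is a single comma-separated REG_SZ string, so each gets appended differently, and both helpers skip the write if the entry is already present so the other SSP entries the steps tell you to keep are never clobbered. The SP3 check via WMI is my own precondition, not something the article states.

```powershell
# Added example: append tspkg / credssp.dll to the two registry values from the
# steps above without overwriting the SSP entries already listed there.
# Needs PowerShell 2.0 on XP SP3 and an elevated prompt. Reboot when done.

function Add-MultiStringEntry {
    # "Security Packages" is REG_MULTI_SZ: one entry per array element
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)] [string] $Entry
    )
    $current = @((Get-ItemProperty -Path $Path -Name $Name).$Name)
    # -contains compares strings case-insensitively, so "TSPKG" counts as present
    if ($current -contains $Entry) {
        Write-Host "$Name already lists '$Entry'; nothing to do."
        return
    }
    $updated = $current + $Entry
    Set-ItemProperty -Path $Path -Name $Name -Value $updated -Type MultiString
    Write-Host "$Name is now: $($updated -join ', ')"
}

function Add-CommaListEntry {
    # "SecurityProviders" is a single REG_SZ such as "msapsspc.dll, schannel.dll, ..."
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)] [string] $Entry
    )
    $current = (Get-ItemProperty -Path $Path -Name $Name).$Name
    $parts = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
    if ($parts -contains $Entry) {
        Write-Host "$Name already lists '$Entry'; nothing to do."
        return
    }
    $updated = ($parts + $Entry) -join ', '
    Set-ItemProperty -Path $Path -Name $Name -Value $updated -Type String
    Write-Host "$Name is now: $updated"
}

# Precondition (my own check): the CredSSP provider only ships with XP SP3,
# so refuse to edit the registry on anything older.
$os = Get-WmiObject Win32_OperatingSystem
if ($os.Version -notlike '5.1*' -or $os.CSDVersion -ne 'Service Pack 3') {
    throw "Expected Windows XP Service Pack 3, found '$($os.Caption) $($os.CSDVersion)'."
}

# Steps 2-4: add tspkg to Lsa\Security Packages
Add-MultiStringEntry -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                     -Name 'Security Packages' -Entry 'tspkg'

# Steps 5-7: add credssp.dll to SecurityProviders\SecurityProviders
Add-CommaListEntry -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders' `
                   -Name 'SecurityProviders' -Entry 'credssp.dll'

Write-Host 'Done. Restart the computer so LSA loads the new packages (step 9).'
```

Running the script a second time is harmless: both helpers report "nothing to do" instead of adding duplicate entries, which makes it safe to push to several XP clients without first checking which ones were already modified by hand.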

Thursday, October 1, 2009

Server 2008 R2 / ApplicationPoolIdentity / Databases

I recently set up a new website on a Windows Server 2008 R2 computer running IIS 7.5 and SQL Server 2008. The new site would not run... wouldn't even start (.NET security issues, database login error). After some painful investigation of the issues, I encapsulated the steps to correctly use IIS 7.5's new ApplicationPoolIdentity support and allow access to a SQL Server 2008 database.

Microsoft will continue to clamp down on security, and the use of ApplicationPoolIdentity is the default setting for a new website (so I'm blogging this to help others and to remind myself).

To the best of my knowledge, here are the steps to get your site up and running on 2008 R2 (if you have any corrections or feedback, please comment):

1) Using IIS, select “Application Pools”. Right-click the pool to modify and choose “Advanced Settings”. In the “Process Model” section:
a. Verify “Identity” is set to ApplicationPoolIdentity.
b. Verify “Load User Profile” is set to true.

2) Using IIS, select the site to modify. In the IIS section, double-click “Authentication”. Next, “Edit” the “Anonymous Authentication” entry and verify “Application pool identity” is chosen.

3) Using SQL Server Management Studio, select “Security”, then “Logins”. Add a “New Login” using:
a. Set “Login name” to “IIS AppPool\yourIISSiteName”.
b. Select “Windows authentication” (don’t worry that this doesn’t resemble a real account on the computer; click OK).

4) Optional, for finer control of permissions on the site files:
a. Using Windows Explorer, right-click the site directory and choose “Properties”. Select the “Security” tab and choose “Add”.
b. In the “Enter the object names to select” box, enter “IIS AppPool\yourIISSiteName”. Click OK.
c. Before leaving the “Permissions” dialog, customize the permissions for the new account (read, write, execute, etc.).

Whew!
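The four steps above as one script, added here as an example (it is not from the original post). It assumes placeholder names: a site and application pool both called MySite (IIS names the pool after the site by default, and the virtual account is IIS AppPool\<pool name>), content under C:\inetpub\MySite with a writable App_Data subfolder, and a database MyDb on the local default SQL Server instance; change those to match your server. It uses appcmd.exe for the IIS settings, sqlcmd.exe with Windows authentication for the login, and icacls.exe for the folder ACL; setting anonymousAuthentication's userName to an empty string is how appcmd expresses "use the application pool identity". The role memberships at the end are my choice: the virtual account gets read/write on tables only, not db_owner, and only read/execute on the site files except where it genuinely has to write.

```powershell
# Added example: configure an IIS 7.5 site to run as ApplicationPoolIdentity and
# give that virtual account database and file-system access. Run elevated on the
# Server 2008 R2 box. All names below are placeholders.
$siteName    = 'MySite'
$appPool     = 'MySite'                      # IIS creates a pool named after the site
$siteRoot    = 'C:\inetpub\MySite'
$dbName      = 'MyDb'
$sqlInstance = '.'                           # local default instance
$identity    = "IIS AppPool\$appPool"        # the virtual account the pool runs as
$appcmd      = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

# Step 1: pool identity = ApplicationPoolIdentity, profile loaded (temp dir, HKCU)
& $appcmd set apppool "$appPool" `
    /processModel.identityType:ApplicationPoolIdentity `
    /processModel.loadUserProfile:true

# Step 2: anonymous requests run as the pool identity (empty userName means
# "Application pool identity" in the Edit Anonymous Authentication dialog)
& $appcmd set config "$siteName" /section:anonymousAuthentication `
    /userName:"" /commit:apphost

# Step 3: Windows login for the virtual account, mapped into the database.
# sp_addrolemember is the SQL Server 2008 way (ALTER ROLE ... ADD MEMBER is 2012+).
$tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$identity')
    CREATE LOGIN [$identity] FROM WINDOWS;
GO
USE [$dbName];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$identity')
    CREATE USER [$identity] FOR LOGIN [$identity];
EXEC sp_addrolemember N'db_datareader', N'$identity';
EXEC sp_addrolemember N'db_datawriter', N'$identity';
GO
"@
$script = Join-Path $env:TEMP 'grant-apppool.sql'
Set-Content -Path $script -Value $tsql -Encoding ASCII
& sqlcmd.exe -S $sqlInstance -E -b -i $script      # -E = Windows auth, -b = fail on error
if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
Remove-Item $script

# Step 4: read + execute on the content tree, modify only where the app must write
& icacls.exe $siteRoot /grant "${identity}:(OI)(CI)RX"
& icacls.exe (Join-Path $siteRoot 'App_Data') /grant "${identity}:(OI)(CI)M"

# Show what we ended up with
& $appcmd list apppool "$appPool" /text:processModel.identityType
& icacls.exe $siteRoot
```

If the site still fails with a SQL login error after this, check that the connection string uses Integrated Security and not a SQL user, and that the pool really was recycled after the identity change; "IIS AppPool\MySite" only exists while a worker process for that pool is running, which is why SSMS cannot browse for it and you have to type the name in by hand.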

Can't RDP? How to enable / disable virtual machine firewall for Azure VM

Oh no!  I accidentally blocked the RDP port on an Azure virtual machine which resulted in not being able to log into the VM anymore.  I did ...