AuthDiag v1.1

The IIS Diagnostics Toolkit contains a new version of the AuthDiag tool.

It has an updated authmon.dll that can collect traces from all application pools.

To make it work, run the following from a command prompt:

cd /d "C:\Program Files\IIS Resources\AuthDiag"

cacls . /E /G IIS_WPG:F

iisreset

rundll32 authmon.dll,Begin

Then, when you make requests to IIS, a w3wp_<pid>.log file will be created in AuthDiag's directory, where <pid> is the process ID of the IIS worker process.

To stop tracing, run: iisreset

Here is a sample log file with my comments:

<AuthMonRow Number="5" tid="0x8f8" Date="01/13/2006 00:55:09.484"
       Name="OnNewRequest" SiteId="1" Conn="0xdf00000040000018" Req="0xdf00000060000019"
       Verb="GET"
       Url="/"
       Auth_header_length="0" Auth_header=""
       />

IE sends an anonymous request; IIS will respond with 401.

<AuthMonRow Number="8" tid="0x8f8" Date="01/13/2006 00:55:09.797"
       Name="HttpSendHttpResponse"
       Req="0xdf00000060000019"
       StatusCode="401" Reason="Unauthorized"
       />

IE sends a request with a Kerberos blob.

<AuthMonRow Number="10" tid="0x8f8" Date="01/13/2006 00:55:12.422"
       Name="OnNewRequest" SiteId="1" Conn="0xdf00000040000018" Req="0xdf0000006000001a"
       Verb="GET"
       Url="/"
       Auth_header_length="4538" Auth_header="Negotiate YIINPwY..."
       />

AcceptSecurityContext will resolve the blob to a user token.

<AuthMonRow Number="12" tid="0x8f8" Date="01/13/2006 00:55:12.422"
       Name="AcceptSecurityContext" Result="0x0" ContextAttr="0x802"
       Package="Kerberos" UserName="DOMAIN\account"
       ClientName="account@DOMAIN.TEST.COM"
       ServerName="HTTP/test-iis.test.com@DOMAIN.TEST.COM"
       time_taken="0 ms"
       />

Opening the file while impersonating the authenticated user (REDMOND\uladm).

<AuthMonRow Number="18" tid="0x8f8" Date="01/13/2006 00:55:12.437"
       ProcIdentity="NT AUTHORITY\NETWORK SERVICE" ThreadIdentity="DOMAIN\account(SecurityImpersonation)"
       Name="CreateFileW" File="\\?\e:\inetpub\wwwroot\iisstart.htm"
       Success="Yes" Error_Number="0" Error=""
       time_taken="0 ms"
       />

<AuthMonRow Number="19" tid="0x8f8" Date="01/13/2006 00:55:12.437"
       Name="HttpSendHttpResponse"
       Req="0xdf0000006000001a"
       StatusCode="200" Reason="OK"
       />

<AuthMonRow Number="21" tid="0x8f8" Date="01/13/2006 00:55:13.297"
       Name="OnNewRequest" SiteId="1" Conn="0xdf00000040000018" Req="0xdf0000006000001b"
       Verb="GET"
       Url="/pagerror.gif"
       Auth_header_length="0" Auth_header=""
       />

iisstart.htm refers to pagerror.gif; IE tries to get it anonymously, and IIS will respond again with 401.

<AuthMonRow Number="23" tid="0x8f8" Date="01/13/2006 00:55:13.297"
       Name="HttpSendHttpResponse"
       Req="0xdf0000006000001b"
       StatusCode="401" Reason="Unauthorized"
       />

<AuthMonRow Number="25" tid="0x8f8" Date="01/13/2006 00:55:13.469"
       Name="OnNewRequest" SiteId="1" Conn="0xdf00000040000018" Req="0xdf0000006000001c"
       Verb="GET"
       Url="/pagerror.gif"
       Auth_header_length="4538" Auth_header="Negotiate YIINPwYGK..."
       />

IE sends a request with a Kerberos blob; AcceptSecurityContext will resolve the blob to a user token.

<AuthMonRow Number="26" tid="0x8f8" Date="01/13/2006 00:55:13.469"
       Name="AcceptSecurityContext" Result="0x0" ContextAttr="0x802"
       Package="Kerberos" UserName="DOMAIN\account"
       ClientName="account@DOMAIN.TEST.COM"
       ServerName="HTTP/test-iis.test.com@DOMAIN.TEST.COM"
       time_taken="0 ms"
       />

<AuthMonRow Number="27" tid="0x8f8" Date="01/13/2006 00:55:13.469"
       ProcIdentity="NT AUTHORITY\NETWORK SERVICE" ThreadIdentity="DOMAIN\account(SecurityImpersonation)"
       Name="CreateFileW" File="\\?\e:\inetpub\wwwroot\pagerror.gif"
       Success="Yes" Error_Number="0" Error=""
       time_taken="0 ms"
       />

<AuthMonRow Number="28" tid="0x8f8" Date="01/13/2006 00:55:13.469"
       Name="HttpSendHttpResponse"
       Req="0xdf0000006000001c"
       StatusCode="200" Reason="OK"
       />
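
The rows in such a log can be correlated per request to see which requests were anonymous, which SSPI package authenticated them, and under which identity files were opened. The following Python sketch is an added example, not part of AuthDiag or the original post; the sample rows are constructed in the layout shown above (handles and blob shortened), and attributing rows that carry no Req attribute to the request in flight on the same tid is an assumption drawn from that sample.

```python
import re

# One <AuthMonRow .../> element; quoted values may themselves contain '/' or '>'.
ROW_RE = re.compile(r'<AuthMonRow\b((?:\s+\w+="[^"]*")*)\s*/>')
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample in the layout of the log above (handles and blob shortened).
SAMPLE = r'''
<AuthMonRow Number="5" tid="0x8f8" Name="OnNewRequest" Req="0x19"
       Url="/" Auth_header_length="0" Auth_header="" />
<AuthMonRow Number="8" tid="0x8f8" Name="HttpSendHttpResponse" Req="0x19" StatusCode="401" />
<AuthMonRow Number="10" tid="0x8f8" Name="OnNewRequest" Req="0x1a"
       Url="/" Auth_header_length="14" Auth_header="Negotiate AAAA" />
<AuthMonRow Number="12" tid="0x8f8" Name="AcceptSecurityContext"
       Result="0x0" Package="Kerberos" UserName="DOMAIN\account" />
<AuthMonRow Number="18" tid="0x8f8" Name="CreateFileW" File="\\?\e:\inetpub\wwwroot\iisstart.htm"
       ThreadIdentity="DOMAIN\account(SecurityImpersonation)" />
<AuthMonRow Number="19" tid="0x8f8" Name="HttpSendHttpResponse" Req="0x1a" StatusCode="200" />
'''

def parse_rows(text):
    return [dict(ATTR_RE.findall(m.group(1))) for m in ROW_RE.finditer(text)]

def summarize(text):
    """Group rows per request: auth scheme, SSPI result, identity, status."""
    reqs, in_flight = {}, {}          # Req handle -> summary, tid -> Req
    for row in parse_rows(text):
        name, tid = row.get("Name"), row.get("tid")
        if name == "OnNewRequest":
            scheme = row.get("Auth_header", "").split(" ", 1)[0] or "anonymous"
            reqs[row["Req"]] = {"url": row.get("Url"), "scheme": scheme,
                                "package": None, "sspi_result": None,
                                "user": None, "opened_as": [], "status": None}
            in_flight[tid] = row["Req"]
        elif name == "HttpSendHttpResponse" and row.get("Req") in reqs:
            reqs[row["Req"]]["status"] = int(row["StatusCode"])
            in_flight.pop(tid, None)  # request finished on this thread
        elif tid in in_flight:
            # Assumption: a row without Req belongs to the request in flight on its tid.
            cur = reqs[in_flight[tid]]
            if name == "AcceptSecurityContext":
                cur.update(package=row.get("Package"), user=row.get("UserName"),
                           sspi_result=row.get("Result"))
            elif name == "CreateFileW":
                cur["opened_as"].append((row.get("File"), row.get("ThreadIdentity")))
    return list(reqs.values())

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```

A request whose summary shows a package other than Kerberos, a non-zero sspi_result, or a file opened without the expected impersonated identity is the one to look at first when troubleshooting.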

5 Comments

  • Hi,

    Am playing around with version 1.0.........
    Where can I find ver 1.1 ???
    I looked at the download section at MS, but nothing (only v1.0)

    WKR

  • We didn't change the version in the IIS Diagnostics Toolkit ... 1.0 was the last and only version.

  • Hi,

    I realize that this blog post is old, but was wondering if anyone is still around who is familiar with the MS AuthDiag tool?

    The reason for my question is that I am seeing a message when I run the AuthDiag "Test Authentication" that I don't understand (and which doesn't make much sense to me):

    "Service principal name (SPN) for user 'domain\myusername' not found in Active Directory."

    The reason that this message doesn't make sense (to me) is that I don't think that there are SPNs for "users".

    I understand that a user object in AD can have servicePrincipalName attributes (e.g., HTTP/host.foo.com), but I didn't think that there are SPNs *FOR* users in AD?

    Assuming that the AuthDiag message is poorly-worded, can anyone explain what that message is telling me, i.e., what is AuthDiag checking for, and not finding?

    Thanks,
    Jim
