I have set up a Visual WebGui ASP.NET application in an IIS 7 site on Server 2008 R2. The site is SSL secured and requires Windows authentication. After the authentication prompt, the user can access the first screen and maybe one more before being prompted again for a logon. At this point, the worker process w3wp.exe crashes (logged in the Application event log). Three occurrences of the 4649 error are found in the security event log at the same time.
The crash happens even after moving the app to a non-authenticated site, in which case the 4649 error is not generated, so the Kerberos error is not causing the app to crash. Rather, a symptom of the app crashing when on an authenticated site is the 4649 error. This error appears to correspond to a KRB_AP_ERR_REPEAT Kerberos error.
Here’s the security event:
Log Name: Security
Date: 12/13/2010 1:59:24 PM
Event ID: 4649
Task Category: Other Logon/Logoff Events
Keywords: Audit Failure
A replay attack was detected.
Security ID: SYSTEM
Account Name: SERVER01$
Account Domain: SVR08R2DOMAIN
Logon ID: 0x3e7
Credentials Which Were Replayed:
Account Name: WebUser01
Account Domain: SVR08R2DOMAIN.ORG
Process ID: 0x786e098
Workstation Name: -
Detailed Authentication Information:
Request Type: KRB_AP_REQ
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
This event indicates that a Kerberos replay attack was detected- a request was received twice with identical information. This condition could be caused by network misconfiguration.
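To check the reading above (4649 as a symptom that clusters around the w3wp.exe crash rather than a cause), here is an added PowerShell example, not from the original post, that pulls the Application Error (ID 1000) crash reports for w3wp.exe and counts the Security 4649 audits logged within a few seconds of each one. It assumes it is run elevated on the IIS host and that the replayed account appears in the 4649 event's TargetUserName data field; the time window is an assumed tuning value.

```powershell
# Correlate Kerberos replay-detection audits (Security 4649) with w3wp.exe
# crash reports (Application log, source "Application Error", Event ID 1000).
param(
    [int]$Hours = 24,          # how far back to look
    [int]$WindowSeconds = 10   # assumed window for "same time" correlation
)

$since = (Get-Date).AddHours(-$Hours)

# w3wp.exe crashes: Application Error events whose text names w3wp.exe
$crashes = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'w3wp\.exe' }

# Kerberos replay detections (KRB_AP_ERR_REPEAT surfaces as audit failure 4649)
$replays = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4649; StartTime = $since
} -ErrorAction SilentlyContinue)

# Which 4649 events sit within the window of a crash, and which do not
$matched = New-Object System.Collections.Generic.HashSet[string]

foreach ($crash in $crashes) {
    $near = @($replays | Where-Object {
        [math]::Abs(($_.TimeCreated - $crash.TimeCreated).TotalSeconds) -le $WindowSeconds
    })
    foreach ($e in $near) { [void]$matched.Add($e.RecordId.ToString()) }

    # Replayed account name: assumed to be the TargetUserName data field of 4649
    $users = $near | ForEach-Object {
        $xml = [xml]$_.ToXml()
        ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
    } | Sort-Object -Unique

    [pscustomobject]@{
        CrashTime      = $crash.TimeCreated
        Replay4649Hits = $near.Count
        ReplayedUsers  = ($users -join ',')
    }
}

# 4649 audits that did NOT coincide with a crash deserve a separate look:
# they would point at a genuine duplicate request (network or proxy path) instead.
$orphans = $replays | Where-Object { -not $matched.Contains($_.RecordId.ToString()) }
"4649 events total: $($replays.Count); not near any w3wp crash: $(@($orphans).Count)"
```

If every 4649 audit lands inside a crash window and none appear on their own, that supports treating the replay detection as fallout from the worker process dying mid-request; standalone 4649 events would instead warrant checking for duplicated requests on the network path.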