IIS Server Security - Domain Account for AppPool can't verify domain NTLM credentials







SamW

2004-07-30, 7:52 am


I have created an application pool for some applications that we write. This application pool is configured to run as a domain account. The account has been added to the IIS_WPG group, and the application pool works when Anonymous authentication is in use.

If I clear Anonymous authentication and choose only Integrated Windows Authentication on the application that runs in this AppPool, then the typical NTLM pass-through authentication from my workstation fails (I am prompted for logon credentials). The failure is a 401.1 error; with failure auditing enabled it is also accompanied by an Event Log entry as follows:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 30/07/2004
Time: 14:03:10
User: NT AUTHORITY\SYSTEM
Computer: SICILY
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.10.134.7
Source Port: 4020

My workstation is on the domain and my account has the correct privileges to see the resource I am trying to access.

If I instead specify credentials for a local (non-domain) account on the server, I can access the resource without a problem.

If I reconfigure the application pool back to its default state of using the Network Service identity, then without any other configuration changes I can access the resource immediately without any prompting for credentials (the audit logs show a success audit for my account).

It is worth mentioning that the domain identity that I am trying to configure my AppPool to run as is on the same domain as my own account (all computers are also in the same domain in this case).

For some reason the domain account cannot verify NTLM information against the domain when it is running an AppPool, but it can verify NTLM information against the local machine.

SamW

2004-07-30, 5:51 pm

Thanks to the useful information in http://support.microsoft.com/?id=215383

I have got rid of this problem by using the command:
cscript adsutil.vbs set w3svc/NTAuthenticationProviders NTLM

It seems likely that the steps involving setspn in this article might also solve the problem without the above step, but I have yet to verify this:
http://www.microsoft.com/resources/...rkridentity.asp
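Added example to go with the two posts above; it is not code from the thread. It assumes IIS 6 on Windows Server 2003 with PowerShell and setspn.exe available, and the pool identity (CONTOSO\svc-webapp), host names (sicily, sicily.contoso.local) and site ID (1) are placeholders that do not appear in the thread. The 529 event above was logged by the Kerberos package: a client using Negotiate asks for a ticket for HTTP/sicily, and when no account holds that SPN it resolves to the machine account, which is why Network Service (which runs under the machine account) works and a worker process running as a different domain account cannot decrypt the ticket and returns 401.1. Option A below registers the HTTP SPNs on the pool identity so Kerberos keeps working; option B is the fix SamW applied, scoped to one site rather than the whole W3SVC.

```powershell
# Added example, not from the thread. All names below are placeholders.
$PoolIdentity = 'CONTOSO\svc-webapp'                 # assumed app pool identity
$HostNames    = 'sicily', 'sicily.contoso.local'     # NetBIOS name and FQDN clients may browse to

# Return the sAMAccountNames that already hold HTTP/<host> for any of the
# given hosts. The same SPN on two accounts also breaks Kerberos, so check
# before adding. Searches the domain the calling machine is joined to.
function Get-HttpSpnHolders {
    param([string[]]$Hosts)
    $clauses  = $Hosts | ForEach-Object { "(servicePrincipalName=HTTP/$_)" }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(|$($clauses -join ''))"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    @($searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })
}

# Option A: put HTTP/<host> on the account the worker process runs as.
# setspn -A adds an SPN (needs rights to write servicePrincipalName on the
# account object); setspn -L lists what the account holds afterwards.
function Register-HttpSpns {
    param([string]$Account, [string[]]$Hosts)
    foreach ($h in $Hosts) {
        setspn -A "HTTP/$h" $Account
    }
    setspn -L $Account
}

# Option B (what the thread did, from KB 215383): remove Negotiate so the
# site only offers NTLM. adsutil.vbs ships with IIS 6 in
# %SystemDrive%\Inetpub\AdminScripts. The default is "Negotiate,NTLM";
# w3svc/<siteId>/root scopes the change to one site instead of every site.
# Trade-off: no Kerberos means no delegation and the weaker protocol for
# every client of that site.
function Set-SiteNtlmOnly {
    param([int]$SiteId)
    $adsutil = Join-Path $env:SystemDrive 'Inetpub\AdminScripts\adsutil.vbs'
    cscript //nologo $adsutil get "w3svc/$SiteId/root/NTAuthenticationProviders"
    cscript //nologo $adsutil set "w3svc/$SiteId/root/NTAuthenticationProviders" "NTLM"
}

$holders = Get-HttpSpnHolders -Hosts $HostNames
if ($holders.Count -eq 0) {
    Register-HttpSpns -Account $PoolIdentity -Hosts $HostNames
} else {
    Write-Warning "HTTP SPNs for these hosts are already held by: $($holders -join ', '). Remove the stale entries before registering."
}

# Fallback only if Kerberos cannot be made to work for this site:
# Set-SiteNtlmOnly -SiteId 1
```

After registering SPNs, recycle the application pool and test from a workstation with both the NetBIOS name and the FQDN, since each needs its own SPN; a client that falls back to NTLM will still succeed, so a success audit alone does not prove Kerberos is in use.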










Copyright 2003 - 2008 webservertalk.com