SetSPN.Exe (IIS Server Security, May 2005)

Ethem Azun 2005-05-23, 2:48 am
Hi,
I have IIS 6 on 2003 which is registered on the domain.
To run an ASP.NET Application with a domain account, I set the SPNs as
follows:
setspn -A HTTP/servername domain\newaccountname
setspn -A HTTP/servername.domain.com domain\newaccountname
setspn -A HTTPS/servername domain\newaccountname
setspn -A HTTPS/servername.domain.com domain\newaccountname
After this, the application runs fine with kerberos. But the other apps
which run under the Network Services account start showing up challenge
windows and don't authenticate. To my understanding, they all suddenly
started requesting Kerberos auth instead of NTLM and since Network Services
does not have an SPN (is it really so?), it does not work.
The question is; is there a way to make two web applications to run under
the same site, one under a domain account and the other under the Network
Services account? (Both apps are reached inside the domain only.)
Thanks for any ideas, comments, corrections.
Ethem
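An added example, not part of the thread and not Ethem's or Ken's code, that audits the situation in the post above. It assumes the RSAT ActiveDirectory PowerShell module and read access to the domain; 'servername' and 'domain.com' are placeholders taken from the post. It reports which account holds each HTTP/ and HOST/ SPN for the server's names and warns when HTTP/<name> sits on a user account while HOST/<name> sits on the computer account. That is the condition that breaks the Network Service pools: with no explicit HTTP/ SPN the KDC maps HTTP to HOST/<name> on the computer account, whose key Network Service holds; once HTTP/<name> is placed on a user account, every ticket for that name is encrypted to that account's key and pools still running as Network Service cannot decrypt it. Two caveats a practitioner will want: setspn -A does not check for duplicates (setspn -S on Server 2008 and later does), and browsers request HTTP/<host> for https:// URLs as well, so the HTTPS/ registrations in the post are never consulted.

```powershell
# Added example (not from the thread). Audits HTTP/ and HOST/ SPN ownership for a
# web server and flags the failure mode described in the post: HTTP/<name> on a
# domain user account while the same host is still served by Network Service pools.
# Assumptions: RSAT ActiveDirectory module present; read access to the domain;
# 'servername' and 'domain.com' are placeholders from the post.

param(
    [string]$Server = 'servername',
    [string]$Domain = 'domain.com'
)

Import-Module ActiveDirectory

function Get-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)
    # Escape LDAP filter metacharacters so an odd host name cannot alter the query.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    Get-ADObject -LDAPFilter "(servicePrincipalName=$escaped)" `
                 -Properties servicePrincipalName, objectClass |
        Select-Object Name, ObjectClass, DistinguishedName
}

$names    = @($Server, "$Server.$Domain")
$findings = @()

foreach ($name in $names) {
    $httpOwners = @(Get-SpnOwner "HTTP/$name")
    $hostOwners = @(Get-SpnOwner "HOST/$name")

    foreach ($o in $httpOwners) { '{0,-45} -> {1} ({2})' -f "HTTP/$name", $o.Name, $o.ObjectClass }
    foreach ($o in $hostOwners) { '{0,-45} -> {1} ({2})' -f "HOST/$name", $o.Name, $o.ObjectClass }
    if ($httpOwners.Count -eq 0) { '{0,-45} -> (not registered; KDC falls back to HOST/)' -f "HTTP/$name" }

    # setspn -A never checks for duplicates. Two accounts holding one SPN makes the
    # KDC's choice of key unpredictable and breaks Kerberos for that service.
    if ($httpOwners.Count -gt 1) {
        $findings += "DUPLICATE: HTTP/$name is registered on $($httpOwners.Name -join ', ')"
    }

    # The thread's condition: HTTP/<name> on a user account while HOST/<name>
    # (what Network Service presents) is on the computer account. Tickets for
    # HTTP/<name> are now encrypted to the user account's key, so any pool on this
    # host that still runs as Network Service cannot decrypt them.
    $userHolders = @($httpOwners | Where-Object { $_.ObjectClass -ne 'computer' })
    if ($userHolders.Count -gt 0 -and $hostOwners.Count -gt 0) {
        $findings += "CONFLICT: HTTP/$name is on user account(s) $($userHolders.Name -join ', '); app pools on this host that still run as Network Service will fail Kerberos auth for that name."
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { 'No SPN conflicts found for {0}.' -f ($names -join ', ') }
```

Run it before and after any setspn -A: the second run should show the CONFLICT line for exactly the host names the Network Service applications stopped authenticating on.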

Ken Schaefer 2005-05-24, 2:52 am
: The question is; is there a way to make two web applications to run under
: the same site, one under a domain account and the other under the Network
: Services account? (Both apps are reached inside the domain only.)
I don't think this is possible. The SPN is registered by host name (e.g.
"servername" or "server.domain.com"), and you need to tie a single identity
to that host name. You can't use two different identities to a single
hostname.
Cheers
Ken
--
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com

Ken Schaefer 2005-05-24, 2:52 am
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:ujRTPQCYFHA.252@TK2MSFTNGP12.phx.gbl...
:: The question is; is there a way to make two web applications to run under
:: the same site, one under a domain account and the other under the Network
:: Services account? (Both apps are reached inside the domain only.)
:
: I don't think this is possible. The SPN is registered by host name (e.g.
: "servername" or "server.domain.com"), and you need to tie a single
identity
: to that host name. You can't use two different identities to a single
: hostname.
Should clarify that. I don't think you can use two identities with a single
hostname /and/ the same service (HTTP). Obviously you can use different
identities for different services...
Cheers
Ken

Ethem Azun 2005-05-24, 2:52 am
Hi Ken,
Thanks for the reply.
I might be mixed up about two things, please correct me if I'm wrong.
1) Is it a "must" to register an SPN for the server, if we want to run the
application under a domain identity? (keeping every setting default, such as
using kerberos etc.)
2) If that is so, and if what you suggested before (running different apps
with different accounts on the same site is not possible, if one of the
accounts is a domain account) is also true, then isn't this a very big
constraint? Then the concept of application pools is not very helpful at all.
I believe it's a very normal request to be able to decide on this on the
application level (at least the pool level), and not on the server level. It
comes to the point that the only way to do such a thing is to force IIS to
use NTLM or running in IIS5 Compatibility mode. But this is not a good
practice.
I think something is not fitting in this picture, or I'm overseeing something.
Thanks,
Ethem

Ken Schaefer 2005-05-24, 8:35 am
"Ethem Azun" <EthemAzun@discussions.microsoft.com> wrote in message
news:AE55C4FB-FCAB-4CB0-8470-1A3D6188F11E@microsoft.com...
:
: Hi Ken,
:
: Thanks for the reply.
:
: I might be mixed up about two things, please correct me if I'm wrong.
:
: 1) Is it a "must" to register an SPN for the server, if we want to run the
: application under a domain identity? (keeping every setting default, such
: as using kerberos etc.)
If you want to use delegation, you need to register an SPN. When IIS is
installed an SPN is registered for the default identity (Network Service).
: 2) If that is so, and if what you suggested before (running different apps
: with different accounts on the same site is not possible, if one of the
: accounts is a domain account) is also true, then isn't this a very big
: constraint? Then the concept of application pools is not very helpful at
: all.
Web App Pools are very useful for isolating web applications from each other
(for security purposes, for stability purposes, and for scalability
purposes).
If you want to use different identities for each web app, then give them
different FQDNs. You can then register an SPN for each FQDN (with a different
identity for each FQDN).
: I believe it's a very normal request to be able to decide on this on the
: application level (at least the pool level), and not on the server level.
You can allocate different apps to different app pools, and run each app
pool under a different identity. You can do all of this without registering
an SPN. You only need to register an SPN if you want to configure
delegation.
: It
: comes to the point that the only way to do such a thing is to force IIS to
: use NTLM or running in IIS5 Compatibility mode. But this is not a good
: practice.
NTLM is not delegatable. IIS Compatibility mode doesn't solve the delegation
issue. You will have the same problem.
: I think something is not fitting in this picture, or I'm overseeing
: something.
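An added example, not part of the thread: the per-FQDN layout Ken describes above, done end to end in PowerShell. It assumes IIS 7 or later with the WebAdministration module (the IIS 6 in the thread has no PowerShell provider; the pool identity and authentication settings are the same ones set through the IIS 6 MMC), a server already joined to the domain, and rights to write servicePrincipalName on the pool account and on the computer account. The host names app1.domain.com and app2.domain.com, the pool names, the svc_app1 account and the paths are placeholders. Note that this is two sites distinguished by host header, not two applications under one site, because the SPN is keyed by host name. One IIS 7+ caveat: Windows authentication runs in kernel mode by default and decrypts tickets with the machine key, so a pool with its own identity also needs useAppPoolCredentials set, otherwise the SPN on the pool account does nothing.

```powershell
# Added example (not from the thread). One host name per identity, one app pool
# per host name, one HTTP/ SPN per host name on the account that pool runs as.
# IIS cmdlets are IIS 7+ WebAdministration equivalents of the IIS 6 settings in
# the thread. Host names, pool names, accounts and paths are placeholders.
# Run elevated on the web server with an account allowed to write SPNs in AD.

param(
    [pscredential]$App1Cred = (Get-Credential -UserName 'domain\svc_app1' -Message 'Identity for App1Pool')
)

Import-Module WebAdministration

# The account Network Service presents on the network is the computer account.
$computerAccount = $env:COMPUTERNAME + '$'

function Register-HttpSpn {
    param([Parameter(Mandatory)][string]$Hostname, [Parameter(Mandatory)][string]$Account)
    # setspn -S (Server 2008+) refuses to create a duplicate; -A, used in the
    # thread, registers the same SPN on a second account without complaint.
    & setspn.exe -S "HTTP/$Hostname" $Account | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "setspn -S HTTP/$Hostname $Account failed (exit $LASTEXITCODE); find the current holder with: setspn -Q HTTP/$Hostname"
    }
}

function Set-IsolatedWebApp {
    param(
        [Parameter(Mandatory)][string]$Hostname,
        [Parameter(Mandatory)][string]$Pool,
        [Parameter(Mandatory)][string]$Path,
        [pscredential]$Credential          # omit to run the pool as Network Service
    )

    if (-not (Test-Path "IIS:\AppPools\$Pool")) { New-WebAppPool -Name $Pool | Out-Null }

    if ($Credential) {
        Set-ItemProperty "IIS:\AppPools\$Pool" -Name processModel -Value @{
            identityType = 3                                    # SpecificUser
            userName     = $Credential.UserName
            password     = $Credential.GetNetworkCredential().Password
        }
        $spnAccount = $Credential.UserName
    } else {
        Set-ItemProperty "IIS:\AppPools\$Pool" -Name processModel -Value @{ identityType = 2 }   # NetworkService
        $spnAccount = $computerAccount
    }

    # A site per host name: the SPN is keyed by host name, so the name is what isolates identities.
    if (-not (Test-Path "IIS:\Sites\$Hostname")) {
        New-Website -Name $Hostname -HostHeader $Hostname -Port 80 -PhysicalPath $Path -ApplicationPool $Pool | Out-Null
    }

    # Integrated Windows authentication only, as in the thread's setup.
    $auth = '/system.webServer/security/authentication'
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Hostname -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Hostname -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true
    if ($Credential) {
        # Kernel-mode auth decrypts tickets with the MACHINE key by default; make IIS
        # use the pool identity's key, which is the account the SPN lives on.
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Hostname -Filter "$auth/windowsAuthentication" -Name useAppPoolCredentials -Value $true
    }

    # One host name, one identity, one SPN.
    Register-HttpSpn -Hostname $Hostname -Account $spnAccount
}

# Two applications, two host names, two identities, on the same server.
Set-IsolatedWebApp -Hostname 'app1.domain.com' -Pool 'App1Pool' -Path 'C:\inetpub\app1' -Credential $App1Cred
Set-IsolatedWebApp -Hostname 'app2.domain.com' -Pool 'App2Pool' -Path 'C:\inetpub\app2'   # Network Service

# Verify: each identity should list the HTTP/ SPN for its own host name and nothing for the other.
& setspn.exe -L $App1Cred.UserName
& setspn.exe -L $computerAccount
```

After it runs, setspn -X (Server 2008 and later) scans the forest for duplicate SPNs, and on a client klist purge followed by a visit to each site should leave klist showing one ticket for HTTP/app1.domain.com and one for HTTP/app2.domain.com, with no credential prompt for either.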

Ethem Azun 2005-05-24, 8:37 am
Hi Ken,
I'm now totally mixed up 
My experience is as follows:
1) An IIS 6 with Win2003 on a domain. Users use domain accounts to access
it.
2) Installed an ASP.NET Application that does NOT use impersonation. (hence
no delegation?)
3) The application uses Windows Integrated Security. (all other options are
cleared out.)
4) I first put it under the default pool, run it and access it, everything
works fine.
5) I change the application to work on an app pool that is running under a
domain account.
6) The domain account is a user of the IIS_WPG group.
7) I try to reach the index page (which is more or less a static page) and a
challenge window pops up. (such as http://servername/appname/index.aspx or
http://fqdnofserver/appname/index.aspx)
8) I try to login with domain accounts, local accounts etc, no luck. I check
the event log and see that the username field goes empty and auth type is
kerberos.
9) I register the SPNs with server name and domain account name, the
challenge window suddenly disappears, everything works fine.
To my understanding, there's no delegation here. According to what I
understand from what you said, the above should have worked without 9.
Have I missed something?
Thanks,
Ethem

Ken Schaefer 2005-05-24, 8:37 am
In the normal course of events - you shouldn't be seeing what you are seeing.
Off the top of my head, I would have to ask: Is the index.aspx page that is
being requested located locally on the IIS server? Or is it located on some
remote server?
Cheers
Ken
--
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com

Ethem Azun 2005-05-24, 6:03 pm
It's located locally.