IIS 6.0 Kerberos authentication
Eduard Timchenko 2005-07-05, 5:56 pm
Hi,
I have an AAA site (not the default web site) in IIS 6 on Windows 2003 Server.
The AAA site uses Windows Integrated authentication.
I have a problem accessing the AAA site using the DNS or FQDN name from other
Windows 2003 Servers in the same domain - I am prompted to enter a user
and password and get an error of wrong user or password (the security log receives
authentication failure messages).
I do succeed in accessing the AAA site by using a URL with the IP address.
Using the AuthDiag tool I see that I have a problem with Kerberos Authentication
(SPN not set), but NTLM authentication succeeds (this is why the URL with the IP
works).
More than that - if I configure IIS to work in IIS 5 compatibility mode - I
do not have any problem accessing the AAA site using the DNS name or FQDN.
The Kerberos, NTLM settings and Security settings on all Windows 2003
servers seem to be correct. The IE settings of trusted sites & local sites
do not resolve the problem.
Could you help me to understand why the authentication fails and what to do
in order to use Worker Process Isolation mode?
Thanks
--
Eduard Timchenko
Business Technology Solutions Group
Verint Systems
Wei-Dong XU [MSFT] 2005-07-06, 2:49 am
Hi Eduard,
By default, IIS6 uses the worker process to serve the internet request,
which is one process providing the service (we could find this from site
properties->Home directory->Application Pool). We will need to specify one
account as this process's identity. This technet IIS article introduces the
configuration of this identity for you:
http://www.microsoft.com/technet/pr...3/Library/IIS/f
05a7c2b-36b0-4b6e-ac7c-662700081f25.mspx
In your scenario, Kerberos will need to register the SPN name under this
identity account in Active Directory. This kb article introduces more
information for you with the resolution:
871179 You receive an "HTTP Error 401.1 - Unauthorized: Access is denied
due to
http://support.microsoft.com/?id=871179
Please feel free to let me know if you have any question. It is my pleasure
to be of any assistance.
Best Regards,
Wei-Dong XU
Microsoft Product Support Services
This posting is provided "AS IS" with no warranties, and confers no rights.
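
Added example, not part of the original thread: a PowerShell check that looks up which Active Directory account holds the HTTP SPN for each name clients use to reach the site and compares it with the application pool identity. The host names and the account name are placeholders (assumptions), and the script must run on a domain-joined machine.

```powershell
# Added example. Placeholder values below are assumptions, not taken from the thread.
param(
    # Every name a client may type in the URL (short name and FQDN).
    [string[]]$HostNames = @('aaa', 'aaa.example.com'),
    # sAMAccountName of the domain account the application pool runs as.
    [string]$PoolAccount = 'svc-aaa-pool'
)

function Get-SpnOwner {
    param([string]$Spn)
    # Ask the directory for every account that has this exact SPN registered.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    $searcher.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] }
}

foreach ($name in $HostNames) {
    $spn    = "HTTP/$name"
    $owners = @(Get-SpnOwner -Spn $spn)

    # MISSING:       no explicit HTTP SPN. With a domain account as the pool
    #                identity, the ticket cannot be decrypted by the worker process.
    #                (If the pool runs as a built-in account, the computer
    #                account's HOST SPN covers HTTP and MISSING is expected.)
    # DUPLICATE:     the same SPN on several accounts also breaks Kerberos.
    # WRONG ACCOUNT: registered, but not under the pool identity.
    if     ($owners.Count -eq 0)             { $status = 'MISSING' }
    elseif ($owners.Count -gt 1)             { $status = 'DUPLICATE' }
    elseif ($owners[0] -ieq $PoolAccount)    { $status = 'OK' }
    else                                     { $status = 'WRONG ACCOUNT' }

    [pscustomobject]@{
        SPN    = $spn
        Owners = ($owners -join ', ')
        Status = $status
    }
}

# Registration for a MISSING entry is done by a domain administrator, e.g.:
#   setspn -A HTTP/<name> <DOMAIN>\<pool account>
```

A URL that uses the IP address does not match any of these SPNs, so the client falls back to NTLM, which is consistent with the IP-based URL working in the original post.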