Home > Archive > IIS Server Security > September 2005 > Prompt for authentication 401.1 error, custom app pool w/ anon access on virt dir.
Prompt for authentication 401.1 error, custom app pool w/ anon access on virt dir.
| knowthediff@gmail.com 2005-08-31, 6:00 pm |
| Hello,
I am trying to tighten up security on my web server. I have created a
new application pool with a domain user listed for the account. This
account has also been given the following rights:
a) put it into the IIS_WPG group on the server
b) grant it:
(i) Adjust memory quotas for a process
(ii) Replace a process level token
The virtual directory I am using is running under the default
anonymous user account (IUSR_MACHINE). When I attempt to access my
virtual directory I am prompted for credentials. I believe this is a
double hop issue but do not know how to get around the problem. No
matter what security I try in the prompt dialog I cannot get access.
If I log onto the server console and attempt to access the same page
from the console it works without prompting me.
If I change the anonymous account on the virtual directory to the same
domain account that I have set up for the app pool everything works as
it should, however I would like to use the default anonymous account
instead of the domain user for anon. access.
I have tried to use the Auth diagnostics tool and found this message:
Service principal name (SPN) for user 'domain\account' not found in
Active Directory. How can I fix this? Any help would be great. Just
as a note I do not have domain admin account privileges.
Thanks
-J
| |
| Ken Schaefer 2005-09-04, 5:51 pm |
| Hi,
When posting to multiple groups, please put all the groups into the To:
field. This means that everyone from all groups can see all responses.
Answered in inetserver.iis group
Cheers
Ken
--
IIS Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com
<knowthediff@gmail.com> wrote in message
news:1125520458.432255.224190@g14g2000cwa.googlegroups.com...
: Hello,
: I am trying to tighten up security on my web server. I have created a
: new application pool with a domain user listed for the account. This
: account has also been given the following rights:
: a) put it into the IIS_WPG group on the server
: b) grant it:
: (i) Adjust memory quotas for a process
: (ii) Replace a process level token
:
: The virtual directory I am using is running under the default
: anonymous user account (IUSR_MACHINE). When I attempt to access my
: virtual directory I am prompted for credentials. I believe this is a
: double hop issue but do not know how to get around the problem. No
: matter what security I try in the prompt dialog I cannot get access.
:
: If I log onto the server console and attempt to access the same page
: from the console it works without prompting me.
:
: If I change the anonymous account on the virtual directory to the same
: domain account that I have set up for the app pool everything works as
: it should, however I would like to use the default anonymous account
: instead of the domain user for anon. access.
:
: I have tried to use the Auth diagnostics tool and found this message:
: Service principal name (SPN) for user 'domain\account' not found in
: Active Directory. How can I fix this? Any help would be great. Just
: as a note I do not have domain admin account privileges.
:
: Thanks
: -J
: