|
Home > Archive > IIS Server Security > October 2006 > Multiple websites in one IIS with Integrated Windows Authentication
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Multiple websites in one IIS with Integrated Windows Authentication
|
|
| ramram49 2006-10-07, 10:41 pm |
| Hi,
I have setting up two intranet web sites (say Site_A and Site_B) on the same IIS 6 server. Both serve internal staff only.
For Site_A, I leave everything as default.
For Site_B, I modified "Multiple identities for this Web site" as follows:
IP Address: 130.20.1.20
TCP port: 80
Host Header Value: hkg-intranet
Now, my problem:
- if I "Enable anonymous access", then we can access both web.
- if I disable anonymous access and enable "Integrated Winodws authentication", then both web sites prompt for username. No matter which username I used (including domain admin), I cannot access the sites.
I can access the site only if I enter the machine local admin username and password.
In the web server security event log, we have:
Event ID: 529
Reason: Unknown user name or bad password
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
May I ask, is it not possible to have two web sites on the same server with "Integrated Windows authentication" enabled?
Thanks in advance. | |
| Ken Schaefer 2006-10-09, 1:42 am |
| You can have as many sites as you want using IWA and domain based
credentials.
Something else is wrong in your setup. Are you logging on using
Domain\Username?
Cheers
Ken
"ramram49" <ramram49.2fci8b@mail.webservertalk.com> wrote in message
news:ramram49.2fci8b@mail.webservertalk.com...
>
> Hi,
>
> I have setting up two intranet web sites (say Site_A and Site_B) on the
> same IIS 6 server. Both serve internal staff only.
>
> For Site_A, I leave everything as default.
>
> For Site_B, I modified "Multiple identities for this Web site" as
> follows:
>
> IP Address: 130.20.1.20
> TCP port: 80
> Host Header Value: hkg-intranet
>
> Now, my problem:
> - if I "Enable anonymous access", then we can access both web.
> - if I disable anonymous access and enable "Integrated Winodws
> authentication", then both web sites prompt for username. No matter
> which username I used (including domain admin), I cannot access the
> sites.
>
> I can access the site only if I enter the machine local admin username
> and password.
>
> In the web server security event log, we have:
>
> Event ID: 529
> Reason: Unknown user name or bad password
> Logon Type: 3
> Logon Process: Kerberos
> Authentication Package: Kerberos
>
> May I ask, is it not possible to have two web sites on the same server
> with "Integrated Windows authentication" enabled?
>
> Thanks in advance.
>
>
>
> --
> ramram49
> ------------------------------------------------------------------------
> Posted via http://www.webservertalk.com
> ------------------------------------------------------------------------
> View this thread: http://www.webservertalk.com/message1693270.html
>
| |
| ramram49 2006-10-09, 6:25 am |
| Hi Ken,
Yes..I am logging on using domain\username format.
On the DC, there is such system error logged:
Source: Kerberos
Event ID: 4
Description: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/hcl-intranet.mydomain.com. The target name used was HTTP/hkg-intranet.mydomain.com. This indicates that the password used to encrypt the kerberos service ticket is different that that on the target server. Commonly, this is due to identically named machine accounts in the target realm (MYDOMAIN.COM), and the client realm. Please contact your system administrator.com
Kindly give me some more hints..^^
quote:
Originally posted by Ken Schaefer
[B]You can have as many sites as you want using IWA and domain based
credentials.
Something else is wrong in your setup. Are you logging on using
Domain\Username?
Cheers
Ken
| |
| Ken Schaefer 2006-10-11, 1:41 am |
| Hi,
You have two options:
a) Configure IIS to send NTLM only for that website - at the moment IIS is
sending both Negotiate (Kerberos) and NTLM as available authentication
mechanisms to the client, and the client is choosing Kerberos
b) If you wisht to use Kerberos rather than NTLM, then you will need to
register an SPN (Service Principal Name) for the FQDN of the website you are
accessing. If the website is running in a web app pool that is running under
LocalSystem/Network Service, then register the SPN under the IIS server's
machine account. If the web app pool is running under a custom account, then
register the SPN under the user account that is being used as the process
identity for the web app pool.
Cheers
Ken
"ramram49" <ramram49.2fetke@mail.webservertalk.com> wrote in message
news:ramram49.2fetke@mail.webservertalk.com...
>
> Hi Ken,
>
> Yes..I am logging on using domain\username format.
>
> On the DC, there is such system error logged:
>
> Source: Kerberos
> Event ID: 4
>
> Description: The kerberos client received a KRB_AP_ERR_MODIFIED error
> from the server host/hcl-intranet.mydomain.com. The target name used
> was HTTP/hkg-intranet.mydomain.com. This indicates that the password
> used to encrypt the kerberos service ticket is different that that on
> the target server. Commonly, this is due to identically named machine
> accounts in the target realm (MYDOMAIN.COM), and the client realm.
> Please contact your system administrator.com
>
> Kindly give me some more hints..^^
>
> Ken Schaefer wrote:
>
>
>
> --
> ramram49
> ------------------------------------------------------------------------
> Posted via http://www.webservertalk.com
> ------------------------------------------------------------------------
> View this thread: http://www.webservertalk.com/message1693270.html
>
| |
| ramram49 2006-10-11, 3:25 am |
| Hi Ken,
Thanks. I have register an SPN for the "extra" web site and it works.
Ram
quote:
Originally posted by Ken Schaefer
[B]Hi,
You have two options:
a) Configure IIS to send NTLM only for that website - at the moment IIS is
sending both Negotiate (Kerberos) and NTLM as available authentication
mechanisms to the client, and the client is choosing Kerberos
b) If you wisht to use Kerberos rather than NTLM, then you will need to
register an SPN (Service Principal Name) for the FQDN of the website you are
accessing. If the website is running in a web app pool that is running under
LocalSystem/Network Service, then register the SPN under the IIS server's
machine account. If the web app pool is running under a custom account, then
register the SPN under the user account that is being used as the process
identity for the web app pool.
Cheers
Ken
|
|
|
|
|