05-18-05 12:52 PM
Hi,
I have an IIS 6 on Win2003 registered on a domain.
I'm running the following applications on this machine,
- an ASP.NET Web App
- Reporting Services Interface
- Reporting Services Server
All of the applications above use Windows Integrated Security. The ASP.NET
application works in its own Application Pool with a domain user account. The
SPNs are configured to use this account correctly and Kerberos auth works
without any problems. I also see this through the Event Log messages that
users can log in using Kerberos.
On the other hand, Reporting Services works on the default application pool,
with the Network Service account. When I try to access it, I keep seeing the
challenge window.
The following behaviors are observed;
1) When connected to Reporting Services on the local server through
localhost (http://localhost/Reports), I don't see the popup. (I'm logged in
with a domain account which has local admin rights on the server.)
2) When connected to RS on the local server or from outside using the
NetBIOS name (http://servername/Reports), I see the popup; I try to log in
with the same credentials, and it doesn't work.
On the security event log , I see the following failure for Reporting
Services;
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 172.16.96.215
Source Port: 3942
But for the Web Application, I see that the logon works correctly and the
above fields are filled. I tried running RS also with the domain account that
the web app uses, but it wasn't very happy with it. (Some extra permissions I
suppose.) Should this be the direction? Or is it because SPNs are set with
the domain account and not the Network Service account?
Another question, is it possible to set Kerberos and NTLM usage per
application on the same IIS Server?
I would be very glad of any help.
Thanks,
Ethem
RE: Kerberos & NTLM on IIS 6
05-19-05 10:52 PM
Ethem,
I do not have a whole lot of time, but I will try to help you with what I do
know.
The error message you are getting is the same one I get when the logging in
user is an AD account only (aka network service has no idea who you are, or
even the concept of the domain). This error message would not show up if you
were logged in locally, because you had already been authenticated, and you
have a kerberos ticket.
To answer the last question: yes, the metabase property is called
"NTAuthenticationProviders" and here is the Microsoft doc. You will notice
your answer is in the configurable locations section.
http://www.microsoft.com/technet/pr...e76d6309ac.mspx
And to try and answer the middle questions, it almost sounds like you have
not configured the SPNs for the service. To get headed in the right
direction, you must ask who will be consuming the reporting services? If it
is only going to be locally consumed then there shouldn't be a problem, but
if a remote host needs to consume it, the only way the remote host will be
able to find it is through what amounts to a 'service catalog' which is
populated by setting SPNs. (I also forget the exact specifics, but there is a
huge list of default SPNs that, if not specifically configured, get folded
into "HOST")
Hope this helps, and hopefully one of the Microsoft experts stops by and can
answer your questions more fully.
"Ethem Azun" wrote:
> Hi,
>
> I have an IIS 6 on Win2003 registered on a domain.
>
> I'm running the following applications on this machine,
>
> - an ASP.NET Web App
> - Reporting Services Interface
> - Reporting Services Server
>
> All of the applications above use Windows Integrated Security. The ASP.NET
> application works in its own Application Pool with a domain user account. The
> SPNs are configured to use this account correctly and Kerberos auth works
> without any problems. I also see this through the Event Log messages that
> users can log in using Kerberos.
>
> On the other hand, Reporting Services works on the default application pool,
> with the Network Service account. When I try to access it, I keep seeing the
> challenge window.
>
> The following behaviors are observed;
>
> 1) When connected to Reporting Services on the local server through
> localhost (http://localhost/Reports), I don't see the popup. (I'm logged in
> with a domain account which has local admin rights on the server.)
> 2) When connected to RS on the local server or from outside using the
> NetBIOS name (http://servername/Reports), I see the popup; I try to log in
> with the same credentials, and it doesn't work.
>
> On the security event log , I see the following failure for Reporting
> Services;
>
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name:
> Domain:
> Logon Type: 3
> Logon Process: Kerberos
> Authentication Package: Kerberos
> Workstation Name: -
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transited Services: -
> Source Network Address: 172.16.96.215
> Source Port: 3942
>
> But for the Web Application, I see that the logon works correctly and the
> above fields are filled. I tried running RS also with the domain account that
> the web app uses, but it wasn't very happy with it. (Some extra permissions I
> suppose.) Should this be the direction? Or is it because SPNs are set with
> the domain account and not the Network Service account?
>
> Another question, is it possible to set Kerberos and NTLM usage per
> application on the same IIS Server?
>
> I would be very glad of any help.
>
> Thanks,
>
> Ethem
RE: Kerberos & NTLM on IIS 6
05-20-05 07:48 AM
Hi pj,
Thanks for the reply. I continued my research on this topic and found the
following (please correct me if I'm wrong.)
1) NTLM / Kerberos selection cannot be done per application, can only be
done per web site. So, the answer to my last question seems to be "no".
2) As you also said, the problem occurs because I'm trying to run two apps
in a website under different accounts. The Network Service account which runs
the RS is not known by AD and does not seem to have an SPN. The other domain
account is known by AD and has a valid SPN, that's why the Web App works. My
"solution" was to make RS work under this account too, then everything seems
fine. But this is very ugly. I thought at least the default Network Service
account would be known by the AD as a special account. In the following site
( http://www.microsoft.com/technet/pr...08baa00157.mspx ) the last section gives more insight.
3) Since I registered the domain account and server to have an SPN for http
and https, whenever I create a virtual directory with Network Service as the
running account, I see the auth window, so I think it's really not possible
to use the different accounts on the same site.
4) I think I'm trying to implement a very basic scenario so I must be wrong
somewhere. It should not be this complicated. (I hope.)
Thanks,
Ethem
"pj_servadmin" wrote:
> Ethem,
>
> I do not have a whole lot of time, but I will try to help you with what I do
> know.
>
> The error message you are getting is the same one I get when the logging in
> user is an AD account only (aka network service has no idea who you are, or
> even the concept of the domain). This error message would not show up if you
> were logged in locally, because you had already been authenticated, and you
> have a kerberos ticket.
>
> To answer the last question: yes, the metabase property is called
> "NTAuthenticationProviders" and here is the Microsoft doc. You will notice
> your answer is in the configurable locations section.
>
> http://www.microsoft.com/technet/pr...e76d6309ac.mspx
>
> And to try and answer the middle questions, it almost sounds like you have
> not configured the SPNs for the service. To get headed in the right
> direction, you must ask who will be consuming the reporting services? If it
> is only going to be locally consumed then there shouldn't be a problem, but
> if a remote host needs to consume it, the only way the remote host will be
> able to find it is through what amounts to a 'service catalog' which is
> populated by setting SPNs. (I also forget the exact specifics, but there is a
> huge list of default SPNs that, if not specifically configured, get folded
> into "HOST")
>
> Hope this helps, and hopefully one of the Microsoft experts stops by and can
> answer your questions more fully.
>
> "Ethem Azun" wrote:
>
RE: Kerberos & NTLM on IIS 6
05-20-05 11:03 PM
Well I'm pretty much all out of ideas, without knowing a lot more about your
system. Is reporting services the SQL server reporting services? There is
actually a section for that or maybe even the SQL server security newsgroup,
as I don't know what to tell you next, and none of the Microsoft experts
stopped by yet either.
When setting up sql server for sharepoint (which we ended up not doing), I
remember that SQL server does not get an SPN added by default (I think), so
that actually might be your problem.
Out of curiosity, what were the setspn.exe lines you ran to configure the
SPNs?
(sorry I can't help more)
"Ethem Azun" wrote:
>
> Hi pj,
>
> Thanks for the reply. I continued my research on this topic and found the
> following (please correct me if I'm wrong.)
>
> 1) NTLM / Kerberos selection cannot be done per application, can only be
> done per web site. So, the answer to my last question seems to be "no".
>
> 2) As you also said, the problem occurs because I'm trying to run two apps
> in a website under different accounts. The Network Service account which runs
> the RS is not known by AD and does not seem to have an SPN. The other domain
> account is known by AD and has a valid SPN, that's why the Web App works. My
> "solution" was to make RS work under this account too, then everything seems
> fine. But this is very ugly. I thought at least the default Network Service
> account would be known by the AD as a special account. In the following site
> ( http://www.microsoft.com/technet/pr...08baa00157.mspx ) the last section gives more insight.
>
> 3) Since I registered the domain account and server to have an SPN for http
> and https, whenever I create a virtual directory with Network Service as the
> running account, I see the auth window, so I think it's really not possible
> to use the different accounts on the same site.
>
> 4) I think I'm trying to implement a very basic scenario so I must be wrong
> somewhere. It should not be this complicated. (I hope.)
>
> Thanks,
>
> Ethem
>
> "pj_servadmin" wrote:
>
RE: Kerberos & NTLM on IIS 6
05-23-05 07:48 AM
Hi pj,
I'll try to re-formulate the question and re-post it. The SPNs are as
follows:
setspn -A HTTP/servername domain\newaccountname
setspn -A HTTP/servername.domain.com domain\newaccountname
setspn -A HTTPS/servername domain\newaccountname
setspn -A HTTPS/servername.domain.com domain\newaccountname
Do you see any problems with it?
Thanks,
Ethem
"pj_servadmin" wrote:
> Well I'm pretty much all out of ideas, without knowing a lot more about your
> system. Is reporting services the SQL server reporting services? There is
> actually a section for that or maybe even the SQL server security newsgroup,
> as I don't know what to tell you next, and none of the Microsoft experts
> stopped by yet either.
>
> When setting up sql server for sharepoint (which we ended up not doing), I
> remember that SQL server does not get an SPN added by default (I think), so
> that actually might be your problem.
>
> Out of curiosity, what were the setspn.exe lines you ran to configure the
> SPNs?
>
> (sorry I can't help more)
>
> "Ethem Azun" wrote:
>
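The failure mode this thread circles around (the HTTP/ SPN registered to the domain account while Reporting Services runs in the DefaultAppPool as Network Service, whose network identity is the computer account) can be modelled offline. The script below is an added example, not code from the thread, from either poster or from Microsoft, and it contacts no KDC: the SPN table mirrors the setspn lines above, the app-pool map, the account names (DOMAIN\newaccountname, DOMAIN\SERVERNAME$) and the HOST/ fallback entries are all constructed placeholders. It also reflects two facts a practitioner checking such a setup wants to see: a client requests HTTP/<host> even for an https:// URL, so the HTTPS/ registrations are never looked up, and an SPN registered on more than one account breaks Kerberos for every application behind it.

```python
# Added example (not from the thread). Offline model of Kerberos SPN resolution
# for an IIS 6 host running two applications under different accounts.
# All names, the SPN table and the app-pool map are constructed placeholders.
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed SPN registrations, in the shape `setspn -L <account>` prints them.
# The HOST/ entries on the computer account stand in for the implicit SPNs that
# cover HTTP when no explicit HTTP/ SPN exists for that host name.
SPN_TABLE = {
    "DOMAIN\\newaccountname": [
        "HTTP/servername",
        "HTTP/servername.domain.com",
        "HTTPS/servername",
        "HTTPS/servername.domain.com",
    ],
    "DOMAIN\\SERVERNAME$": [
        "HOST/servername",
        "HOST/servername.domain.com",
    ],
}

# Constructed mapping of IIS application path -> account the app pool runs as.
APP_POOLS = {
    "/WebApp": "DOMAIN\\newaccountname",   # dedicated pool, domain account
    "/Reports": "DOMAIN\\SERVERNAME$",     # DefaultAppPool, Network Service
}


def spn_for_url(url):
    """The SPN a Windows client asks the KDC for: HTTP/<host as typed in the URL>.
    The scheme does not matter; https:// URLs still request HTTP/, not HTTPS/."""
    return f"HTTP/{urlsplit(url).hostname}"


def spn_holders(spn, table):
    """Accounts that hold `spn`, compared case-insensitively as the KDC does."""
    wanted = spn.lower()
    return [acct for acct, spns in table.items()
            if any(s.lower() == wanted for s in spns)]


def resolve_spn(spn, table):
    """Return (holders, spn_actually_matched). An explicit HTTP/ SPN wins; if none
    is registered, HTTP is one of the service classes folded into HOST/, so the
    computer account's HOST/<name> entry satisfies the request."""
    holders = spn_holders(spn, table)
    if holders:
        return holders, spn
    host = spn.split("/", 1)[1]
    fallback = f"HOST/{host}"
    return spn_holders(fallback, table), fallback


def duplicate_spns(table):
    """SPNs registered on more than one account; the KDC cannot issue a ticket
    for those, so Kerberos fails for every application behind them."""
    owners = defaultdict(list)
    for acct, spns in table.items():
        for s in spns:
            owners[s.lower()].append(acct)
    return {s: accts for s, accts in owners.items() if len(accts) > 1}


def diagnose(url, table=SPN_TABLE, pools=APP_POOLS):
    """Explain the outcome of a Kerberos logon to `url` against this SPN table."""
    app = "/" + urlsplit(url).path.strip("/").split("/")[0]
    identity = pools.get(app)
    requested = spn_for_url(url)
    holders, matched = resolve_spn(requested, table)
    result = {"url": url, "requested_spn": requested, "matched_spn": matched,
              "pool_identity": identity, "ticket_key_owner": None}
    if not holders:
        # No account holds the SPN: the client gets no Kerberos ticket and falls
        # back to NTLM (this is the http://localhost case in the thread).
        result["status"] = "no_spn"
    elif len(holders) > 1:
        result["status"] = "duplicate_spn"
    else:
        # The service ticket is encrypted with the SPN holder's key. Only a
        # process running as that account can decrypt it and complete the logon.
        result["ticket_key_owner"] = holders[0]
        result["status"] = "ok" if holders[0] == identity else "identity_mismatch"
    return result


if __name__ == "__main__":
    for u in ("http://servername/WebApp", "http://servername/Reports",
              "http://localhost/Reports"):
        r = diagnose(u)
        print(f"{u:32} -> {r['status']:17} key owner={r['ticket_key_owner']} "
              f"pool={r['pool_identity']}")
```

Run as-is, the script reports the web application as `ok`, the Reports path as `identity_mismatch` (the ticket is keyed to the domain account, but the pool runs as the computer account), and the localhost URL as `no_spn`. Passing a table without the explicit HTTP/ entries shows the other consistent configuration: the request resolves through HOST/servername to the computer account, which is the identity Network Service presents, so the DefaultAppPool would then succeed and the dedicated-pool application would be the one that fails.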