IIS 6.0 Kerberos authentication
Web Server forum
Back To The Forum Home!Search!Private Messaging System
Visit your User Control Panel!Register your FREE username now!Visit Our Calendar!View the Member List!Faqs!Search our Forums!

Web Server Talk Web Server Talk > Web Servers reviews > IIS server support > IIS Server Security > IIS 6.0 Kerberos authentication




  Last Thread   Next Thread Next
  Show Printable Version Email this Page Subscribe to this Thread      Post New Thread    Post A Reply      

    IIS 6.0 Kerberos authentication  
Eduard Timchenko


View Ip Address Report This Message To A Moderator Edit/Delete Message


 
07-05-05 10:56 PM


Hi,
I have AAA site (not default web site) in IIS 6 on Windows 2003 Server.
The AAA site uses Windows Integrated authentication.

I have a problem of accessing the AAA site using DNS or FQDN name from other
Windows 2003 Servers in the same domain - i have been prompted to enter user
and password and get error of wrong user or password (security log recieve
authentication failure messages).

I do succeed to access AAA site by using URL with IP address

Using AuthDiag tool i see that i have a problem with Kerberos Authentication
(SPN not set), but NTLM authentication succeeds (this is why URL with IP
works)

More than that - if i configure IIS to work in IIS 5 compatibility mode - i
do not have any problem to access the AAA site using DNS name or FQDN.

The Kerberos, NTLM settings and Security settings on all Windows 2003
servers seems to be correct. The IE settings of trusted sites & local sites
does not resolve a problem.

Could you help me to understand why the authentication fails and what to do
in order to use Worker Process Isolation mode?

Thanks
--
Eduard Timchenko
Business Technology Solutions Group
Verint Systems




[ Post a follow-up to this message ]



    RE: IIS 6.0 Kerberos authentication  
Wei-Dong XU [MSFT]


View Ip Address Report This Message To A Moderator Edit/Delete Message


 
07-06-05 07:49 AM

Hi Eduard,

By default, IIS6 uses the worker process to serve the internet request,
which is one process providing the service (we could find this from site
properties->Home direcotry->Application Pool). We will need to specify one
account as this process's identity. This technet IIS article introduces the
configuration of this identity for you:
http://www.microsoft.com/technet/pr...3/Library/IIS/f
05a7c2b-36b0-4b6e-ac7c-662700081f25.mspx

At your scenario, Kerberos will need to register the SPN name under this
identity account in Active Directory. This kb article introduces more
information for you with the resolution:
871179 You receive an "HTTP Error 401.1 - Unauthorized: Access is denied
due to
http://support.microsoft.com/?id=871179

Please feel free to let me know if you have any question. It is my pleasure
to be of any assistance.

Best Regards,
Wei-Dong XU
Microsoft Product Support Services
This posting is provided "AS IS" with no warranties, and confers no rights.




[ Post a follow-up to this message ]



    Sponsored Links  




 



   All times are GMT. The time now is 02:20 AM.      Post New Thread    Post A Reply      
  Last Thread   Next Thread Next


Most Popular forums 
Apache Server MySQL for Windows Sendmail
Red Hat Networking SuSe Linux Debian Linux
FreeBSD administration Sun Solaris administration Unix Shell programming
WebSphere Portal Server Exchange 2000 administration PostgreSQL administration
Linux Security Computer Security Firewalls

Forum Jump:
Rate This Thread:

Forum Rules:
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts 		HTML code is OFF
vB code is ON
Smilies are ON
[IMG] code is OFF
 
Medical and Health forum | Computer Games Reviews | Graphics design forum

Back To The Top
Home | Usercp | Faq | Register