
Constrained Delegation

Status
Not open for further replies.

unclerico

IS-IT--Management
Jun 8, 2005
2,738
US
Windows 2003 Server/IIS 6
2003 domain

I've got a web application set up on a new web site in IIS that uses an application pool that runs as a domain user account. It also has a DNS alias and corresponding host header configured. My goal is to allow people in my domain to launch DTS packages that interact with remote file systems, so I need to use Kerberos and Constrained Delegation. I have gotten it to work halfway, which simply means it works (I can launch my DTS packages and interact with the remote systems), but I keep getting errors in the Event Log stating that I have duplicate servicePrincipalNames registered. Has anyone actually gotten constrained delegation to work with a DNS alias as opposed to the host name? I have referenced countless articles, like this one, but none of them really tells me how to deal with accessing the site by DNS alias; they simply say that if you have an application pool running under a domain user account, you need to configure an SPN that references the alias. This does not work. When I run AuthDiag and test the Kerberos configuration, I keep getting errors stating that servicePrincipalName for CONTOSO\user does not exist. What am I missing?
 