Here is the situation. We have two domains, DomainA and DomainB.
There is a server (IIS 6.0, virtual server, W2003) in DomainA that hosts a website that users of DomainA are able to access with Integrated Windows Authentication. When users in DomainB attempt to access the website, they get error 500 "No authority could be contacted for authentication." I set up an additional web site within IIS on this server, and the same results are returned. Now, this was working on a Saturday, and the following Monday is when it was reported to have stopped working. No changes have been made on the server. However, this problem is only on this particular server. I set up a webpage on another server in DomainA to use Integrated Windows Authentication. Any users in DomainA and DomainB are able to authenticate, so the trusts are there and working, along with DNS. DNS is set up the same on all servers we have. (I have checked it).
Web log of server that isn't working shows:
2006-02-13 18:26:46 10.128.8.137 GET /documentmanager/ - 80 - 172.29.93.210 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 500 0 2148074257
Packet capture shows a Kerberos error of KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
NTLM negotiation is also attempted with browsers that don't support Kerberos (Firefox).
To me, this doesn't make any sense why IIS integrated windows authentication between trusted domains would work on all servers except one. I have done plenty of searching and everything I find relates to no servers working. If anyone has had a similar problem please help. I've been working on this for a week now.
Thanks,
Jon
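
The last field of the log line quoted in the post (sc-win32-status) is an HRESULT written in decimal. The following is an added example, not part of the original post: it parses that line and decodes the status into its SSPI name. The field order is an assumption (the IIS 6.0 default W3C extended set), and the second sample line is constructed.

```python
from collections import Counter

# Assumed field order: the IIS 6.0 default W3C extended set. The post does not
# show the "#Fields:" header, so check it against the real log before reuse.
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
          "cs-username c-ip cs(User-Agent) sc-status sc-substatus "
          "sc-win32-status").split()

# SSPI status codes from winerror.h that show up when Negotiate/NTLM fails.
SSPI = {
    0x80090303: "SEC_E_TARGET_UNKNOWN",
    0x80090308: "SEC_E_INVALID_TOKEN",
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x80090311: "SEC_E_NO_AUTHENTICATING_AUTHORITY",
    0x80090322: "SEC_E_WRONG_PRINCIPAL",
}

def parse_line(line):
    """Split one W3C log line into a dict; return None for '#' headers."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count: %d" % len(parts))
    return dict(zip(FIELDS, parts))

def decode_win32(value):
    """Return (unsigned HRESULT, facility number, symbolic name or None)."""
    hr = int(value) & 0xFFFFFFFF      # accept signed or unsigned decimal
    facility = (hr >> 16) & 0x7FF     # 9 is FACILITY_SSPI
    return hr, facility, SSPI.get(hr)

def sspi_failures(lines):
    """Count (client IP, SSPI error name) pairs over an iterable of lines."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hr, facility, name = decode_win32(rec["sc-win32-status"])
        if hr & 0x80000000 and facility == 9:   # failure bit set, SSPI facility
            hits[(rec["c-ip"], name or "unknown SSPI code 0x%08X" % hr)] += 1
    return hits

# First line is the one quoted in the post; the second is constructed.
SAMPLE = [
    "2006-02-13 18:26:46 10.128.8.137 GET /documentmanager/ - 80 - 172.29.93.210 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) 500 0 2148074257",
    "2006-02-13 18:27:02 10.128.8.137 GET /documentmanager/ - 80 DOMAINA\\user1 10.128.8.50 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0",
]
```

For the quoted line this yields 0x80090311, SEC_E_NO_AUTHENTICATING_AUTHORITY, whose message text is the "No authority could be contacted for authentication" error the DomainB users see.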