Kerberos question

Status
Not open for further replies.

unclerico

Windows Server 2003 SP1
IIS 6
IE 6

My current config:
- In IIS I have created a new top-level website along with a new application pool that uses a domain user as its identity. I have added a DNS alias (payroll.contoso.com) and pointed it to my webserver. The website is using port 80 and has payroll.contoso.com added as a host header.
- The directory security is set to Integrated Windows Authentication
- In AD, I have created the account that will be used as the application pool identity
- I have delegated authority to both the web server and the service account running the application pool
- SPNs are registered for both the web server and the service account running the application pool (HTTP/payroll.contoso.com and HTTP/payroll)
- NTAuthenticationProviders is set to Negotiate
- All network/AD functionality is golden
- Have looked at KB326985 and TechNet
- If I look in the event log on the web server I see multiple events like this:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/27/2006
Time: 11:47:22 AM
User: NT AUTHORITY\SYSTEM
Computer: WEBSERVER1
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.1.100
Source Port: 4307


For more information, see Help and Support Center at
- I am getting 401.1 errors (You are not authorized to view this page) when I try to access a page on the site
- In IE, if I clear the box labeled "Enable Integrated Windows Authentication" everything works just fine, except it uses NTLM for the authentication (I could use NTLM, but I am trying to bypass the double-hop authentication so that I can interact with my SQL Server on another machine)
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 10/27/2006
Time: 12:03:14 PM
User: CONTOSO\john.doe
Computer: WEBSERVER1
Description:
Successful Network Logon:
User Name: john.doe
Domain: CONTOSO
Logon ID: (0x0,0x60AC1A0F)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: WORKSTATION1
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.1.100
Source Port: 4361


For more information, see Help and Support Center at
I have this EXACT same configuration set up in my test environment and it works beautifully, but it absolutely will not work in the live environment. I'm not 100% sure if this is on the IIS side or not, so I posted here. I am totally stumped, so 8 million stars to whoever can help me out on this.
 