Re: Application Pools, Domain User Accounts and Service Principal Names



Note that I've recently tried to do this with a CNAME record in DNS
that just aliases the A record associated with the machine account's
DNS/SPN, but Kerberos seems to be too clever and resolves the alias
back to the A record name before creating its SPN.

wow. interesting.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

My experience has been that to have an SPN that belongs to the domain
service account that does not conflict with the SPNs already assigned
to the machine account, you need a new DNS name and a new A record in
DNS for that name. Then, if you give the machine account the SPN
corresponding to the new DNS name, it should be ok.

Note that I've recently tried to do this with a CNAME record in DNS
that just aliases the A record associated with the machine account's
DNS/SPN, but Kerberos seems to be too clever and resolves the alias
back to the A record name before creating its SPN.

I feel your pain. :)

HTH,

Joe K.
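The approach Joe describes (a second DNS A record, and HTTP SPNs for that name registered only on the domain service account) can be checked and applied with setspn.exe. The script below is an added example written for this thread, not code from any of the posters; the host name webserver01, the new site name intranet.corp.example and the account CORP\svc-webapp are constructed placeholders. It assumes a domain-joined machine with setspn.exe on the path and rights to write servicePrincipalName on the accounts involved.

```powershell
# Added example for this thread (not from the original posts).
# Constructed names: replace with your own. Requires setspn.exe and rights
# to modify servicePrincipalName on both accounts.
$MachineAccount = 'webserver01$'           # IIS box; its HOST/ SPNs implicitly cover HTTP/ for NETWORK SERVICE pools
$ServiceAccount = 'CORP\svc-webapp'        # domain user the second application pool runs as
$NewSiteName    = 'intranet.corp.example'  # NEW A record for the same server (a CNAME will not do:
                                           # the Kerberos client canonicalises it back to the A name)

# Parse "setspn -L <account>" output into a plain list of SPN strings.
function Get-RegisteredSpn {
    param([string]$Account)
    setspn -L $Account |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^[A-Za-z]+/' }
}

# Return any SPN that both accounts hold. A duplicate SPN means the KDC cannot pick
# a single key for the service, so Kerberos to that name fails.
function Test-SpnConflict {
    param([string]$AccountA, [string]$AccountB)
    $a = Get-RegisteredSpn -Account $AccountA
    $b = Get-RegisteredSpn -Account $AccountB
    $a | Where-Object { $b -contains $_ }
}

# 1. Before touching anything, show what is already registered.
Write-Host "SPNs on $MachineAccount:"; Get-RegisteredSpn -Account $MachineAccount
Write-Host "SPNs on $ServiceAccount:"; Get-RegisteredSpn -Account $ServiceAccount

# 2. Refuse to proceed if the new name is already claimed by the machine account.
#    An explicit HTTP/<name> on the domain user would otherwise override the
#    machine's HOST/<name> coverage, and NETWORK SERVICE pools on that name would
#    no longer be able to decrypt tickets (the failure described in the thread).
$machineSpns = Get-RegisteredSpn -Account $MachineAccount
if ($machineSpns -contains "HTTP/$NewSiteName") {
    throw "HTTP/$NewSiteName is already on $MachineAccount; pick a different DNS name."
}

# 3. Register the HTTP SPNs for the new name on the service account only.
#    (On Windows Server 2008+ setspn, use -S instead of -A to have setspn itself
#    reject forest-wide duplicates.)
setspn -A "HTTP/$NewSiteName" $ServiceAccount
setspn -A ("HTTP/" + $NewSiteName.Split('.')[0]) $ServiceAccount   # short name, if browsers use it

# 4. Confirm there is still no overlap between the two accounts.
$conflicts = Test-SpnConflict -AccountA $MachineAccount -AccountB $ServiceAccount
if ($conflicts) {
    Write-Warning "Duplicate SPNs found: $($conflicts -join ', ')"
} else {
    Write-Host "No SPN overlap between $MachineAccount and $ServiceAccount."
}
```

After this, sites that should keep using NETWORK SERVICE stay on the machine's original host name, and the domain-user application pool is reached via the new name, so each name maps to exactly one account and one key.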

"Tom McDonnell" <qirexrd_@xxxxxxxxxxxx> wrote in message
news:u8mJNz3MGHA.1180@xxxxxxxxxxxxxxxxxxxxxxx

I've been involved in building an application in ASP.NET which has
utilised application pools in IIS6 to allow the site to run under the
credentials of a domain user and authenticate with SQL Server.

Having recently rolled this application out to a number of sites, we
have encountered a problem where Windows integrated authentication is
enabled, but users credentials are not accepted. I've figured out the
problem to be due to there being no Service Principal Name for the
domain account.

Having found some documentation from Microsoft about this issue, I've
tried to create the SPN, but it causes authentication to then fail
with the NETWORK SERVICE user.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000009.asp#paght000009_additionalconsiderations

How can Windows be configured so both the NETWORK SERVICE and domain
users can be used to perform Windows authentication in IIS6
application pools?





