Re: Application Pools, Domain User Accounts and Service Principal Names



My experience has been that to have an SPN that belongs to the domain
service account that does not conflict with the SPNs already assigned to the
machine account, you need a new DNS name and a new A record in DNS for that
name. Then, if you give the machine account the SPN corresponding to the
new DNS name, should be ok.

Note that I've recently tried to do this with a CNAME record in DNS that
just aliases the A record associated with the machine account's DNS/SPN, but
Kerberos seems to be too clever and resolves the alias back to the A record
name before creating its SPN.

I feel your pain. :)

HTH,

Joe K.

"Tom McDonnell" <qirexrd_@xxxxxxxxxxxx> wrote in message
news:u8mJNz3MGHA.1180@xxxxxxxxxxxxxxxxxxxxxxx
I've been involved in building an application in ASP.NET which has
utilised application pools in IIS6 to allow the site to run under the
credentials of a domain user and authenticate with SQL Server.

Having recently rolled this application out to a number of sites, we have
encountered a problem where Windows integrated authentication is enabled,
but users' credentials are not accepted. I've figured out the problem to be
due to there being no Service Principal Name for the domain account.

Having found some documentation from Microsoft about this issue, I've
tried to create the SPN, but it causes authentication to then fail with
the NETWORK SERVICE user.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000009.asp#paght000009_additionalconsiderations

How can Windows be configured so both the NETWORK SERVICE and domain users
can be used to perform Windows authentication in IIS6 application pools?
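The steps Joe describes (a dedicated DNS name with an A record, then an HTTP SPN on the service account for that name), written out as an added example that is not part of the original thread. Every value is a hypothetical placeholder: domain CORP, service account svc_apppool, zone corp.example.com, host label intranet, IP 10.0.0.5, DNS server dc01. It uses the -Q, -S and -X switches of setspn.exe, which shipped with Windows Server 2008 and later; the IIS6-era Support Tools version only has -A, -D and -L, so on that version add with -A and check for duplicates separately.

```powershell
# Added example (not from the thread): register an HTTP SPN for an IIS6
# application-pool service account on its own DNS name, as Joe describes.
# All values below are hypothetical placeholders; adjust to your environment.
$Domain      = 'CORP'
$ServiceAcct = 'svc_apppool'           # domain account the app pool runs as
$Zone        = 'corp.example.com'
$HostLabel   = 'intranet'              # new name, distinct from the server's own
$Fqdn        = "$HostLabel.$Zone"
$WebIp       = '10.0.0.5'              # address of the IIS server
$DnsServer   = 'dc01'

# 1. Create an A record (not a CNAME) for the new name. Joe notes that a
#    CNAME is canonicalised back to the server's own name, so the client
#    would request a ticket for the machine account's SPN instead.
dnscmd $DnsServer /RecordAdd $Zone $HostLabel A $WebIp

# 2. Check that no account in the forest already holds this SPN. A duplicate
#    SPN leaves the KDC unable to choose a key, and clients then fall back
#    to NTLM or fail outright, which looks like "credentials not accepted".
$query = setspn -Q "HTTP/$Fqdn"
if ($query -match 'Existing SPN found') {
    Write-Warning "HTTP/$Fqdn is already registered; resolve the duplicate first:"
    $query
    return
}

# 3. Register both the FQDN and short-name forms on the service account.
#    -S refuses to add an SPN that already exists elsewhere (unlike -A).
setspn -S "HTTP/$Fqdn"      "$Domain\$ServiceAcct"
setspn -S "HTTP/$HostLabel" "$Domain\$ServiceAcct"

# 4. Confirm the result and scan the forest for any remaining duplicates.
setspn -L "$Domain\$ServiceAcct"
setspn -X
```

Run this from an elevated prompt as an account allowed to write servicePrincipalName on the service account and to add records in the zone. The reason the two identities can coexist is that the machine account's HOST/ SPNs already cover HTTP for the server's own name, so NETWORK SERVICE keeps working for that name, while the service account only claims the new name; the failure Tom saw comes from putting the server's own name on the service account, which collides with the machine account.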




