Re: Application Pools, Domain User Accounts and Service Principal Names



I'm a pretty big fan of the TechNet "Kerberos troubleshooting" article. It
is the most thorough I've seen.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

The other thing that is critical is enabling event logging for Logon/Logoff
requests (both success and failure) so that you can see what auth package is
being used and what SPNs. A lot of those details are recorded in the log
messages. Learning to use a packet sniffer like netmon or Ethereal can be
helpful too.

Unfortunately, there is still some black magic involved when trying to
figure out why sometimes Negotiate fails over to NTLM. I'm still trying to
find the magic tool that tells me why Kerberos isn't available when I think
it should be.

Best of luck.

Joe K.

"Tom McDonnell" <qirexrd_@xxxxxxxxxxxx> wrote in message
news:uVoY6zyNGHA.2064@xxxxxxxxxxxxxxxxxxxxxxx

This is really out of my league, the documentation I have found is purely
technical, and nothing you can learn from. Well, it's back to using .NET
impersonation and recording static user credentials in the registry...

I feel your pain. :)

The problem is there is no way I can communicate this to Microsoft and say
HOY! the documentation doesn't go nearly far enough, how 'bout improving
it! I did send them feedback for the article but I'm sure that will just
go off into oblivion.

Thanks Joe.
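
The logon-event check suggested in the reply above, as an added example that is not part of the original thread: it reads Security-log events exported as XML and reports, per account, which authentication package each network logon used, so intermittent fallback to NTLM stands out. Assumptions: the event ID 4624 schema of newer Windows versions (the thread names no event IDs), and constructed sample events, account names and status labels.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": URI}

def make_event(event_id, user, package, logon_type, process):
    # Builds one constructed sample event (not captured from a real system).
    fields = {"TargetUserName": user, "AuthenticationPackageName": package,
              "LogonType": logon_type, "LogonProcessName": process}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{URI}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

SAMPLE = "<Events>" + "".join([
    make_event(4624, "svc-apppool", "Kerberos", 3, "Kerberos"),
    make_event(4624, "svc-apppool", "NTLM", 3, "NtLmSsp"),
    make_event(4624, "alice", "Kerberos", 3, "Kerberos"),
    make_event(4624, "bob", "NTLM", 3, "NtLmSsp"),
    make_event(4624, "alice", "Negotiate", 2, "User32"),  # interactive, ignored
    make_event(4634, "bob", "", 3, ""),                   # logoff, ignored
]) + "</Events>"

def network_logons(xml_text):
    """Yield the EventData fields of each 4624 network logon (LogonType 3)."""
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        rec = {d.get("Name"): d.text or "" for d in ev.iterfind("e:EventData/e:Data", NS)}
        if rec.get("LogonType") == "3":
            yield rec

def package_report(xml_text):
    """Map account -> (status, package counts) for network logons."""
    usage = defaultdict(Counter)
    for rec in network_logons(xml_text):
        usage[rec["TargetUserName"]][rec["AuthenticationPackageName"]] += 1
    report = {}
    for user, pkgs in usage.items():
        if "NTLM" not in pkgs:
            status = "no-ntlm"
        elif "Kerberos" in pkgs:
            status = "intermittent-ntlm"  # Negotiate sometimes fell back
        else:
            status = "ntlm-only"          # Kerberos never seen for this account
        report[user] = (status, dict(pkgs))
    return report

if __name__ == "__main__":
    for user, (status, pkgs) in sorted(package_report(SAMPLE).items()):
        print(f"{user:12} {status:18} {pkgs}")
```
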