Re: Application Pools, Domain User Accounts and Service Principal Names

Hi,

it is called ethereal (www.ethereal.com) :)

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

I'm a pretty big fan of the TechNet "kerberos troubleshooting"
article. It is the most thorough I've seen.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technol
ogies/security/tkerberr.mspx

The other thing that is critical is enabling event logging for
Logon/Logoff requests (both success and failure) so that you can see
what auth package is being used and what SPNs. A lot of those details
are recorded in the log messages. Learning to use a packet sniffer
like netmon or Ethereal can be helpful too.

Unfortunately, there is still some black magic involved when trying to
figure out why sometimes Negotiate fails over to NTLM. I'm still
trying to find the magic tool that tells me why Kerberos isn't
available when I think it should be.

Best of luck.

Joe K.

"Tom McDonnell" <qirexrd_@xxxxxxxxxxxx> wrote in message
news:uVoY6zyNGHA.2064@xxxxxxxxxxxxxxxxxxxxxxx

This is really out of my league, the documentation I have found is
purely technical, and nothing you can learn from. Well, it's back to
using .NET impersonation and recording static user credentials in the
registry...

I feel your pain. :)

The problem is there is no way I can communicate this to Microsoft
and say HOY! the documentation doesn't go nearly far enough, how
'bout improving it! I did sent them feedback for the article but I'm
sure that will just go off into oblivion.

Thanks Joe.



.