Re: IIS integrated authentication file share permission problem



How is the second name "test" configured in DNS? Is it a CNAME or A record?
My experience with Kerberos is that when using DNS-based names, it only
forms SPNs based on A records. Thus, if your client specifies a name that
is the CNAME, Kerberos will look that up in DNS, find the object with the A
record name and build the SPN based on it. That may have something to do
with what's going on.

The best thing to do when troubleshooting delegation stuff is enable logon
event auditing on all servers so that you can see when Kerberos is being
used and what SPN was used and you can also see when Kerberos can't be
negotiated and NTLM is attempted (which won't delegate).

Network traces are also often helpful.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<ng.w.purrer@xxxxxxxxxxx> wrote in message
news:1154623902.095943.160740@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I have one Windows 2003 Server which is working as an ASP.NET web server
in an Active Directory environment.

Through this ASP.NET application I'd like to access files on a
file share.

The NetBIOS name of the web server is "test1" with the IP address
192.168.0.1,
but in DNS I have configured a second name, test, with the IP address
192.168.0.2.

(In the network configuration I added the second address to the adapter
of the first.)

If I use the name test1 in the browser, the access to the file through
the ASP.NET application works well,
but if I use the name test I get an access denied from the access to
the share.

The server "test1" is trusted for delegation (Kerberos), the
authentication mode is integrated authentication, and in the web.config
file identity impersonate is true.

I read
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q207671 but it
is for IIS4 and IIS5,
and http://support.microsoft.com/?id=832769 but this doesn't work, but I
heard something about SPNs (but in this topic it is used for the SQL
Server).

So I tried
setspn -A host/test test1, which didn't work, and neither did setspn -A http/test test1.

Do you have some suggestions?
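
Added example, not part of the original thread: a small Python model of the name-to-SPN behaviour described in the reply (a CNAME is followed to its A-record name before the SPN is built), used to check which SPN each URL host name leads to. The DNS table, the `alias` CNAME, the SPN table and the assumption that the site runs as the machine account TEST1$ are constructed for illustration.

```python
# Added illustration; the zone and SPN table below are constructed sample data.
DNS = {
    "test1": ("A", "192.168.0.1"),
    "test": ("A", "192.168.0.2"),
    "alias": ("CNAME", "test1"),  # hypothetical CNAME, not from the thread
}
# SPN -> account it is registered on (a machine account gets HOST/<name> by default)
SPNS = {"host/test1": "TEST1$"}


def canonical_name(name, dns, max_hops=8):
    """Follow CNAME records to the name that owns the A record."""
    name = name.lower()
    for _ in range(max_hops):
        rtype, value = dns[name]  # KeyError means the name does not resolve
        if rtype == "A":
            return name
        name = value.lower()
    raise ValueError("CNAME chain too long or looping")


def requested_spn(host, dns, service="http"):
    """SPN a client would request, built from the A-record name."""
    return f"{service}/{canonical_name(host, dns)}"


def spn_owner(spn, spns):
    """Account holding the SPN; http is covered by the built-in HOST alias."""
    service, _, host = spn.partition("/")
    fallback = spns.get(f"host/{host}") if service == "http" else None
    return spns.get(spn) or fallback


def diagnose(host, dns, spns, expected_account):
    """Return (spn, verdict) for the host name typed into the browser."""
    spn = requested_spn(host, dns)
    owner = spn_owner(spn, spns)
    if owner is None:
        return spn, "missing"        # no ticket: NTLM fallback, no delegation
    if owner != expected_account:
        return spn, "wrong-account"  # ticket issued for a different account
    return spn, "ok"


if __name__ == "__main__":
    for host in ("test1", "alias", "test"):
        print(host, "->", *diagnose(host, DNS, SPNS, "TEST1$"))
```

In this model the CNAME `alias` maps to the SPN already held by test1, while the separate A record `test` produces `http/test`, which has no owner in the sample table.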