Re: Windows authentication query

From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 04/13/04 

Date: Tue, 13 Apr 2004 17:30:15 +1000

Hi,

Setting an SPN once should be enough in most cases. Why is it a "per client"
setting in your case? The Kerberos ticket must have an SPN, and when you
install IIS, only the NetBIOS name of the IIS server is registered with the
KDC. The use of SetSPN allows you to register other service names (e.g. a
FQDN) with the KDC (i.e. with your Domain Controllers). so you'd have to do
this once for each FQDN that IIS is using, and once for each FQDN of the
remote service(s) that IIS has to access.

Let me investigate WRT to question 2. Do you have a two-way trust? or just a
one-way trust? (I'm not whether that's relevant, but it's the only think I
can think off OTOH)

Cheers
Ken

"Madhu Gopinathan" <madhugops@rediffmail.com> wrote in message
news:u%23ejacSIEHA.3848@tk2msftngp13.phx.gbl...
: Hi Ken,
: Thanks for your prompt reply. I investaigated the links you sent, and
it
: started working when I started using the NetBIOS name of the IIS machine.
: Thanks a million!!
:
: However, I have a few further queries, and I hope you can solve them
for
: me.
: 1. Just adding the SPNs using SetSPN was not enough for using IP address
and
: FQDNs in my machine path. I had to add the IP address and the FQDN of the
: IIS server in the list of sites that would be available in the intranet.
: Since this is a per-client setting, this would be a cumbersome solution.
Is
: there any way for accesses to sites using IP address and FQDNs without
: having to resort to a per-client setting? Maybe a GPO level setting or
: something?
:
: 2. Delegation is succeeding only for users accounts residing in the same
: domain as the IIS server. For users from trusted domains, the
impersonation
: level is Impersonate and not Delegate. I verified this by examining the
: impersonation level of the thread token in the DLLHOST process. Is there
: something still amiss in my settings somewhere? Is it not supposed to
: delegate credentials from domains trusted by the domain that the IIS
server
: resides in?
:
: Thanks again,
: Madhu
:
: "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
: news:OlWOp#GIEHA.3536@TK2MSFTNGP09.phx.gbl...
: > Hi,
: >
: > You need to configure both the computer and user accounts for
delegation.
: > Then you may need to use the SetSPN.exe tool to register the service
: > principal name if you are accessing the site under anything other than
the
: > NetBIOS name of the machine. Try the following links:
: >
: > http://support.microsoft.com/default.aspx?scid=kb;en-us;810572
: > HOW TO: Configure an ASP.NET Application for a Delegation Scenario
: >
: > http://support.microsoft.com/?id=294382
: >
: > Authentication May Fail with "401.3" Error If Web Site's "Host Header"
: > Differs from Server's NetBIOS Name
: >
: > http://support.microsoft.com/default.aspx?kbid=325894
: > HOW TO: Configure Computer Accounts and User Accounts So That They Are
: > Trusted for Delegation in Windows Server 2003 Enterprise Edition (also
: > includes Windows 2000 instructions)
: >
: >
: > Cheers
: > Ken
: >
: >
: >
: > "Madhu Gopinathan" <madhugops@rediffmail.com> wrote in message
: > news:erhW21GIEHA.3848@tk2msftngp13.phx.gbl...
: > Hi,
: > I have a setup of IIS 5.0 on a Windows 2000 server. I have created a
: web
: > site to run under Windows authentication. The default asp in this site
: > accesses active directory objects. Now I want this setup to support
: > delegation, so I have trusted the computer account of the IIS server for
: > delegation and made sure that the user being delegated is not a
sensetive
: > account. However, in my event viewer on my DC (which is not the IIS
: server),
: > I get logon/logoff events under ANONYMOUS LOGON context.
: >
: > What is wrong here? I have tried everything to get a delegation
setup,
: > however it just does not seem to succeed. I have also updated the
: > EnableNegotiate key on the client browser machine, this also does not
: help.
: >
: > Thanks,
: > Madhu
: >
: >
:
:

Relevant Pages

  • Re: Windows authentication query
    ... IIS server in the list of sites that would be available in the intranet. ... > You need to configure both the computer and user accounts for delegation. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Fixed but no idea why.
    ... Our topology is that the IIS SMTP server box is outside our firewall ... Do I not need to set the FQDN? ... itself as (EHLO/HELO hostname). ...
    (microsoft.public.inetserver.iis.smtp_nntp)
  • RE: IIS Client Certificate Mapping and Windows 2000 Delegation to SQL
    ... AD certificate mapping may not work for delegation. ... Only the IIS ... >Windows authentication) using the credentials mapped to their certificate. ...
    (microsoft.public.inetserver.iis.security)
  • Re: PROBLEM: ASP on IIS 5 secured via "Windows Integrated Authentication" accessing "
    ... uses NT group based permissons on the SQL Server, ... > transfered to the IIS box and IIS does a local logon. ... > delegation for all accounts. ...
    (microsoft.public.inetserver.iis.security)
  • Re: IIS5.0 + ADSI + Inetgrated Auth.
    ... Your problem lies with delegation. ... Basic auth should work (i've successfully used ASP pages that use ADSI to ... IIS installed on one of the Member Servers ... When i run the same on the Member Server where IIS resides all goes fine. ...
    (microsoft.public.inetserver.iis.security)