Re: SPS wont use kerberos
From: Al Blake (al_at_blakes.net)
Date: 05/31/04
- Next message: RussKie: "New exploit?"
- Previous message: Ken Schaefer: "Re: SPS wont use kerberos"
- In reply to: Ken Schaefer: "Re: SPS wont use kerberos"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 31 May 2004 18:12:07 +1000
Don't worry about it ;)
I am reposting the information from wfetch: if it ends up here twice then so
be it.
Haven't checked the webserver log yet as this is a *production* server - so
there are certain hours I can mess around with it. I'll try to trace that
part of it later tonight. (What am I particularly looking for in the IIS
logs?)
Al.
===wfetch stuff=====
Sharepoint application is running as CGGS\Sharepoint. This user is trusted
for delegation.
User and FQDN (portal.cggs.act.edu.au) have been added as SPN on server
ATHENA:
C:\Program Files\Resource Kit>setspn -L athena
Registered ServicePrincipalNames for CN=ATHENA,OU=Permit Student
Access,OU=CGGS Member Servers,OU=Machines,DC=cggs,DC=act,DC=edu,DC=au:
HTTP/cggs.act.edu.au/Sharepoint
HTTP/CGGS\Sharepoint
HOST/portal.cggs.act.edu.au
HOST/portal
HTTP/portal.cggs.act.edu.au
HTTP/portal
HOST/intranet
HTTP/intranet
HTTP/intranet.cggs.act.edu.au
SMTPSVC/athena.cggs.act.edu.au
SMTPSVC/ATHENA
HOST/ATHENA
HOST/athena.cggs.act.edu.au
When I use wfetch to watch the conversation between the server and the
browser I see that the browser asks for Negotiate:
WWWConnect::Connect("portal.cggs.act.edu.au","80")\nIP =
"192.168.31.9:80"\nsource port: 4372\r\n
ISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE set\nSEC_I_CONTINUE_NEEDED\nREQUEST:
**************\nGET /default.aspx HTTP/1.1\r\n
Host: portal.cggs.act.edu.au\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: Negotiate YIINSwYGKw
etc etc etc
Host responds with Negotiate:
HTTP/1.1 401 Unauthorized\r\n
Content-Length: 1539\r\n
Content-Type: text/html\r\n
Server: Microsoft-IIS/6.0\r\n
WWW-Authenticate: Negotiate etc etc
\r\n
X-Powered-By: ASP.NET\r\n
MicrosoftSharePointTeamServices: 6.0.2.5530\r\n
Date: Mon, 31 May 2004 05:45:19 GMT\r\n
\r\n
then host sends back the 'not authorised page'
SEC_I_CONTINUE_NEEDED\n<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">\r\n
<HTML><HEAD><TITLE>You are not authorized to view this page</TITLE>\r\n
<META HTTP-EQUIV="Content-Type" Content="text/html;
charset=Windows-1252">\r\n
<STYLE type="text/css">\r\n
BODY { font: 8pt/12pt verdana }\r\n
etc
Client tries again:
REQUEST: **************\nGET /default.aspx HTTP/1.1\r\n
Host: portal.cggs.act.edu.au\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: Negotiate etc etc
Host replies with an Unable to InitializeSecurityContext.
RESPONSE: **************\nHTTP/1.1 401 Unauthorized\r\n
Content-Length: 1539\r\n
Content-Type: text/html\r\n
Server: Microsoft-IIS/6.0\r\n
WWW-Authenticate: Negotiate etc etc
X-Powered-By: ASP.NET\r\n
MicrosoftSharePointTeamServices: 6.0.2.5530\r\n
Date: Mon, 31 May 2004 05:45:19 GMT\r\n
\r\n
0x80090322 Unable to InitializeSecurityContext <<<<<<====== here's where it
fails
So any ideas why this is failing given that I have added everything I can
think of as an SPN (!), I have given both the machine account AND the
apppool account delegate permission in AD *and* kerberos is working for 4
other IIS webs on the same server - it is only not working for the SPS
site... :(
Regards
Al Blake, Canberra, Australia
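An SPN sanity check, added here as an illustration and not part of Al's message or of any Microsoft tool: it parses the `setspn -L` output quoted above (embedded as a constructed string, with the wrapped DN line rejoined), flags entries that are not of the form service/host[:port][/name], finds case-insensitive duplicates, and reports whether the SPN the browser would ask for (HTTP/<the Host header the client sent>) is actually registered. The 0x80090322 the trace ends in is SEC_E_WRONG_PRINCIPAL, so the registered-vs-requested comparison is the first thing to confirm. The regex, function names and the backslash rule are my own assumptions about what a reasonable check looks like.

```python
import re
from collections import Counter

# Constructed from the `setspn -L athena` output quoted in the message above;
# the two wrapped lines of the DN header have been joined into one.
SETSPN_OUTPUT = """Registered ServicePrincipalNames for CN=ATHENA,OU=Permit Student Access,OU=CGGS Member Servers,OU=Machines,DC=cggs,DC=act,DC=edu,DC=au:
HTTP/cggs.act.edu.au/Sharepoint
HTTP/CGGS\\Sharepoint
HOST/portal.cggs.act.edu.au
HOST/portal
HTTP/portal.cggs.act.edu.au
HTTP/portal
HOST/intranet
HTTP/intranet
HTTP/intranet.cggs.act.edu.au
SMTPSVC/athena.cggs.act.edu.au
SMTPSVC/ATHENA
HOST/ATHENA
HOST/athena.cggs.act.edu.au
"""

# service/host[:port][/servicename]; host labels restricted to RFC 1123 characters.
SPN_RE = re.compile(
    r"^(?P<cls>[A-Za-z0-9_-]+)/"
    r"(?P<host>[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*)"
    r"(?::(?P<port>\d{1,5}))?"
    r"(?:/(?P<svc>[^/\\]+))?$"
)


def parse_setspn(text):
    """Return (account_dn, [spn, ...]) from `setspn -L` output."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    m = re.match(r"Registered ServicePrincipalNames for (.+):$", lines[0])
    account = m.group(1) if m else None
    return account, lines[1:]


def check_spn(spn):
    """Return None if the SPN is well-formed, otherwise a description of the problem."""
    if "\\" in spn:
        # DOMAIN\user is an account name, not a host; Kerberos clients never request this.
        return "contains a backslash: looks like DOMAIN\\user, not service/host"
    if not SPN_RE.match(spn):
        return "does not match service/host[:port][/name]"
    return None


def audit(text, requested_host, service_class="HTTP"):
    """Summarise SPN hygiene for one account against the host a client asked for."""
    account, spns = parse_setspn(text)
    malformed = {}
    for s in spns:
        problem = check_spn(s)
        if problem:
            malformed[s] = problem
    # setspn matching is case-insensitive, so fold case before counting.
    counts = Counter(s.lower() for s in spns)
    duplicates = sorted(s for s, n in counts.items() if n > 1)
    wanted = f"{service_class}/{requested_host}"
    return {
        "account": account,
        "count": len(spns),
        "malformed": malformed,
        "duplicates": duplicates,
        "requested_spn": wanted,
        "registered": wanted.lower() in counts,
    }


if __name__ == "__main__":
    # The Host header in the wfetch trace is portal.cggs.act.edu.au.
    report = audit(SETSPN_OUTPUT, "portal.cggs.act.edu.au")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the quoted output it confirms that HTTP/portal.cggs.act.edu.au is present on ATHENA and flags only `HTTP/CGGS\Sharepoint` as malformed. What a single `setspn -L` cannot show is the same HTTP SPN registered on a second account (the app pool identity, say), which also yields SEC_E_WRONG_PRINCIPAL; that needs the same parser run over every candidate account, then a duplicate check across the merged lists.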