Re: Strange auth denial with IE Integrated Security and IIS; but not Firefox, Netscape

From: Kevin C (kc_at_noneya.com)
Date: 11/23/04


Date: Tue, 23 Nov 2004 11:47:24 -0600

I got it. It stemmed from my domain account not have a registered SPN with
AD for that machine. Thanks for your help.

"Bernard" <qbernard@hotmail.com.discuss> wrote in message
news:O04%232AT0EHA.2568@TK2MSFTNGP11.phx.gbl...
> Well, I will try. From your explanation
> defaultapppool - no problem
> new apppool - error
>
> it looks like the new AppPool doesn't have certain required access right,
> application impersonation same ?
> and both app pool are running the same process identity ?
>
> I can't think of anything now, but have check the IIS log file for the two
> different app pool ?
> --
> Regards,
> Bernard Cheah
> http://www.tryiis.com/
> http://support.microsoft.com/
> http://www.msmvps.com/bernard/
>
>
>
> "Kevin C" <kc@noneya.com> wrote in message
> news:eAfacnK0EHA.2016@TK2MSFTNGP15.phx.gbl...
> > Firefox 1.0R
> > Netscape - 7.1
> >
> > Bernard,
> > Basic Auth is not on, only Windows Integrated. Please help me
understand
> > this a little better. By default, in previous apps I have always had
> > "Enable Integrated Auth" on. If I am running a non-AD domain and set up
a
> > simple site and setup WindowsAuth are you saying that it will force
> > Kerberos? Is the new app domain jump that the new AppPool has created
> > presenting a delegation problem? If I move the virtual directory back
to
> > the DefaultAppPool and set impersonation back to the domain accout
> everthing
> > works perfect. Moving it out to the new AppPool is what is triggering
> this
> > behavior and I cant figure out what is going on here. I must say I am a
> > little frusterated ;)
> >
> > Kevin
> >
> >
> > "Bernard" <qbernard@hotmail.com.discuss> wrote in message
> > news:updR$jE0EHA.1300@TK2MSFTNGP14.phx.gbl...
> > > What I suspect is Kerberos auth failed, when the "Enable Windows
> > Integrated
> > > Authentication" is on. IE will force kerberos auth, without it, it
will
> > pick
> > > NTLM if kerberos failed.
> > >
> > > site question. what version of firefox and netscape you are using..
> > > and basic auth is not enabled in the site property, right ?
> > >
> > > --
> > > Regards,
> > > Bernard Cheah
> > > http://www.tryiis.com/
> > > http://support.microsoft.com/
> > > http://www.msmvps.com/bernard/
> > >
> > >
> > >
> > > "Kevin C" <kc@noneya.com> wrote in message
> > > news:uuNvcxmzEHA.824@TK2MSFTNGP11.phx.gbl...
> > > > I am having a rather weird error occur when trying to connect to my
> web
> > > > applications. Here is the scenario:
> > > > - There is a application pool that I have created to host my web
> > apps
> > > > - The App pool is running under a domain account
> > > > - Anonymous access is off and WindowsAuth is on
> > > > - turned off any identity impersonation settings for the asp.net
> > app;
> > > > therefore it is using what is in the machine.config. Which is
> <identity
> > > > impersonate="false" userName="" password=""/>
> > > > - The domain account has sufficient privileges to ASP.NET Temp
dir
> > > > - ACL set for proper accounts
> > > >
> > > > Here is the weird thing. When I turn off the "Enable Windows
> Integrated
> > > > Authentication" option in IE I get challenged and everything works
> fine
> > > once
> > > > I supply the correct creds - same things happens with Firefox and
> > > Netscape.
> > > > But, if I turn that option back on I get prompted and can't get
> through.
> > > I
> > > > have check the logs and all I see is the 401 challenge. Does
anyone
> > have
> > > > any ideas? The only real difference I have done today is move this
> app
> > > into
> > > > running with the AppPool under a domain account.
> > > >
> > > > Kevin
> > > >
> > > >
> > >
> > >
> >
> >
>
>



Relevant Pages