Re: SetSPN.Exe
From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 05/24/05
- Next message: Landi: "Re: Cannot Create new VS Web Project"
- Previous message: Ken Schaefer: "Re: IIS6 and Authentication across Servers and Domains"
- In reply to: Ethem Azun: "Re: SetSPN.Exe"
- Next in thread: Ethem Azun: "Re: SetSPN.Exe"
- Reply: Ethem Azun: "Re: SetSPN.Exe"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 24 May 2005 23:26:50 +1000
In the normal course of events - you shouldn't be seeing what you are seeing.

Off the top of my head, I would have to ask: Is the index.aspx page that is being requested located locally on the IIS server? Or is it located on some remote server?

Cheers
Ken
--
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com

"Ethem Azun" <EthemAzun@discussions.microsoft.com> wrote in message
news:46F52559-03C2-4F2A-9331-D9A56B52651C@microsoft.com...
:
: Hi Ken,
:
: I'm now totally mixed up :)
:
: My experience is as follows;
:
: 1) An IIS 6 with Win2003 on a domain. Users use domain accounts to access it.
: 2) Installed an ASP.NET Application that does NOT use impersonation. (hence no delegation?)
: 3) The application uses Windows Integrated Security. (all other options are cleared out.)
: 4) I first put it under the default pool, run it and access it, everything works fine.
: 5) I change the application to work on an app pool that is running under a domain account.
: 6) The domain account is a user of the IIS_WPG group.
: 7) I try to reach the index page (which is more or less a static page) and a challenge window pops up. (such as http://servername/appname/index.aspx or http://fqdnofserver/appname/index.aspx)
: 8) I try to login with domain accounts, local accounts etc, no luck. I check the event log and see that the username field goes empty and auth type is kerberos.
: 9) I register the SPNs with server name and domain account name, the challenge window suddenly disappears, everything works fine.
:
: To my understanding, there's no delegation here. According to what I understand from what you said, the above should have worked without 9.
:
: Have I missed something?
:
: Thanks,
:
: Ethem
:
: "Ken Schaefer" wrote:
:
: > "Ethem Azun" <EthemAzun@discussions.microsoft.com> wrote in message
: > news:AE55C4FB-FCAB-4CB0-8470-1A3D6188F11E@microsoft.com...
: > :
: > : Hi Ken,
: > :
: > : Thanks for the reply.
: > :
: > : I might be mixed up about two things, please correct me if I'm wrong.
: > :
: > : 1) Is it a "must" to register an SPN for the server, if we want to run the application under a domain identity? (keeping every setting default, such as using kerberos etc.)
: >
: > If you want to use delegation, you need to register an SPN. When IIS is installed an SPN is registered for the default identity (Network Service)
: >
: > : 2) If that is so, and if what you suggested before (running different apps with different accounts on the same site is not possible, if one of the accounts is a domain account) is also true, then isn't this a very big constraint? Then the concept of application pools is not very helpful at all.
: >
: > Web App Pools are very useful for isolating web applications from each other (for security purposes, for stability purposes, and for scalability purposes).
: >
: > If you want to use different identities for each web app, then give them different FQDN. You can then register an SPN for each FQDN (with a different identity for each FQDN)
: >
: > : I believe it's a very normal request to be able to decide on this on the application level (at least the pool level), and not on the server level.
: >
: > You can allocate different apps to different app pools, and run each app pool under a different identity. You can do all of this without registering an SPN. You only need to register an SPN if you want to configure delegation.
: >
: > : It comes to the point that the only way to do such a thing is to force IIS to use NTLM or running in IIS5 Compatibility mode. But this is not a good practice.
: >
: > NTLM is not delegatable. IIS Compatibility mode doesn't solve the delegation issue. You will have the same problem.
: >
: > : I think something is not fitting in this picture, or I'm overseeing something.
: > :
: > : Thanks,
: > :
: > : Ethem
: > :
: > : "Ken Schaefer" wrote:
: > :
: > : > "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
: > : > news:ujRTPQCYFHA.252@TK2MSFTNGP12.phx.gbl...
: > : > :: The question is; is there a way to make two web applications to run under the same site, one under a domain account and the other under the Network Services account? (Both apps are reached inside the domain only.)
: > : > :
: > : > : I don't think this is possible. The SPN is registered by host name (e.g. "servername" or "server.domain.com"), and you need to tie a single identity to that host name. You can't use two different identities to a single hostname.
: > : >
: > : > Should clarify that. I don't think you can use two identities with a single hostname /and/ the same service (HTTP). Obviously you can use different identities for different services...
: > : >
: > : > Cheers
: > : > Ken
: > : >
: > : > : "Ethem Azun" <EthemAzun@discussions.microsoft.com> wrote in message
: > : > : news:FB697828-46FE-4559-B067-ADE97E1FE52D@microsoft.com...
: > : > ::
: > : > :: Hi,
: > : > ::
: > : > :: I have IIS 6 on 2003 which is registered on the domain.
: > : > ::
: > : > :: To run an ASP.NET Application with a domain account, I set the SPNs as follows;
: > : > ::
: > : > :: setspn -A HTTP/servername domain\newaccountname
: > : > :: setspn -A HTTP/servername.domain.com domain\newaccountname
: > : > :: setspn -A HTTPS/servername domain\newaccountname
: > : > :: setspn -A HTTPS/servername.domain.com domain\newaccountname
: > : > ::
: > : > :: After this, the application runs fine with kerberos. But the other apps which run under the Network Services account start showing up challenge windows and don't authenticate. To my understanding, they all suddenly started requesting Kerberos auth instead of NTLM and since Network Services does not have an SPN (is it really so?), it does not work.
: > : > ::
: > : > :: The question is; is there a way to make two web applications to run under the same site, one under a domain account and the other under the Network Services account? (Both apps are reached inside the domain only.)
: > : > ::
: > : > :: Thanks for any ideas, comments, corrections.
: > : > ::
: > : > :: Ethem
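The behaviour the thread keeps circling, one identity per host name and service, and why the Network Service pools broke once HTTP/servername was handed to a domain account, as an added Python model of how the KDC picks the key for an HTTP/<host> SPN. This is not code from the thread or from any of its participants; DOMAIN\SERVERNAME$, DOMAIN\newaccountname and app2.domain.com are constructed sample names.

```python
# Added model of how the KDC picks the key for an HTTP/<host> SPN; not thread code, names are constructed.
from collections import defaultdict

# Network Service authenticates to the domain as the computer account.
MACHINE_ACCOUNT = "DOMAIN\\SERVERNAME$"
NETWORK_SERVICE = "NT AUTHORITY\\NETWORK SERVICE"

def build_index(registrations):
    """Invert {account: [spn, ...]} into {spn: [accounts]}; SPNs are case-insensitive."""
    index = defaultdict(list)
    for account, spns in registrations.items():
        for spn in spns:
            index[spn.lower()].append(account)
    return index

def find_duplicates(registrations):
    """SPNs held by more than one account: the KDC cannot pick one key (what setspn -X reports)."""
    return sorted(spn for spn, accts in build_index(registrations).items() if len(accts) > 1)

def resolve(index, service, host):
    """Accounts whose key the KDC uses for service/host.  With no explicit HTTP/host, AD's
    default sPNMappings treat 'http' as an alias of 'host', so the computer account owning
    HOST/host gets the ticket.  Browsers ask for HTTP/<host> even over TLS, so the HTTPS/ entries
    registered in the thread never come into play."""
    accounts = index.get(f"{service}/{host}".lower())
    if not accounts and service.lower() == "http":
        accounts = index.get(f"host/{host}".lower())
    return list(accounts or [])

def check_pool(registrations, pool_identity, host):
    """'ok' when a ticket for HTTP/host is encrypted with the pool identity's key; anything
    else shows up as the challenge prompt described in the thread."""
    expected = MACHINE_ACCOUNT if pool_identity == NETWORK_SERVICE else pool_identity
    holders = resolve(build_index(registrations), "HTTP", host)
    if len(holders) != 1:
        return f"broken: {len(holders)} account(s) hold HTTP/{host}"
    if holders[0] != expected:
        return f"mismatch: ticket for {holders[0]}, pool runs as {expected}"
    return "ok"

# Ethem's step 9: HTTP/servername now belongs to the domain account, so a Network
# Service pool on the same host name receives a ticket it cannot decrypt.
AFTER_SETSPN = {MACHINE_ACCOUNT: ["HOST/servername", "HOST/servername.domain.com"],
                "DOMAIN\\newaccountname": ["HTTP/servername", "HTTP/servername.domain.com"]}
# Ken's alternative: one FQDN per identity; HTTP/servername is left unregistered and
# falls back to the computer account's HOST/ entry, so both pools authenticate.
SEPARATE_FQDN = {MACHINE_ACCOUNT: ["HOST/servername", "HOST/servername.domain.com"],
                 "DOMAIN\\newaccountname": ["HTTP/app2.domain.com"]}
```

Running check_pool over AFTER_SETSPN reproduces the symptom (domain pool "ok", Network Service pool "mismatch"), while SEPARATE_FQDN gives "ok" for both; find_duplicates flags the case where the same HTTP/ SPN is added to two accounts, which breaks Kerberos outright.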