userPrincipalName with IIS security?

• Previous message: kingda: "ActiveX component can't create object: Scripting:FileSystemObject"
• Next in thread: David Wang [Msft]: "Re: userPrincipalName with IIS security?"
• Reply: David Wang [Msft]: "Re: userPrincipalName with IIS security?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 16 Sep 2005 12:11:13 +0100

Hi all, I have an odd issue...

I have an IIS 6 server (actually running Exchange OWA) and two users, one of
whom is allowed full access and the other is denied all access. The denied
user is a member of domains admins and exchange admins, and can log onto a
mailbox fine using Outlook but not with OWA, the allowed user is just a
normal domain user but can access their mailbox in OWA no problem.

Looking through the AD properties of the two users, I found the only
distinction (apart from one being more administrative) is that the allowed
user has a 'userPrincipalName' set whereas the failing user doesn't. Is
there any configuration setting that might be in force on IIS that might
cause this to happen?

I'm aware that userPrincipalName is used for Kerberos authentication, but
not sure what happens if a user doesn't have one (I've done the same thing
in other environments for users without a userPrincipalName many times).
Could it be that the IIS/OWA configuration is disallowing NTLM as its
'integrated' authentication method, so forcing Kerberos and that's failing?

I've looked around the other configuration options, and can see nothing that
would explain why one user would connect and the other be refused.

Any ideas?
Thanks,
Dave

• Previous message: kingda: "ActiveX component can't create object: Scripting:FileSystemObject"
• Next in thread: David Wang [Msft]: "Re: userPrincipalName with IIS security?"
• Reply: David Wang [Msft]: "Re: userPrincipalName with IIS security?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]