Re: Service principal name (SPN) / Active Directory Problem



You should not add SPNs unless there is a need to do so.

Firstly, what are the relevant log file entries for the requests in question
(assuming IIS 6.0)?

Secondly, after you disable "Show Friendly HTTP Errors" in IE, and reload
the page, what is the full error message you see on the screen? 403 errors
can occur for lots of reasons - we need to find out which one is the real
underlying cause.

Basically an SPN (Service Principal Name) allows Kerberos Authentication to
work - it allows Active Directory to create service tickets for particular
services, and allows the remote service to decrypt the ticket. However,
adding additional SPNs can also break Kerberos AuthN, because Active
Directory does not know who the end user account is. So, don't add any
unless necessary.

Cheers
Ken

"RCarbol" <rcarbol@xxxxxxxxxxxxx> wrote in message
news:74CC07B1-C59B-4299-956A-70C6A494E2FE@xxxxxxxxxxxxxxxx
I'm having problems getting a web application working -- it's throwing a
403 error.

I ran AuthDiag to determine what was wrong, and it's giving me the message:

Service principal name (SPN) for user 'DOMAIN\MACHINE_asp' not found in
Active Directory

Is there something I can run (preferably from the command line) to add this
MACHINE_asp user into Active Directory?

--
Thanks.
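
Added example (not part of the original thread): one way to check for the failure mode mentioned in the reply, where an extra SPN breaks Kerberos, here taken to be the same SPN registered on more than one account. It assumes the accounts' servicePrincipalName values have been exported as LDIF text; the sample data, domain, account names and function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in LDIF layout (dn + servicePrincipalName lines).
# All hosts and accounts are made up for this example.
SAMPLE_LDIF = """\
dn: CN=WEB01,OU=Servers,DC=example,DC=test
servicePrincipalName: HOST/web01.example.test
servicePrincipalName: HOST/WEB01

dn: CN=svc_apppool,OU=Service Accounts,DC=example,DC=test
servicePrincipalName: HTTP/intranet.example.test

dn: CN=svc_legacy,OU=Service Accounts,DC=example,DC=test
servicePrincipalName: http/INTRANET.example.test
servicePrincipalName: HTTP/reports.example.test
"""

def parse_spns(ldif_text):
    """Return {account DN: [SPN, ...]}.

    Assumes plain, unfolded 'attr: value' lines; base64 ('attr::')
    values and folded lines are not handled in this example.
    """
    accounts, dn = {}, None
    for line in ldif_text.splitlines():
        if not line.strip():          # blank line ends the current entry
            dn = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
            accounts[dn] = []
        elif key == "serviceprincipalname" and dn is not None:
            accounts[dn].append(value)
    return accounts

def find_duplicate_spns(accounts):
    """Return {spn (lower-cased): [DNs]} for SPNs held by 2+ accounts."""
    owners = defaultdict(set)
    for dn, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].add(dn)   # SPN matching is case-insensitive
    return {s: sorted(d) for s, d in owners.items() if len(d) > 1}

if __name__ == "__main__":
    for spn, dns in find_duplicate_spns(parse_spns(SAMPLE_LDIF)).items():
        print(f"duplicate SPN {spn}: " + "; ".join(dns))
```

Any SPN this reports should be left on only the account the service actually runs as.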

