Re: integrated authentication
- From: "Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 25 May 2006 16:18:13 +1000
Hi,
a) In Internet Explorer, you will need to add app.mydomain.com to Internet
Explorer's local Intranet security zone. IE will not attempt Kerberos
authentication to websites in the Internet security zone.
b) You will also need to ensure that all web applications underneath
app.mydomain.com are run in web app pools with the Domain\MyUserApp user
context.
c) You will also need to check that the user accounts (for the users who are
authenticating) in question are not marked as "sensitive and non
delegatable" in Active Directory.
Cheers
Ken
"Frédéric de Thysebaert" <frdt@xxxxxxxxxxxxxx> wrote in message
news:uarDPFzfGHA.1456@xxxxxxxxxxxxxxxxxxxxxxx
Yes, I think that's right for me...
To do this I have checked the delegation check box on the General tab of
the computer object in AD. Is that right?
Thanks
"Robert Ginsburg" <robert.ginsburg@xxxxxxxx> wrote in message
news: eNRxU2yfGHA.4900@xxxxxxxxxxxxxxxxxxxxxxx
Have you configured the server as trusted for Kerberos delegation?
"Frédéric de Thysebaert" <frdt@xxxxxxxxxxxxxx> wrote in message
news:OcgmL0vfGHA.1520@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
I have an intranet ASP application running on IIS6, with data on a SQL
Server running on another computer (the two servers are member servers of
our Active Directory domain). Access to the data is based on the user
account that connects to the IIS application.
The application is running on port 80 with a host header of
app.mydomain.com (other applications are running on port 80 without a
host header).
The application runs in an application pool with a domain account from
Active Directory.
With basic authentication, the user can launch the application and has
access to the data. (I use impersonate = true in the web.config file.)
I am now trying to activate integrated authentication, but nothing is
working. I always get a popup asking for user and password, and the same
user account can't access the application.
Following the documentation, I set an SPN for the identity running the
application pool with the setspn tool, using the syntax setspn -A
HTTP/app.mydomain.com mydomain\myuserapp
I set the NTAuthenticationProviders to "Negociate,NTLM" within the
right virtual directory, using the script adsutil.vbs.
I restarted the IIS server (iisreset).
Using the authentication & diagnostic tools from Microsoft on the web
server and verifying Kerberos security, I just see " Service principal
name (SPN) for user mydomain\myuserapp' not found in Active Directory"
but with adsiedit on the same account I have an SPN set. It's the only
trace I have to debug my authentication problem.
Do you have any ideas?
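
The directory-side prerequisites raised in this thread (SPN registration, delegation trust, and the "sensitive" flag on user accounts) can be checked read-only from PowerShell. This is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module is available, and the computer name WEBSRV01 and user jdoe are hypothetical placeholders.

```powershell
# Added example: read-only checks for the Kerberos delegation prerequisites
# discussed in this thread. Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

$Spn         = 'HTTP/app.mydomain.com'   # SPN from the thread
$PoolAccount = 'myuserapp'               # app pool identity from the thread
$WebServer   = 'WEBSRV01'                # hypothetical web server computer name
$TestUser    = 'jdoe'                    # hypothetical end-user account

# 1. The SPN must be registered on exactly one object, and that object must be
#    the account the application pool runs as. A missing or duplicated SPN
#    makes the client fall back to NTLM or prompt for credentials.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName)
if ($owners.Count -eq 0) {
    Write-Warning "$Spn is not registered on any account"
} elseif ($owners.Count -gt 1) {
    Write-Warning "$Spn is duplicated on: $($owners.sAMAccountName -join ', ')"
} elseif ($owners[0].sAMAccountName -ne $PoolAccount) {
    Write-Warning "$Spn is registered on $($owners[0].sAMAccountName), not $PoolAccount"
} else {
    Write-Output "OK: $Spn is registered only on $PoolAccount"
}

# 2. Show the delegation settings of both the app pool account and the web
#    server's computer object, so it is clear which one carries the trust.
$props  = 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
$select = 'SamAccountName', 'TrustedForDelegation', 'TrustedToAuthForDelegation',
          @{ Name = 'AllowedToDelegateTo'; Expression = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
Get-ADUser     -Identity $PoolAccount -Properties $props | Select-Object $select
Get-ADComputer -Identity $WebServer   -Properties $props | Select-Object $select

# 3. A user flagged "Account is sensitive and cannot be delegated" cannot have
#    credentials forwarded from IIS to SQL Server.
$user = Get-ADUser -Identity $TestUser -Properties AccountNotDelegated
if ($user.AccountNotDelegated) {
    Write-Warning "$TestUser is marked sensitive and cannot be delegated"
} else {
    Write-Output "OK: $TestUser can be delegated"
}
```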