Re: Service principal name (SPN) / Active Directory Problem
- From: "Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 31 May 2006 15:00:20 +1000
Hi,
Thanks for the information.
At the very least:
You will need to register SPNs for HTTP/servername and
HTTP/servername.domain.com under the Domain\WebTest3_asp account.
Alternatively you can register the HOST/servername and
HOST/servername.domain.com SPNs.
You can use the SetSPN tool from the Windows Resource Kit to do this:
http://support.microsoft.com/kb/892777
Or you can use ADSIEdit.msc (this is a GUI tool, if you prefer to be able to
see the current SPNs, and just copy the relevant information across):
http://technet2.microsoft.com/WindowsServer/en/Library/ebca3324-5427-471a-bc19-9aa1decd3d401033.mspx?mfr=true
Note: All web applications residing at the location http://servername must
be running in one (or more) app pools that have the same identity
(WebTest3_asp). You can't have apps running in app pools with different
identities (e.g. http://servername/app1 -> WebTest3_asp, and
http://servername/webapp2 running in an app pool under Network Service).
The two events that you see are logon/logoff failure auditing events. You
should have got more events related to Kerberos issues (did you restart the
box after setting the reg key?)
Cheers
Ken
<rcarbol@xxxxxxxx> wrote in message
news:1149006824.105733.277650@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Ken Schaefer wrote:
a) The URL that is being used to access the web page - are you using
http://servername or http://servername.domain.com? Or are you using some
kind of DNS alias?
We're using http://servername within an intranet. Does it make a
difference?
b) The website's web application pool: what user context is it being run
under? Is it Network Service? Or a custom user context?
I think it must be some custom user; the Identity is set to an account
of the form
[domain]\webtest3_asp
c) Lastly, can you enable Kerberos logging on the IIS box, and post the
relevant event log entries? Thanks
http://support.microsoft.com/?id=262177
Done. Two events reported when I tried to hit the website:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 2006/05/30
Time: 10:22:43 AM
User: NT AUTHORITY\SYSTEM
Computer: WEBTEST3
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: [domain]/[my account]
Source Workstation: VE657818
Error Code: 0xC0000064
.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 2006/05/30
Time: 10:22:43 AM
User: NT AUTHORITY\SYSTEM
Computer: WEBTEST3
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: [domain]/[my account]
Domain:
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: VE657818
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 142.15.48.132
Source Port: 2384
Thanks,
Roger
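
The SPN registration described in the reply above, as an added PowerShell example that is not part of the original thread. It checks Active Directory for an existing holder of each SPN before calling SetSPN, because an SPN registered on two accounts also breaks Kerberos. `DOMAIN`, `servername` and `domain.com` are the thread's placeholders; the script assumes a domain-joined machine with PowerShell, setspn.exe on the path, and rights to write the account's servicePrincipalName attribute.

```powershell
# Added example. Replace the placeholders with real values before running.
$Account = 'DOMAIN\WebTest3_asp'          # app pool identity from the thread
$Spns    = 'HTTP/servername', 'HTTP/servername.domain.com'
$Sam     = $Account.Split('\')[1]         # sAMAccountName part of the account

foreach ($spn in $Spns) {
    # Find every object in the current domain that already holds this SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $holders = @($searcher.FindAll() |
        ForEach-Object { $_.Properties['samaccountname'][0] })

    if ($holders -contains $Sam) {
        Write-Host "$spn is already registered on $Sam"
    }
    elseif ($holders.Count -gt 0) {
        # Registering it again would create a duplicate SPN.
        Write-Warning "$spn is held by: $($holders -join ', '). Remove it there first."
    }
    else {
        setspn -A $spn $Account
    }
}

# Show the SPNs now registered on the app pool account.
setspn -L $Account
```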