Re: Credentials not passed on when using ASP.NET



I thought I had set up an spn using the setspn utility. I did the following
according to http://support.microsoft.com/default.aspx?scid=kb;en-us;871179
In my application pool, I set the Identity to a domain user,
MyDomain\SvcAcct

Added the user, MyDomain\SvcAcct to the IIS_WPG group

As the domain administrator, I ran Setspn on ServerA. When this didn't
work, I repeated it on the Primary Domain Controller of the domain and that
didn't work either. How I ran the command is listed below:

Setspn -A HTTP/<netbios name> MyDomain\SvcAcct

Have I made a mistake when setting up my spn?

Thanks,

Jennifer

"Consultant" <consultant_mcngp@xxxxxxxxx> wrote in message
news:OzmqwgGpGHA.4208@xxxxxxxxxxxxxxxxxxxxxxx
you need to set up an spn for it

"Jay-nospam" <jaynospam@xxxxxxxxxxxxxx> wrote in message
news:9qKdncjhL6_2JC_ZnZ2dnUVZ_s2dnZ2d@xxxxxxxxxxx
Hi there,

I am having trouble getting an ASP.NET web application to connect to
another computer and pass the proper credentials and I hope someone
can help me.

I have a stand-alone Windows 2003 Server, ServerA, running as a Web
Server that uses ASP.NET. The default.aspx file tries to access a file in
a share on another computer, ServerB. ServerA and ServerB are on the same
domain and are both running Windows 2003 Server.



The Domain Controller is running Windows 2000 Server. I want to use
Integrated Windows Authentication to access the file. When I connect to
the Web site and then check the event viewer on ServerB, I can see that
ServerA is using the Anonymous Logon to connect to ServerB instead of
passing through my windows credentials. On ServerA, I have done the
following:



In IIS, set the authentication to Integrated Windows Authentication and
deselected Allow Anonymous logon

Did the following according to
http://support.microsoft.com/default.aspx?scid=kb;en-us;871179

In my application pool, I set the Identity to a domain user,
MyDomain\SvcAcct

Added the user, MyDomain\SvcAcct to the IIS_WPG group

As the domain administrator, I ran Setspn on ServerA. When this didn't
work, I repeated it on the Primary Domain Controller of the domain and
that didn't work either. How I ran the command is listed below:

Setspn -A HTTP/<netbios name> MyDomain\SvcAcct



Then I followed the instructions at
http://technet2.microsoft.com/WindowsServer/en/Library/b207ee9c-a055-43f7-b9be-20599b694a311033.mspx?mfr=true
and on the Primary Domain Controller of the domain I also went into
Active Directory Services Users and Groups and selected the "Trust this
computer for delegation" option for ServerA and I also followed the
instructions at
http://technet2.microsoft.com/WindowsServer/en/Library/91a98c38-38c5-49dc-83bf-e69d8e1dbbfa1033.mspx?mfr=true
and I selected the "Account is trusted for delegation" option for the
MyDomain\SvcAcct user.

Following http://support.microsoft.com/kb/215383/, on ServerA, I ran the
following:



Cscript adsutil.vbs set w3svc/1/NTAuthenticationProviders "Negotiate,NTLM"

I signed in to my client computer as MyDomain\UserA

In IE 6.0, on the client computer, as instructed in
http://support.microsoft.com/kb/810572/, I selected the "Enable
Integrated Windows Authentication (requires restart)" option on the
Advanced tab and then cleared my cache and closed my IE 6.0 session and
started another.



In my web.config file for the website, I added the following line after
the </authorization> closing tag:

<identity impersonate="true" />



When I connect to the Website on ServerA from the client computer, I am
not prompted for credentials and that is what I would expect. When I turn
on auditing, I can also see that UserA is accessing the default.aspx file
for the Website and that is also what I would expect. However, the event
viewer on ServerB shows that the Anonymous Logon is what is being used to
connect to it.



When I run the Auth Diagnostics 1.0 tool from Microsoft that is referred
to in http://support.microsoft.com/default.aspx?scid=kb;en-us;871179 on
my Website on ServerA, I see the message, "Service Principal name (SPN)
for user 'MyDomain\SvcAcct' not found in Active Directory"

Anything I see on the Internet says to run Setspn for this problem but we
have done this. Am I doing something wrong when I do this? Is there
another reason why the credentials are not being passed on?

When I try this with a straight html file, I am able to access the file.



What am I doing wrong?



Thanks,



Jennifer







