Re: IIS6/Kerberos/Application Pools/Integrated Security...



Hi,

Kerberos can work in an NLB scenario. However, similar rules apply to a single server situation:
a) IIS must be able to decrypt the service ticket. Since you don't know which server the request will end up with, you need to use a domain user account to run the web app pool, not a machine-specific account (LocalSystem, Network Service, etc.)

b) ensure you don't have duplicate SPNs registered (e.g. if you added an SPN under a user account, ensure that it's not registered under the machine account)

c) an SPN incorporates all the resources at a FQDN (e.g. www.yourapplication.com). You cannot have different parts of that web application in different web app pools that run under different user accounts (e.g. /myApp1 and /myApp2 run under different accounts), because the DC doesn't know which account's password to encrypt the service ticket with.

See:
IIS and Kerberos Part 1 - What is Kerberos and how does it work?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/19/512.aspx

IIS and Kerberos Part 2 - What are Service Principal Names?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx

IIS and Kerberos Part 3 - A simple scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/16/1054.aspx

IIS and Kerberos Part 4 - A simple delegation scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/27/1282.aspx

Cheers
Ken
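Added example, not part of Ken's reply or of any Microsoft tool: a small Python check for rules (b) and (c) above. It takes the text that `setspn -L <account>` prints for each account (constructed sample below, not output from a real domain) plus a constructed map of host header to app pool identities, and reports SPNs registered on more than one account, HTTP SPNs sitting on a machine account, and host names whose applications run under more than one pool identity.

```python
from collections import defaultdict

# Constructed sample of `setspn -L <account>` output (not from a real domain).
# WEB01$ also holds the HTTP SPN, which is the rule (b) mistake Ken describes.
SETSPN_OUTPUT = {
    "CORP\\svc_app1": "Registered ServicePrincipalNames for CN=svc_app1,OU=Svc,DC=corp,DC=example:\n"
                      "    HTTP/www.yourapplication.com\n    HTTP/www\n",
    "CORP\\svc_app2": "Registered ServicePrincipalNames for CN=svc_app2,OU=Svc,DC=corp,DC=example:\n"
                      "    HTTP/intranet.corp.example\n",
    "CORP\\WEB01$":   "Registered ServicePrincipalNames for CN=WEB01,OU=Web,DC=corp,DC=example:\n"
                      "    HOST/WEB01\n    HTTP/www.yourapplication.com\n",
}

# Constructed sample: host header -> {application path -> app pool identity}.
# /myApp1 and /myApp2 on one FQDN under different accounts is the rule (c) case.
APP_POOLS = {
    "www.yourapplication.com": {"/myApp1": "CORP\\svc_app1", "/myApp2": "CORP\\svc_app2"},
    "intranet.corp.example":   {"/": "CORP\\svc_app2"},
}

def parse_setspn(text):
    """Return the SPNs listed by `setspn -L`, lower-cased (SPN matching is case-insensitive)."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.startswith((" ", "\t")) and "/" in ln]

def duplicate_spns(outputs):
    """Rule (b): SPNs registered on more than one account, mapped to those accounts."""
    owners = defaultdict(set)
    for account, text in outputs.items():
        for spn in parse_setspn(text):
            owners[spn].add(account)
    return {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}

def machine_account_http_spns(outputs):
    """Rule (b), machine-account case: HTTP SPNs held by an account whose name ends in '$'."""
    found = {}
    for account, text in outputs.items():
        http = [s for s in parse_setspn(text) if s.startswith("http/")]
        if account.endswith("$") and http:
            found[account] = http
    return found

def mixed_identity_hosts(app_pools):
    """Rule (c): host names whose applications run under more than one pool identity."""
    return {host: sorted(set(paths.values()))
            for host, paths in app_pools.items() if len(set(paths.values())) > 1}

if __name__ == "__main__":
    print("duplicate SPNs:", duplicate_spns(SETSPN_OUTPUT))
    print("HTTP SPNs on machine accounts:", machine_account_http_spns(SETSPN_OUTPUT))
    print("hosts with mixed pool identities:", mixed_identity_hosts(APP_POOLS))
```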

"kevindk" <kevindk@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:FA2E940A-3F3B-4559-A1C2-A8EB67ECC5E6@xxxxxxxxxxxxxxxx
So after some serious "fun" trying to get Kerberos to work for me I think I
have determined that my configuration is going to require NTLM. Here's the
situation. We have a load balanced server farm backed by 3 different
servers, say A, B, and C. Each of these servers is configured via host
headers to respond to say domain.com, use only IWA, and hosts several
application pools running with different domain accounts for different
applications to use.

I've tried adding SPNs, but to no avail. So I configured IIS to only
respond to NTLM authentication requests and things have started to work. My
question is this: in this setup is NTLM the only configuration available to
me, or am I missing some other setting or scenario?



