Re: KDC Service Account
- From: Tony Holm <TonyHolm@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 21 May 2007 10:09:00 -0700
"Ken Schaefer" wrote:
"Tony Holm" <Tony Holm@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:055A66D8-2194-4DA3-8015-422731FFDC71@xxxxxxxxxxxxxxxx
I am trying to configure OWA with patch for KB 920209 to enable Smart Card
login to OWA.
Part of the KB is creating a KDC Service Account, which appears to require
using "setspn". The examples leave LOTS to be desired.
Do I run setspn on the OWA server or domain controller?
One of the command line options is the "computername". Is this the OWA
server or Domain Contoller name?
SetSPN can be run on any computer. SetSPN makes changes to AD attributes for
the specified computername (i.e. you run it anywhere, it connects to a DC,
and makes the changes specified)
When you use SetSPN, you specify the Service Principal Name you wish to
register (whether that be under a computer account or user account).
The following may help shed some light:
IIS and Kerberos Part 1 - What is Kerberos and how does it work?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/19/512.aspx
IIS and Kerberos Part 2 - What are Service Principal Names?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx
IIS and Kerberos. Part 3 - A simple scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/16/1054.aspx
IIS and Kerberos Part 4 - A simple delegation scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/27/1282.aspx
Cheers
Ken
--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Ken,
While your articles are very informative and written in low enough english
for me to understand, I still can't get it to work.
Situation:
Domain is MYCOMPANY.COM (MYCOMPANY)
Exchange server is CMAIL
Exchange front-end server is FMAIL
KDC service account is C.KDC
Completed steps in MS KB 920209
- Created user account C.KDC
- In GPO set account for "Enable computers and user accounts to be trusted
for delegation"
- Set Exchange/IIS settings for Integrated Authentication
- Added site to "Intranet Zone" and turned on Integrated Authentication in IE
I tried the following SETSPN lines:
SETSPN -A HTTP/FMAIL MYCOMPANY\C.KDC
SETSPN -A HTTP/WEBMAIL.MYCOMPANY.COM MYCOMPANY\C.KDC
Nothing works yet. FMAIL keeps prompting me for username and password.
When I type them in it still doesn't work. After 3 tries it says "Error:
Access is Denied"
Tony
.
- Follow-Ups:
- Re: KDC Service Account
- From: Ken Schaefer
- Re: KDC Service Account
- Prev by Date: Session timeout is quicker than i expecting IN ASP 3.0. Please, check this out
- Next by Date: RPC Server not Available Error
- Previous by thread: Session timeout is quicker than i expecting IN ASP 3.0. Please, check this out
- Next by thread: Re: KDC Service Account
- Index(es):
Relevant Pages
|
