Re: KDC Service Account
- From: "Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 26 May 2007 00:57:41 +1000
Hi,
I'm not sure what you mean by "KDC service account" - the KDC runs inside LSASS on your domain controllers. It is always run as LocalSystem.
Are you talking about the web application pool user identity on your FMAIL server?
Cheers
Ken
"Tony Holm" <TonyHolm@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:37000925-9C66-43D0-B88D-28C8FEEC5EA2@xxxxxxxxxxxxxxxx
"Ken Schaefer" wrote:
"Tony Holm" <TonyHolm@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:055A66D8-2194-4DA3-8015-422731FFDC71@xxxxxxxxxxxxxxxx
> I am trying to configure OWA with patch for KB 920209 to enable Smart Card
> login to OWA.
>
> Part of the KB is creating a KDC Service Account, which appears to require
> using "setspn". The examples leave LOTS to be desired.
>
> Do I run setspn on the OWA server or domain controller?
> One of the command line options is the "computername". Is this the OWA
> server or Domain Controller name?
SetSPN can be run on any computer. SetSPN makes changes to AD attributes for
the specified computername (i.e. you run it anywhere, it connects to a DC,
and makes the changes specified)
When you use SetSPN, you specify the Service Principal Name you wish to
register (whether that be under a computer account or user account).
The following may help shed some light:
IIS and Kerberos Part 1 - What is Kerberos and how does it work?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/19/512.aspx
IIS and Kerberos Part 2 - What are Service Principal Names?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx
IIS and Kerberos. Part 3 - A simple scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/16/1054.aspx
IIS and Kerberos Part 4 - A simple delegation scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/27/1282.aspx
Cheers
Ken
--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Ken,
While your articles are very informative and written in low enough English
for me to understand, I still can't get it to work.
Situation:
Domain is MYCOMPANY.COM (MYCOMPANY)
Exchange server is CMAIL
Exchange front-end server is FMAIL
KDC service account is C.KDC
Completed steps in MS KB 920209
- Created user account C.KDC
- In GPO set account for "Enable computers and user accounts to be trusted
for delegation"
- Set Exchange/IIS settings for Integrated Authentication
- Added site to "Intranet Zone" and turned on Integrated Authentication in IE
I tried the following SETSPN lines:
SETSPN -A HTTP/FMAIL MYCOMPANY\C.KDC
SETSPN -A HTTP/WEBMAIL.MYCOMPANY.COM MYCOMPANY\C.KDC
Nothing works yet. FMAIL keeps prompting me for username and password.
When I type them in it still doesn't work. After 3 tries it says "Error:
Access is Denied"
Tony
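The symptom Tony describes (repeated credential prompts ending in "Access is Denied") is the behaviour you see when the browser cannot obtain a Kerberos ticket for the site and falls back to prompting, and the first thing to rule out is the SPN registration itself: an HTTP SPN that is missing, or registered on more than one account, breaks Kerberos for that name. The following PowerShell is an added diagnostic example, not code from the thread or from Microsoft; it assumes the SPN and domain names Tony posted, and that it is run from any domain-joined machine as an ordinary domain user.

```powershell
# Added example (not from the thread): verify that each HTTP SPN Tony registered
# resolves to exactly one account in Active Directory. Names are taken from the
# thread; any domain-joined machine can run this, since the search goes to a DC.
$spns = @('HTTP/FMAIL', 'HTTP/WEBMAIL.MYCOMPANY.COM')

foreach ($spn in $spns) {
    # Equality match on the multi-valued servicePrincipalName attribute
    $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
    $searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'sAMAccountName'))
    $hits = $searcher.FindAll()

    switch ($hits.Count) {
        0 {
            Write-Warning "$spn is not registered on any account; clients cannot get a Kerberos ticket for it"
        }
        1 {
            # Healthy case: one SPN, one owner. This owner must also be the
            # identity the web application pool on FMAIL runs as.
            Write-Output ("{0} -> {1}" -f $spn, $hits[0].Properties['samaccountname'][0])
        }
        default {
            Write-Warning "$spn is registered on $($hits.Count) accounts (duplicate SPN); Kerberos will fail for it:"
            foreach ($hit in $hits) {
                Write-Warning ("  " + $hit.Properties['distinguishedname'][0])
            }
        }
    }
}
```

`setspn -L MYCOMPANY\C.KDC` shows the same information from the account's side, and newer builds of setspn have a `-X` switch that reports duplicates forest-wide. If each SPN comes back with exactly one owner, the next thing to check is Ken's question above: the application pool on FMAIL must run as the account that owns the SPN, otherwise the service cannot decrypt the tickets clients present.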