Re: Delegation / IIS6 / share located on another computer
- From: "Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 7 Jun 2007 21:17:46 +1000
Hi,
Can you look in the Security Event log of the webserver, and verify that the client is actually authenticating using Kerberos (and not NTLM)?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/08/02/194.aspx has screenshots of what you are looking for.
Cheers
Ken
"J Talbot" <talbotj123@xxxxxxxxx> wrote in message news:4667cf7a$0$5362$9a6e19ea@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks Ken for your interesting articles which certainly make the process much clearer. However, after reading through :
1) The IE client has "Enable IWA" turned on. SERVER B is in the Local Intranet zone and I have "Automatic logon only in Intranet Zone" enabled.
2) from reading your articles I was under the impression that SPN for IIS is correctly set if the application group is running as Network Service - which it already is.
I have also turned Kerberos logging on for both servers but no errors are showing in Event Viewer | System
Thanks
JT
"Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx> wrote in message news:eJi0btLqHHA.4132@xxxxxxxxxxxxxxxxxxxxxxxIIS and Kerberos Part 1 - What is Kerberos and how does it work?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/19/512.aspx
IIS and Kerberos Part 2 - What are Service Principal Names?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx
IIS and Kerberos. Part 3 - A simple scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/16/1054.aspx
IIS and Kerberos Part 4 - A simple delegation scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/27/1282.aspx
You need to verify that IE is configured correctly
You need to ensure that an SPN for CIFS is correctly set
You need to ensure that the client is using Kerberos to authenticate to IIS (because you choose the "trust this computer to delegate to any service" - this procludes Protocol Transition)
Cheers
Ken
"J Talbot" <talbotj123@xxxxxxxxx> wrote in message news:4666c503$0$10210$9a6e19ea@xxxxxxxxxxxxxxxxxxxxxxxxxxxxHi
I have read a lot of articles on how to configure delegation correctly to enable me to use IWA to gain access to an IIS site which is based on a shared folder located on another computer in the domain but it doesn't let me in and was wondering if someone knew why. This is a pure 2003 domain.
I have setup the following :
SERVER A (the domain controller) - has the shared folder
SERVER B has the virtual folder setup in IIS that is pointing to the share located on another computer (i..e. \\SERVERA\share\ - For the directory security I have anonymous access off and IWA turned on. I also have "Read" and "Directory browsing" turned on. The folder itself has Everyone full permissions.
In Active Directory I have set Delegation for SERVER B to "Trust this computer to delegation for any service".
However, when I go to site on SERVER B (logged in as domain admin) I am asked for manual login - attempting to login as Domain Admin I just get asked repeatedly until I get a 401.3 - Access denied error.
Are there any other steps I need to take for this to work ?
Thanks
JT
.
- References:
- Delegation / IIS6 / share located on another computer
- From: J Talbot
- Re: Delegation / IIS6 / share located on another computer
- From: Ken Schaefer
- Delegation / IIS6 / share located on another computer
- Prev by Date: Re: Delegation / IIS6 / share located on another computer
- Next by Date: Re: Changing user for App Pool in IIS6
- Previous by thread: Re: Delegation / IIS6 / share located on another computer
- Next by thread: Re: Delegation / IIS6 / share located on another computer
- Index(es):
Relevant Pages
|
