Re: Delegation / IIS6 / share located on another computer



Hi,

Can you look in the Security Event log of the webserver, and verify that the client is actually authenticating using Kerberos (and not NTLM)?

http://www.adopenstatic.com/cs/blogs/ken/archive/2006/08/02/194.aspx has screenshots of what you are looking for.

Cheers
Ken

"J Talbot" <talbotj123@xxxxxxxxx> wrote in message news:4667cf7a$0$5362$9a6e19ea@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks, Ken, for your interesting articles, which certainly make the process much clearer. However, after reading through:

1) The IE client has "Enable IWA" turned on. SERVER B is in the Local Intranet zone and I have "Automatic logon only in Intranet Zone" enabled.
2) From reading your articles I was under the impression that the SPN for IIS is correctly set if the application group is running as Network Service, which it already is.

I have also turned Kerberos logging on for both servers, but no errors are showing in Event Viewer | System.

Thanks

JT


"Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx> wrote in message news:eJi0btLqHHA.4132@xxxxxxxxxxxxxxxxxxxxxxx
IIS and Kerberos Part 1 - What is Kerberos and how does it work?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/19/512.aspx

IIS and Kerberos Part 2 - What are Service Principal Names?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx

IIS and Kerberos. Part 3 - A simple scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/16/1054.aspx

IIS and Kerberos Part 4 - A simple delegation scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/27/1282.aspx

You need to verify that IE is configured correctly.
You need to ensure that an SPN for CIFS is correctly set.
You need to ensure that the client is using Kerberos to authenticate to IIS (because you chose "trust this computer to delegate to any service", this precludes Protocol Transition).

Cheers
Ken


"J Talbot" <talbotj123@xxxxxxxxx> wrote in message news:4666c503$0$10210$9a6e19ea@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi

I have read a lot of articles on how to configure delegation correctly to enable me to use IWA to gain access to an IIS site which is based on a shared folder located on another computer in the domain, but it doesn't let me in, and I was wondering if someone knew why. This is a pure 2003 domain.

I have set up the following:

SERVER A (the domain controller) - has the shared folder
SERVER B has the virtual folder set up in IIS that is pointing to the share located on another computer (i.e. \\SERVERA\share\). For the directory security I have anonymous access off and IWA turned on. I also have "Read" and "Directory browsing" turned on. The folder itself has Everyone full permissions.

In Active Directory I have set Delegation for SERVER B to "Trust this computer for delegation to any service".

However, when I go to the site on SERVER B (logged in as domain admin) I am asked for a manual login; attempting to log in as Domain Admin, I just get asked repeatedly until I get a 401.3 Access Denied error.

Are there any other steps I need to take for this to work?

Thanks

JT
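Added example (not posted by anyone in this thread): a PowerShell script that performs two of the checks Ken asks for on the web server, listing the SPNs registered on the two computer accounts with setspn and then reading the Security log to report whether each network logon arrived over Kerberos or NTLM. The computer names SERVERA and SERVERB come from the thread; everything else (the use of Get-WinEvent, which needs Vista/2008 or later, the regular expressions over the event message text, and the event IDs 540 and 4624) is this example's own assumption and should be adjusted for the machine in front of you.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the IIS box (SERVER B).
# Assumes setspn.exe is on the path and that successful network logons are recorded in the
# Security log as event 540 (Windows 2003) or 4624 (2008 and later).
param(
    [string]$WebServer  = "SERVERB",   # IIS computer account; HOST/ covers HTTP/ when the pool runs as Network Service
    [string]$FileServer = "SERVERA",   # share host; the cifs/ SPN is also covered by its HOST/ entry
    [int]$MaxEvents = 200
)

# 1. Show the SPNs registered on each computer account so missing or duplicate entries are visible.
foreach ($acct in @($WebServer, $FileServer)) {
    Write-Host "SPNs registered on ${acct}:"
    & setspn.exe -L $acct
}

# 2. Pull recent successful logons and record the authentication package each one used.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @(540, 4624) } `
                       -MaxEvents $MaxEvents -ErrorAction Stop

$summary = foreach ($e in $events) {
    $msg = $e.Message
    # Keep only network logons (type 3); that is what an IWA request to IIS produces.
    if ($msg -notmatch 'Logon Type:\s+(\d+)' -or [int]$Matches[1] -ne 3) { continue }

    $pkg = if ($msg -match 'Authentication Package:\s+(\S+)') { $Matches[1] } else { 'unknown' }

    # 540 uses "User Name:", 4624 uses "Account Name:" twice (Subject, then New Logon); take the last hit.
    $nameHits = [regex]::Matches($msg, '(?:Account Name|User Name):\s+(\S+)')
    $user = if ($nameHits.Count -gt 0) { $nameHits[$nameHits.Count - 1].Groups[1].Value } else { 'unknown' }

    [pscustomobject]@{ Time = $e.TimeCreated; User = $user; Package = $pkg }
}

# Count how many network logons used each package.
$summary | Group-Object Package | Select-Object Name, Count | Format-Table -AutoSize

# The failure mode in this thread: the browser falls back to NTLM, and a server that is
# "trusted for delegation to any service" (no protocol transition) then cannot forward the
# user's identity to the file share. Call those logons out explicitly.
$ntlmOnly = $summary | Where-Object { $_.Package -eq 'NTLM' }
if ($ntlmOnly) {
    Write-Warning "NTLM network logons seen; Kerberos delegation will not work for these requests:"
    $ntlmOnly | Format-Table -AutoSize
}
```

If every logon for the test account shows NTLM, look first at the browser side (the site in the Local Intranet zone with IWA enabled) and at whether an HTTP SPN for the server name the browser actually types exists exactly once; if Kerberos shows up on SERVER B but the share still denies access, the remaining suspect is the CIFS/HOST SPN on SERVER A.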