Re: IIS 6 and Kerberos



There are simply too many unknowns here.


Following situation:
We have a W2003 domain (2 DCs), a W2003 R2 Server with MOSS 2007 and an additional W2003 R2 Server with MS SQL Server 2005.
The MOSS installation is set up so that the different services and functions use different user accounts, i.e. not everything is running under administrator as in most sample installations.
The virtual server on port 80 (sharepoint-80) is configured to use one web application with the identity SPadmin (domain account, member in local administrators group and admin in Sharepoint). The shared services for the Office Server virtual server run under SP_SSP (also a domain account).
On SQL Server a named instance works for MOSS (db/MOSS); Windows authentication is configured. The instance is running under a domain account (SQLMoss).
The authentication on IIS is set to negotiate and NTLM for the virtual server (sharepoint-80).
In the domain, the user SPadmin has the SPNs HOST/MOSSserver and HOST/MOSSserver.dom.de,
and the user SQLMoss has the SPNs MSSQLsvc/db:xyz and MSSQLsvc/db.dom.de:xyz. SQLMoss is allowed to write its own SPN, so the right port is set when the db instance starts.
No other SPNs are registered for those services.
The problem:
Access to MOSS works until the authentication provider is changed to Negotiate. A logon window appears, and after 3 attempts the message "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials" appears. The MOSS sites are all configured to use the local intranet zone in IE.
Are you missing more information?
Thanks for help!
Tobia



