Re: IIS 6 and Kerberos



Well, then it looks like Kerberos authN is failing. But you still haven't provided all the necessary details to check things.

Did you read my blog posts? The problem could be duplicate SPNs, or it could be that the user account that the service ticket is being generated for is not the user account you are using to host your service etc.

What you can do is enable Kerberos logging on each box in question (http://support.microsoft.com/?id=262177). Then you will get some kind of error in your event logs. If you are getting KRB_AP_ERR_MODIFIED then it's probably a principal mismatch.

Cheers
Ken
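Ken's two suggestions, checking for duplicate SPNs and turning on Kerberos logging (KB262177), as one PowerShell script. This is an added example, not code from the thread or from Ken. It assumes the names in Tobia's post (host MOSSserver, domain dom.de, accounts SPadmin and SQLMoss, SQL host db on port xyz) and an account that may edit the registry and query the directory; the point that IE requests an HTTP/ SPN which falls back to HOST/, and that HOST/<machine> is held by the computer account by default, is general Kerberos behaviour and not something the thread establishes for this setup.

```powershell
# Added example, not code from the thread. Assumes the names in Tobia's post
# (host MOSSserver, domain dom.de, accounts SPadmin and SQLMoss, SQL host "db"
# on port "xyz") and that it runs with rights to edit the registry and query AD.

# --- 1. Turn on Kerberos event logging (KB262177) on this box ---------------
# LogLevel = 1 makes the Kerberos client write errors such as KRB_AP_ERR_MODIFIED
# to the System event log. Set it back to 0 when the investigation is over.
$kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
if (-not (Test-Path $kerbKey)) { New-Item -Path $kerbKey -Force | Out-Null }
Set-ItemProperty -Path $kerbKey -Name LogLevel -Value 1 -Type DWord

# --- 2. Find every directory object holding a given SPN ---------------------
# The KDC encrypts a service ticket with the key of whichever account it finds
# for the SPN; if two accounts claim the same SPN, the IIS app pool may receive
# a ticket it cannot decrypt, which surfaces as KRB_AP_ERR_MODIFIED / 401.1.
function Find-SpnOwners {
    param([Parameter(Mandatory = $true)][string]$Spn)
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $searcher.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] }
}

# IE asks for HTTP/<host>; with no HTTP/ SPN the request falls back to HOST/,
# and HOST/<machine> is held by the computer account by default. Checking both
# classes shows whether SPadmin collides with the MOSSserver$ computer account.
$spnsToCheck = @(
    'HTTP/MOSSserver', 'HTTP/MOSSserver.dom.de',
    'HOST/MOSSserver', 'HOST/MOSSserver.dom.de',
    'MSSQLSvc/db:xyz', 'MSSQLSvc/db.dom.de:xyz'
)

foreach ($spn in $spnsToCheck) {
    $owners = @(Find-SpnOwners -Spn $spn)
    switch ($owners.Count) {
        0       { "{0,-28} not registered" -f $spn }
        1       { "{0,-28} {1}" -f $spn, $owners[0] }
        default { "{0,-28} DUPLICATE: {1}" -f $spn, ($owners -join ', ') }
    }
}

# --- 3. Read the latest Kerberos client errors after reproducing the 401 ----
# The message text of these events names the SPN and the account involved.
Get-EventLog -LogName System -Source Kerberos -EntryType Error -Newest 10 |
    Select-Object TimeGenerated, EventID, Message | Format-List
```

Run step 1 on the IIS box and the client, reproduce the logon prompt, then run step 3; step 2 can be run from any domain member. A line marked DUPLICATE is the first thing to resolve, and a HOST/ SPN listed under a user account next to the computer account is the case Ken's reply is pointing at.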

"Tobia" <tobiat@xxxxxx> wrote in message news:OH8b1C0ZIHA.5088@xxxxxxxxxxxxxxxxxxxxxxx
There are simply too many unknowns here.


Following situation:
We have a W2003 domain (2 DCs), a W2003 R2 Server with MOSS 2007 and an additional W2003 R2 Server with MS SQL Server 2005.
The MOSS installation is set up such that the different services and functions use different user accounts, i.e. not everything is running under administrator like in most sample installations.
The virtual server on port 80 (sharepoint-80) is configured to use one web application with the identity SPadmin (domain account, member of the local Administrators group and admin in SharePoint). The shared services for the Office Server virtual server run under SP_SSP (also a domain account).
On SQL Server a named instance works for MOSS (db/MOSS), windows authentication is configured. The instance is running under a domain account (SQLMoss).
The authentication on IIS is set to negotiate and NTLM for the virtual server (sharepoint-80).
In the domain the user SPadmin has the SPNs HOST/MOSSserver and HOST/MOSSserver.dom.de
and the user SQLMoss has the SPNs MSSQLsvc/db:xyz and MSSQLsvc/db.dom.de:xyz. SQLMoss is allowed to write its own SPN, so the right port is set when the db instance starts.
No other SPNs are registered for those services.
The problem:
Access to MOSS works until the authentication provider is changed to Negotiate. A logon window appears, and after 3 attempts it shows "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials". The MOSS sites are all configured to use the local intranet zone in IE.
Are you missing more information?
Thanks for help!
Tobia

