Re: IIS Kerberos Authentication issue;



Multiple SPNs can be set on the same account; however, multiple accounts
cannot have the same SPN. SPNs are registered in AD for an account. When
asking for a ticket, the KDC browses all accounts to find where the SPN is
located. If it finds none, or finds more than one, it won't return a ticket.

Create a new alias (FQDN), register it in DNS, create a new SPN with that
and finally set the WebSite Hostheader with that new alias.

Tiago Halm
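The steps above (DNS alias, SPN on the app-pool account, IIS host header), as an added PowerShell example that is not part of either post. It assumes a domain corp.example.com, IIS host IISMachine at 10.0.0.10, an alias wa2, the WA2 pool running as DA1 and an IIS site named WA2; the setspn switches and DnsServer/WebAdministration cmdlets are standard Windows tooling.

```powershell
# Added example (not from the thread). Assumed values:
$Domain    = 'corp.example.com'
$IisHost   = 'IISMachine'
$IisIp     = '10.0.0.10'
$Alias     = 'wa2'
$AliasFqdn = "$Alias.$Domain"
$PoolAcct  = 'DA1'          # identity of the WA2 app pool
$Site      = 'WA2'          # IIS site name for WA2

# 1. Diagnose: which account holds the HTTP SPNs for the machine name?
#    KRB_AP_ERR_MODIFIED means the client's ticket was issued for one
#    principal (DA1) but the listener (LocalService -> computer account)
#    cannot decrypt it with its own key.
setspn -Q "HTTP/$IisHost"
setspn -Q "HTTP/$IisHost.$Domain"

# 2. Report duplicate SPNs forest-wide; the KDC issues no ticket for an
#    SPN it finds on more than one account.
setspn -X

# 3. Take the machine-name HTTP SPNs off DA1 so WA1 (LocalService, which
#    relies on the computer account's implicit HOST/ SPN) works again.
setspn -D "HTTP/$IisHost" $PoolAcct
setspn -D "HTTP/$IisHost.$Domain" $PoolAcct

# 4. Publish the alias in DNS. An A record is used rather than a CNAME,
#    because some clients canonicalise a CNAME to the target host name and
#    would then request HTTP/IISMachine again instead of the alias SPN.
Add-DnsServerResourceRecordA -ZoneName $Domain -Name $Alias -IPv4Address $IisIp

# 5. Register the alias SPN on the app-pool account; -S refuses to add
#    the SPN if it already exists on another account.
setspn -S "HTTP/$AliasFqdn" $PoolAcct
setspn -S "HTTP/$Alias" $PoolAcct

# 6. Bind WA2 to the alias host header so browsers build the SPN
#    HTTP/wa2.corp.example.com when they negotiate Kerberos.
Import-Module WebAdministration
New-WebBinding -Name $Site -Protocol http -Port 80 -HostHeader $AliasFqdn

# 7. Verify: DA1 should list only the alias SPNs, the computer account its own.
setspn -L $PoolAcct
setspn -L "$IisHost`$"
```

After the change, users reach WA2 at http://wa2.corp.example.com and WA1 at the machine name, each served by a distinct SPN on a distinct account.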

<alwynpereira@xxxxxxxxx> wrote in message
news:f7e33424-b655-44ea-98c8-c90fca8f752d@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello

I have two web applications running in different app pools. First one
[WA1] runs in the default pool [P1-LocalService], and the other [WA2]
in a separate pool [P2] with identity of a domain account: DA1.

Windows integrated authentication is enabled for both;

I access the url using http://IISMachine_NBiosName

Initially I was able to access WA1, but was not able to run WA2. For
WA2 I got the credentials dialog popped thrice before the access
denied error 401.1

Then I set the SPNs for DA1
HTTP/IISMachine_NBiosName & HTTP/IISMachine_FQDNName.

After this WA2 started working but WA1 stopped working;

I got the following Kerberos error in the event log:
KRB_AP_ERR_MODIFIED error from the server host/IISMachine_FQDNName.
The targetName used was http/IISMachine_FQDNName. This indicates that
the password used to encrypt the Kerberos service ticket is different
than that on the target server. Commonly this is due to identically
named machine accounts in the target realm (DomainFQDNName) and the
client realm. Please contact your system administrator;

Is it that we cannot have two web applications using integrated
authentication with different accounts? LocalService & Domain account?

Since the HTTP/IISMachine_NBiosName SPN is set for the user, I assume
this conflicts with the default HOST/IISMachine_NBiosName for the
computer account?

How do I resolve this to get both my applications working? without
making them run in the same pool :)

Regards,
Alwyn




