Re: Kerberos



Ultimately Ken, I am trying to configure KCD from this web server, to
another web server running the Exchange 2007 Web Service. We are having the
double hop issue. A couple of questions for that setup. There are two client
access servers in a cluster that handle the web service requests. There is a
dns entry for the cluster. We will call it "CASCLUSTER" that resolves to one
IP address. It consists of CAS01 and CAS02. Do you know the proper way to
set up an SPN for this scenario? I have a service account I use on the web
server that has an SPN. The CAS boxes run under the default application pool
and use the "NETWORK SERVICE" account. The IT gods do not want to change the
application pool identities. So I guess my question is how do I set up an
SPN for the cluster that uses Network Service and not a domain service
account? All this is dependent of course on getting Kerberos configured on
the web server. I appreciate any help you might be able to provide. We have
been struggling with this for the last month. I have some fancy Exchange web
service code that works great on my local box, but when we tried to deploy it
to our dev environment, we started finding out about the double hop issue
and figured KCD is our best choice to resolve it. Ok enough babbling. Thanks
for hearing me out.

Cheers,
~ck
"CK" <c_kettenbach@xxxxxxxxxxx> wrote in message
news:rYOIj.23285$0o7.11481@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I would love to. Please tell me how to do that. I have installed Network
Monitor but I do not know how to properly use it. Should it be installed on
the client or on the web server? I currently have it installed on the
client. I appreciate your help Ken. You seem to be the authoritative
source. Great blog by the way sir.

~ck

"Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:ulxOUDOlIHA.3888@xxxxxxxxxxxxxxxxxxxxxxx
Can you get a packet capture between your browser and the webserver?

Cheers
Ken

--
My IIS blog: http://adopenstatic.com/blog

"CK" <c_kettenbach@xxxxxxxxxxx> wrote in message
news:i%MIj.11612$qS5.2465@xxxxxxxxxxxxxxxxxxxxxxx
I did all the steps you mentioned and I still get
Logon Process: NtLmSsp
Authentication Package: NTLM

Any ideas? I enabled Kerberos logging but I don't see any new entries in
the Event Log. What am I missing here? I also want to mention that this
webserver is on a VM. Not sure if that makes a difference.

Thanks,

~ck


"Tiago Halm" <thalm@xxxxxxxxxxxxxxxxxx> wrote in message
news:OOeG25ElIHA.3400@xxxxxxxxxxxxxxxxxxxxxxx
You probably followed most of these steps (Ken must have pointed them out).
Make it work in IIS to get a sense of how it works.

1. Make sure NTAuthenticationProviders is not overridden so we start
with the default "Negotiate, NTLM".
Type:
cscript adsutil.vbs delete w3svc/NTAuthenticationProviders
cscript adsutil.vbs delete w3svc/1/NTAuthenticationProviders
cscript adsutil.vbs delete w3svc/1/ROOT/NTAuthenticationProviders

See more steps on:
http://support.microsoft.com/kb/215383
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/ea7cd846-33da-49c9-927f-d4e76d6309ac.mspx?mfr=true

2. Create an FQDN (xxx.yyy.zzz) in DNS pointing to the IIS IP address.
3. Select a website, make sure all VDirs use the same AppPool as the
website, and define the host header on port 80 with that FQDN
(xxx.yyy.zzz). Specify the port if needed.
4. Create the SPN using the account set up for the host header:
setspn.exe http/xxx.yyy.zzz domain\apppoolaccount
5. Set up IIS with Integrated Windows Authentication. Force inheritance
if needed.

Open IE, make sure xxx.yyy.zzz is a Local Intranet site, browse a page,
and look in the security log. Filter by event 540 (not sure about this
one) and your Windows account.

The final troubleshooting stage is to enable Kerberos logging:
http://support.microsoft.com/kb/262177

Let us know the steps you took until now ...

Tiago Halm
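An added diagnostic, not code from this thread or from any of its posters: it parses constructed Event 540 text in the shape CK quoted to see which authentication package each logon used, and checks whether the host name in the URL corresponds to an HTTP/ SPN that is registered on exactly one account (the registration map stands in for the output of `setspn -L`; the CASCLUSTER and account names are assumed).

```python
import re
from urllib.parse import urlsplit

# Constructed Event 540 entries ("Field: value" per line, blank line between events).
SAMPLE_EVENTS = """\
Event ID: 540
User Name: ck
Logon Process: NtLmSsp
Authentication Package: NTLM

Event ID: 540
User Name: ck
Logon Process: Kerberos
Authentication Package: Kerberos
"""

def parse_events(text):
    """One {field: value} dict per event (e.g. 'Event ID' -> '540')."""
    return [{k: v.strip() for k, v in (ln.split(":", 1) for ln in block.splitlines())}
            for block in re.split(r"\n\s*\n", text.strip())]

def auth_packages(text, user):
    """Count Event 540 logons for `user` per package, e.g. {'NTLM': 1, 'Kerberos': 1};
    any NTLM entry means the browser fell back (no SPN for the URL host, wrong zone, ...)."""
    counts = {}
    for ev in parse_events(text):
        if ev.get("Event ID") == "540" and ev.get("User Name", "").lower() == user.lower():
            pkg = ev.get("Authentication Package", "unknown")
            counts[pkg] = counts.get(pkg, 0) + 1
    return counts

def expected_spn(url):
    """IE builds the SPN from the host in the URL (port omitted, as IE does by
    default), so a cluster alias such as CASCLUSTER needs its own HTTP/ SPN."""
    return "HTTP/" + urlsplit(url).hostname

def spn_problems(url, registrations):
    """registrations: {account: SPNs as printed by 'setspn -L account'}.
    Returns the problems found for the URL's SPN; an empty list means it looks fine."""
    wanted = expected_spn(url)
    owners = [acct for acct, spns in registrations.items()
              if wanted.lower() in [s.lower() for s in spns]]
    if not owners:
        return [f"{wanted} is not registered on any account"]
    if len(owners) > 1:
        return [f"{wanted} is registered on {len(owners)} accounts ({', '.join(owners)}); "
                "an SPN may be registered on only one account"]
    return []
```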

"CK" <c_kettenbach@xxxxxxxxxxx> wrote in message
news:1pxIj.378$ch4.135@xxxxxxxxxxxxxxxxxxxxxxx
I cannot get Kerberos to work on my web server. I have done all of Ken
Schaefer's troubleshooting techniques, still to no avail. I created a
test.htm page and when I hit it, I check the security event log and it
is still using NTLM. Any ideas why Kerberos is not running? I am
ultimately trying to set up constrained delegation to an Exchange 2007
web service. I have been working on this for weeks and I am absolutely
stumped. Does anyone have any suggestions at this point?

Cheers,
CK