RE: Integrated Security fails using machine name, succeeds using FQN



I think you have an SPN problem. Is the application pool running under a
domain account? If so, make sure you have an spn registered for:

HTTP/foobar
HTTP/foobar.bar.com
HTTP/fooweb
HTTP/fooweb.bar.com

by running setspn -l domain\user. If anything is missing, correct this by
running:

setspn -A HTTP/foobar domain\user
setspn -A HTTP/foobar.bar.com domain\user
setspn -A HTTP/fooweb domain\user
setspn -A HTTP/fooweb.bar.com domain\user

If your app pool is running under a system account, make sure an spn is
registered for the DNS alias to the machine name by running setspn -l foobar.
The results should be:

HTTP/foobar
HTTP/foobar.bar.com
HTTP/fooweb
HTTP/fooweb.com

If anything is missing, the syntax is similar as above:

setspn -A HTTP/fooweb foobar
setspn -A HTTP/fooweb.bar.com foobar
setspn -A HTTP/foobar foobar
setspn -A HTTP/foobar.bar.com foobar

Please let me know if this helps.

"Seth Petry-Johnson" wrote:

Active Directory: BAR.COM
Webserver: FOOWEB, IIS 6, single static IP address, running a single ASP.NET
website. Contains a virtual directory (called "/protected") with Integrated
Security as the only authentication option.

When logged in locally to FOOWEB, pointing IE to
http://fooweb/protected/default.aspx works. The user is authenticated
automatically.

From another machine [FOOBAT], same domain, same local network, same user
account, browsing to http://fooweb/protected/default.aspx causes the
username/password prompt to appear. THE USER CAN NOT AUTHENTICATE, even if he
manually enters his credentials!

On FOOBAT, the authentication DOES work if the user points IE at the fully
qualified name http://fooweb.bar.com/protected/default.aspx! [*.bar.com is
registered for local intranet zone]

Some observations:
1) The username prompt contains the FQN "fooweb.bar.com".
2) On FOOBAT, IE is in Intranet mode in both scenarios.
3) User is a domain admin and can access fileshares on FOOWEB, this is
certainly an IE/IIS issue.

I'm lost... any suggestions?
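The SPN check the reply above walks through, as an added PowerShell example that is not code from this thread: it builds the short and fully qualified HTTP SPNs for each host name the server answers to (machine name and DNS alias, or any longer list), compares them with what setspn -L reports, and emits the setspn -A commands for whatever is missing. The account bar\svc-web and the sample setspn -L output are constructed for the demonstration.

```powershell
# Added example: compare registered SPNs with the ones IIS Integrated
# Security needs for each name the server is reached by. Names are constructed.

function Get-ExpectedHttpSpn {
    param(
        [Parameter(Mandatory)] [string[]] $HostNames,   # machine name, DNS alias, ...
        [Parameter(Mandatory)] [string]   $DnsSuffix    # e.g. bar.com
    )
    # Both the short and the fully qualified form are needed: the browser asks
    # for a ticket matching whichever host form appears in the URL.
    foreach ($h in $HostNames) {
        "HTTP/$h"
        "HTTP/$h.$DnsSuffix"
    }
}

function Find-MissingSpn {
    param(
        [Parameter(Mandatory)] [string[]] $SetspnOutput, # lines from: setspn -L <account>
        [Parameter(Mandatory)] [string[]] $Expected
    )
    # setspn -L prints a header line followed by one indented SPN per line;
    # keep only service/host lines. -notcontains compares case-insensitively.
    $registered = $SetspnOutput |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^[A-Za-z]+/' }
    $Expected | Where-Object { $registered -notcontains $_ }
}

function New-SetspnCommand {
    param(
        [Parameter(Mandatory)] [string[]] $MissingSpn,
        [Parameter(Mandatory)] [string]   $Account      # domain\user, or the machine name
    )
    foreach ($spn in $MissingSpn) { "setspn -A $spn $Account" }
}

# Constructed sample of `setspn -L bar\svc-web` output: the alias is only
# registered in its short form, so the fooweb.bar.com URL cannot get a ticket.
$sample = @(
    'Registered ServicePrincipalNames for CN=svc-web,OU=Service,DC=bar,DC=com:',
    '        HTTP/foobar',
    '        HTTP/foobar.bar.com',
    '        HTTP/fooweb'
)
$expected = Get-ExpectedHttpSpn -HostNames 'foobar', 'fooweb' -DnsSuffix 'bar.com'
$missing  = Find-MissingSpn -SetspnOutput $sample -Expected $expected
New-SetspnCommand -MissingSpn $missing -Account 'bar\svc-web'
```

Against a live account, replace `$sample` with `(setspn -L bar\svc-web)`; for an app pool running as a system account, pass the machine name as the account, as the reply describes.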