Re: Kerberos Problem with App Pool running as Domain Account



a) you need to make sure that the browser is authenticating using Kerberos (and not NTLM). Check the Windows Event logs for this.

b) you need to remove any duplicate SPNs you might have registered under the original computer account

http://adopenstatic.com/faq has a list of IIS and Kerberos articles that explain everything you need to do/check.

Cheers
Ken

"VC" <VC@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:394285B1-438C-42D7-8EA8-D35CFAF63CD5@xxxxxxxxxxxxxxxx
Good Morning,

I have multiple applications running with integrated security to connect to
a SQL back-end database. Everything works fine on our production servers
which use the default system accounts for the Application Pool. However, I
had to change this to use a domain account because our DR server needed to
work with the same DNS Alias which conflicted with the already registered
SPNs.

As recommended, on our DR server, I began testing by changing the
Application Pool to run under a domain account. I then registered the
following SPNs:

setspn -A HTTP/iisserver domain\user
setspn -A HTTP/iisserver.domain.com domain\user
setspn -A MSSQLSvc/sqlserver:1433 domain\user

Additionally, I set the domain\user account to "Account is trusted for
delegation" and the iisserver computer account to "Trust computer for
delegation". Still, I receive the following error when connecting to the
database:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

This works fine on the live server, so I'm assuming this is related to
changing the Application Pool to run under a domain account. Any suggestions
would be greatly appreciated.

Thank you
