Re: Kerberos Problem with App Pool running as Domain Account

Yes. I talked to someone else yesterday and they suggested that since I have
SPNs registered for the DNS alias and the server name, that I should remove
the ones registered to the server name. Perhaps this is the "duplicates" that
Ken Schaefer was referring to. I'm going to try this today and reply to the
post.

"Consultant" wrote:

Is the domain account it is running under "trusted for delegation"?

"VC" <VC@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3630E23B-1C39-48A9-BE3F-AB25507AE8A1@xxxxxxxxxxxxxxxx
Thank you for the response.

There are some authentication types of "Negotiate"; however, there are no
duplicate SPNs, and as far as I can tell everything is set up as it should
be.
My only thought might be that the application pool is running under a domain
account, perhaps IIS itself has to as well (instead of the IUSR_IISSERVER
account). But is this even supported, or likely to be the cause of the
problem?

Here is an error from the security log:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 6/23/2008
Time: 10:36:56 AM
User: NT AUTHORITY\SYSTEM
Computer: IISSERVER
Description:
Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Authz
Authentication Package: Kerberos
Workstation Name: IISSERVER
Status code: 0xC000040A
Substatus code: 0x0
Caller User Name: IISSERVER$
Caller Domain: TIB
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1048
Transited Services: -
Source Network Address: -
Source Port: -

And here's the negotiate authentication which occurs after:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 6/23/2008
Time: 10:36:56 AM
User: DOMAIN\USER
Computer: IISSERVER
Description:
Successful Logon:
User Name: user
Domain: DOMAIN
Logon ID: (0x0,0xA2489CC)
Logon Type: 4
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: IISSERVER
Logon GUID: {e241c991-82ad-2241-b533-510eff0f2c75}
Caller User Name: IISSERVER$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 840
Transited Services: -
Source Network Address: -
Source Port: -

Any further help would be appreciated.

"Ken Schaefer" wrote:

a) you need to make sure that the browser is authenticating using Kerberos
(and not NTLM). Check the Windows Event logs for this

b) you need to remove any duplicate SPNs you might have registered under the
original computer account

http://adopenstatic.com/faq has a list of IIS and Kerberos articles that
explain everything you need to do/check.

Cheers
Ken

"VC" <VC@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:394285B1-438C-42D7-8EA8-D35CFAF63CD5@xxxxxxxxxxxxxxxx
Good Morning,

I have multiple applications running with integrated security to connect to
a SQL back-end database. Everything works fine on our production servers
which use the default system accounts for the Application Pool. However, I
had to change this to use a domain account because our DR server needed to
work with the same DNS Alias which conflicted with the already registered
SPNs.

As recommended, on our DR server, I began testing by changing the
Application Pool to run under a domain account. I then registered the
following SPNs:

setspn -A HTTP/iisserver domain\user
setspn -A HTTP/iisserver.domain.com domain\user
setspn -A MSSQLSvc/sqlserver:1433 domain\user

Additionally, I set the domain\user account to "Account is trusted for
delegation" and the iisserver computer account to "Trust computer for
delegation". Still, I receive the following error when connecting to the
database:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

This works fine on the live server, so I'm assuming this is related to
changing the Application Pool to run under a domain account. Any suggestions
would be greatly appreciated.

Thank you
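Taken together, the three posts above ask for three checks: no SPN held by more than one account, the account that owns the HTTP SPN trusted for delegation, and the browser actually arriving with Kerberos rather than NTLM. The PowerShell below scripts those checks. It is an added example written for this page, not code from VC, Ken Schaefer or the linked FAQ. It assumes RSAT's ActiveDirectory module on the machine running it, a Vista/Server 2008 or later security log (event IDs 4624/4625, the successors of the 528/537 audits quoted above), and reuses the thread's placeholder names iisserver, iisserver.domain.com, domain\user and MSSQLSvc/sqlserver:1433; substitute your own.

```powershell
# Added example, not code from the thread: audit the setup the original post
# describes (HTTP SPNs moved onto an app pool account, delegation, and the
# authentication package the browser really used).
# Host, account and SPN names are placeholders taken from the thread.
Import-Module ActiveDirectory

$HostShort   = 'iisserver'
$HostFqdn    = 'iisserver.domain.com'
$AppPoolUser = 'user'                                   # domain\user in the thread
$Spns        = @("HTTP/$HostShort", "HTTP/$HostFqdn", 'MSSQLSvc/sqlserver:1433')

# 1. SPN ownership. A service ticket is encrypted with the key of the account
#    that owns the requested SPN, so the same SPN on two objects (IISSERVER$
#    and the app pool account, say) leaves the KDC with no usable key.
#    Only explicit entries are returned; the computer account's implicit
#    HOST/ coverage of HTTP is not a duplicate and does not show up here.
foreach ($spn in $Spns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
                Select-Object -ExpandProperty DistinguishedName)
    switch ($owners.Count) {
        0       { Write-Warning "$spn is not registered on any account" }
        1       { Write-Host    "$spn -> $($owners[0])" }
        default { Write-Warning "$spn is DUPLICATED on: $($owners -join ' ; ')" }
    }
}

# 2. Delegation flags on both candidates. The KDC decides whether a service
#    ticket is ok-as-delegate from the flags of the account that owns the
#    SPN, i.e. the app pool account once HTTP/ has moved to it; the flag on
#    the computer account no longer matters for that hop.
$delegationProps = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
                   'msDS-AllowedToDelegateTo', 'servicePrincipalName'
$svc = Get-ADUser     -Identity $AppPoolUser -Properties $delegationProps
$cmp = Get-ADComputer -Identity $HostShort   -Properties $delegationProps
foreach ($acct in $svc, $cmp) {
    [pscustomobject]@{
        Account              = $acct.SamAccountName
        TrustedForDelegation = $acct.TrustedForDelegation          # unconstrained
        ConstrainedTo        = ($acct.'msDS-AllowedToDelegateTo' -join ', ')
        ProtocolTransition   = $acct.TrustedToAuthForDelegation
        SPNs                 = ($acct.servicePrincipalName -join ', ')
    } | Format-List
}

# 3. Kerberos or NTLM? Network logons (type 3) on the web server carry the
#    answer in AuthenticationPackageName. 4624 = success (was 528),
#    4625 = failure (was 537); 4625 also carries the NTSTATUS in Status.
$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = $d.LogonType
            Package   = $d.AuthenticationPackageName
            Status    = $d.Status
        }
    } |
    Where-Object { $_.LogonType -eq '3' } |
    Group-Object Id, Package |
    Select-Object Name, Count
```

Run it as a user who can read the Security log on the IIS box (or point Get-WinEvent at it with -ComputerName). If step 1 reports an HTTP/ SPN on both IISSERVER$ and the app pool account, that is the duplicate Ken Schaefer means; the same check from the command line is `setspn -X`, which the Server 2008 setspn runs forest-wide. If step 3 shows the type 3 logons grouped under NTLM, the browser never got a Kerberos ticket for the HTTP SPN in the first place, and the delegation flags from step 2 never come into play.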
