Re: Service Principal Name in Kerberos
- From: "Andrei Zakharov" <zandr@xxxxxxxxxxxxxxxx>
- Date: Mon, 22 Oct 2007 14:12:13 +0400
Hi Jeffrey,
> Apart from that, can you be more specific about how the apps are being
> accessed?
The user logs in on the PC and runs a fat front-end GUI application. That
application connects to the service that runs on a different PC under a
specific account with 'Account is trusted for delegation' enabled. This
service then impersonates the user who calls the service, and connects to
SQL under that user account.
--
Andrei.
"Jeffrey Tan[MSFT]" <jetan@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:FQRDDpHFIHA.4200@xxxxxxxxxxxxxxxxxxxxxxxxx
Hi Andrei,
SPNs are registered on the accounts in the format SERVICE\hostname[:port]
and are not entered during logon. Setspn -l <account> should show you
whether the correct SPN has been registered on each service account.
Apart from that, can you be more specific about how the apps are being
accessed? Are you talking about a user on a workstation that logs on,
opens IE and accesses the Client App on IIS that then accesses the Server
App on another IIS which then talks to SQL (i.e. 3-tier)... or something
completely different?
If IE is involved, you need to make sure that the Client App and Server
App are offering Kerberos and the browser is choosing it. A network trace from
the client and appservers while accessing the App should show this.
You also need to make sure the Apps are considered being in the correct
security Zone within IE (Trusted site or Local Internet).
Otherwise, recycling electrons:
908209 Internet Explorer 6 cannot use the Kerberos authentication protocol
to connect to a Web site that uses a non-standard port on Windows XP,
Windows Server 2003 or Windows Vista
http://support.microsoft.com/default.aspx?scid=kb;EN-US;908209
NOTE: the KB article talks about IE 6. IE 7 has the same problem, but does
not require the hotfix, but does require the registry key change.
899900 Windows HTTP Services does not let you append a port number to the
service principal name in a program or service when you use Kerberos
authentication on a Windows Server 2003 SP1-based computer
http://support.microsoft.com/kb/899900/
Hope this helps.
Best regards,
Jeffrey Tan
Microsoft Online Community Support