Problem accessing server after using SETSPN



I've got an IIS website which uses an AppPool with a network ID. In
order to access the site using IE, after disabling Anonymous access, I
discovered that I had to create SPNs for the network account. I did
and everything seemed okay. But now, when I try to open the web using
Visual Studio 2005, I get an authentication dialog - this
didn't previously happen. Entering my own creds returns the same
dialog. I've tried server creds and even domain admin and I get the
same response. I created a local ID on the server and made it a
member of Administrators and this worked. But I'm not happy about
this because it shouldn't need me to do this. And it suggests I'll
see other problems in the future.

Immediately after running SETSPN (which I did twice, once with the
plain server name and once with the server FQDN), and then rebooting
the server, there was a Kerberos error in the System log: (Event ID 4
- The kerberos client received a KRB_AP_ERR_MODIFIED error from the
server host/server-fqdn-removed. The target name used was
HTTP/server-fqdn-removed. This indicates that the password used to encrypt the
kerberos service ticket is different than that on the target server.
Commonly, this is due to identically named machine accounts in the
target realm (DOMAIN-DNS-NAME-REMOVED), and the client realm. Please
contact your system administrator. I tried another reboot and saw the
same error.) Then I ran SETSPN -R servername and later rebooted and
the Kerberos error went away. However, the problem remains.

In the server Security log, I see two events (Event ID 529 Logon
Failure - Unknown user name or bad password, logon type 3, logon
process Kerberos, Authentication Package Kerberos) after trying to
open the web and then again for each attempt to enter some
credentials. But I can remote desktop onto the server using a set of
creds which generates this error when I use them in the authentication
dialog. So, it appears the server can authenticate the creds when
used to login through mstsc but not when connecting using VS2005.

Anyone got any ideas?
