Problem accessing server after using SETSPN
- From: ssg31415926 <newsjunkmail@xxxxxxxxx>
- Date: Thu, 02 Aug 2007 10:16:01 -0700
I've got an IIS website which uses an AppPool with a network ID. In
order to access the site using IE, after disabling Anonymous access, I
discovered that I had to create SPNs for the network account. I did
and everything seemed okay. But now, when I try to open the web using
Visual Studio 2005, I get an authentication dialog appear - this
didn't previously happen. Entering my own creds returns the same
dialog. I've tried server creds and even domain admin and I get the
same response. I created a local ID on the server and made it a
member of Administrators and this worked. But I'm not happy about
this because it shouldn't need me to do this. And it suggests I'll
see other problems in the future.
Immediately after running SETSPN (which I did twice, once with the
plain server name and once with the server FQDN), and then rebooting
the server, there was a Kerberos error in the System log: (Event ID 4
- The kerberos client received a KRB_AP_ERR_MODIFIED error from the
server host/server-fqdn-removed. The target name used was HTTP/server-
fqdn-removed. This indicates that the password used to encrypt the
kerberos service ticket is different than that on the target server.
Commonly, this is due to identically named machine accounts in the
target realm (DOMAIN-DNS-NAME-REMOVED), and the client realm. Please
contact your system administrator. I tried another reboot and saw the
same error.) Then I ran SETSPN -R servername and later rebooted and
the Kerberos error went away. However, the problem remains.
In the server Security log, I see two events (Event ID 529 Logon
Failure - Unknown user name or bad password, logon type 3, logon
process Kerberos, Authentication Package Kerberos) after trying to
open the web and then again for each attempt to enter some
credentials. But I can remote desktop onto the server using a set of
creds which generates this error when I use them in the authentication
dialog. So, it appears the server can authenticate the creds when
used to login through mstsc but not when connecting using VS2005.
Anyone got any ideas?