Win2k3/IIS Kerberos challenges
- From: "Jason Mondanaro" <jason_mondanaro@xxxxxxxxxxx>
- Date: Thu, 22 Dec 2005 13:42:04 -0500
Hello.
We have a Web application running on IIS under a Win2k3 server. The
application uses delegation to allow the users to access resources from
their remote browser. The users are in two domains: a TEST domain and a
PRODUCTION domain. The machines are in the TEST domain. The Application Pool
identity is a PRODUCTION domain user account configured for delegation and
has the SPNs set up. The Website is set up with Negotiate,NTLM. If the users
are logged in locally on the web machine, both domain users can use the
application; I would think this is expected. From a remote machine that is
still in the TEST domain, PRODUCTION users can use the application just fine
and they are impersonated correctly. If I try as a TEST user, I cannot go
into the application and the site challenges me for credentials and I get a
529 Logon Failure Audit event, Kerberos, 3, and the client IP Address. So I
don't know why these TEST domain users can't use the application. (There is a
one-way trust between production and test, I believe, where PROD users are
trusted on the TEST resources.) I don't know how to go about asking the right
questions at this point. Could it be the Trust issue between the domains? I
wouldn't think so since both domain users can log into and use the TEST
environment. But I'm a bit lost.
Any help is appreciated.
Jason