"Pom" <Pom@discussions.microsoft.com> wrote in message
news:CB158A8D-4579-4236-9AEA-B941BDEB3806@microsoft.com...
> I'am running asp.net 2.0 on a 2003 serveur using a a domain service
> account
> for my application pool. I'm trying to connect to a serveur that have my
> webservices. My chalenge is that server have 3 IP address, one for each
> web
> site I need. The web services I try to access will be on the second web
> site
> (but there is also a copy on the first web site) . So I defined a
> different
> host name in DNS for each web site and I also assign it to each web site
> as a
> host heade. My challenge is in the ADUC it only allow usto add a computer
> name as a "trust this user for delegation to specified services only".
> When I
> called my web services with the "server name" kerberos authenfication work
> but when I use the host name, it fall over NTLM. So could we delegate to a
> host name different from a server name?

"Pom" <Pom@discussions.microsoft.com> wrote in message
news:CB158A8D-4579-4236-9AEA-B941BDEB3806@microsoft.com...
> I'am running asp.net 2.0 on a 2003 serveur using a a domain service
> account
> for my application pool. I'm trying to connect to a serveur that have my
> webservices. My chalenge is that server have 3 IP address, one for each
> web
> site I need. The web services I try to access will be on the second web
> site
> (but there is also a copy on the first web site) . So I defined a
> different
> host name in DNS for each web site and I also assign it to each web site
> as a
> host heade. My challenge is in the ADUC it only allow usto add a computer
> name as a "trust this user for delegation to specified services only".
> When I
> called my web services with the "server name" kerberos authenfication work
> but when I use the host name, it fall over NTLM. So could we delegate to a
> host name different from a server name?

"Joe Kaplan" wrote:

> You need to create additional servicePrincipalName values for the additional
> services with the alternate hostnames. Then you can delegate to them.
>
> For example, if the alternate website is called althost1.domain.com, then
> add an SPN to the account that runs its app pool (the machine account if you
> run as the default "network service") with the value
> HTTP/althost1.domain.com. Once you have an appropriate SPN for the
> additional service, you will be able to do Kerb auth and then delegation is
> also possible as well.
>
> Joe K.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services Programming"
> http://www.directoryprogramming.net
> --
> "Pom" <Pom@discussions.microsoft.com> wrote in message
> news:CB158A8D-4579-4236-9AEA-B941BDEB3806@microsoft.com...
> > I'am running asp.net 2.0 on a 2003 serveur using a a domain service
> > account
> > for my application pool. I'm trying to connect to a serveur that have my
> > webservices. My chalenge is that server have 3 IP address, one for each
> > web
> > site I need. The web services I try to access will be on the second web
> > site
> > (but there is also a copy on the first web site) . So I defined a
> > different
> > host name in DNS for each web site and I also assign it to each web site
> > as a
> > host heade. My challenge is in the ADUC it only allow usto add a computer
> > name as a "trust this user for delegation to specified services only".
> > When I
> > called my web services with the "server name" kerberos authenfication work
> > but when I use the host name, it fall over NTLM. So could we delegate to a
> > host name different from a server name?
>
>