IIS Kerberos/SPN Help


IIS Kerberos/SPN Help Craig Taylor
10/27/2005 12:00:00 AM
iis security:
We have an IIS Webserver running on Windows 2000 as part of our domain. Its
netbios/dns name is webserver and I can connect through a browser to this
address and authenticate using Kerberos OK.
However I have set up a DNS alias intranet.theforwardgroup.com to point to
this server but it fails to authenticate. I have followed the instructions in KB
326985 Troubleshooting Kerberos-Related Issues in IIS and set up an SPN etc,
but it still doesn't work.

Any ideas?

Thanks
Craig
Re: IIS Kerberos/SPN Help Ken Schaefer
10/27/2005 12:00:00 AM
Did you add the FQDN to IE's Intranet security zone?

Cheers
Ken



Re: IIS Kerberos/SPN Help Craig Taylor
10/27/2005 12:00:00 AM
Sorry, forgot to mention, this is using Safari on OSX which doesn't have
equivalent settings




Re: IIS Kerberos/SPN Help Ken Schaefer
10/27/2005 12:00:00 AM
What tickets does the client have? (I'm not sure what the equivalent to
kerbtray is on MacOSX)

Cheers
Ken



Re: IIS Kerberos/SPN Help Craig Taylor
10/31/2005 12:00:00 AM
The client gets the ticket for webserver@theforwardgroup.com which is the
netbios/dns name, but it doesn't get a ticket against any alias set up as
SPNs

Thanks
Craig



Re: IIS Kerberos/SPN Help Ken Schaefer
10/31/2005 12:00:00 AM
Hi,

Can I get some more configuration information please?

Is the DNS alias that you created pointing to an existing site (i.e. a site
that can be accessed via http://servername)? or to a separate site?

The web app pool that the site is running under - is it Localsystem or
Network Service? or a custom user account that you've created?

Lastly, what's the output when you list the SPNs for the machine account?

Thanks

Cheers
Ken



Re: IIS Kerberos/SPN Help Craig Taylor
11/1/2005 10:50:53 AM
Hi Ken
I have 3 separate sites that I am trying to set up:
webserver.theforwardgroup.com which points to a site called internal
dev.theforwardgroup.com which points to a site called external
testintranet.theforwardgroup.com which points to a site called testintranet

Only webserver site works because this is the dns/netbios name of server.
The other two are aliases pointing to separate sites. IIS is running as
Localsystem

Here is the setspn output:

C:\Program Files\Resource Kit>setspn -l webserver
Registered ServicePrincipalNames for CN=WEBSERVER,OU=Servers,DC=theforwardgroup,DC=com:
    HOST/testintranet
    HOST/dev
    HOST/dev.theforwardgroup.com
    HOST/testintranet.theforwardgroup.com
    SMTPSVC/WEBSERVER
    SMTPSVC/webserver.theforwardgroup.com
    HOST/WEBSERVER
    HOST/webserver.theforwardgroup.com

Thanks for your help
Craig


Re: IIS Kerberos/SPN Help Ken Schaefer
11/2/2005 12:00:00 AM
Hi there,

IIS is running as LocalSystem, but the actual web application pools that
your websites are hosted in - what are they running under? The SPNs need to
be registered under the correct machine or user account in AD. And this
needs to be the account assigned to the web application pool.

Since all these machines are in the same domain, I'm going to assume that
the MacOSX knows where to go to get the tickets from...

Cheers
Ken



Re: IIS Kerberos/SPN Help Craig Taylor
11/3/2005 12:00:00 AM
Hi Ken
Sorry you have lost me there, how do I find out what and how the web
application pools are running under?

Cheers
Craig

Re: IIS Kerberos/SPN Help Ken Schaefer
12/7/2005 5:48:43 PM
Sorry to take so long to get back to you, but in case this is still an open
issue:

In the IIS Manager in the Web App Pools node. For each web app pool there is
a place to configure an "identity" for the web app pool. This is the user
account used to run the w3wp.exe process.

Cheers
Ken
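
The check described in the replies above (each site's hostname needs an SPN registered on the account that runs its web application pool), as an added example that is not part of the thread; it parses `setspn -l` output in the format posted earlier. The `svc-web` account and its listing, the site-to-identity mapping, and the rule that an exact HTTP/ registration takes precedence over the HOST/ alias are assumptions of this example.

```python
HEADER = "Registered ServicePrincipalNames for"

def parse_setspn(text):
    """Return (account DN, upper-cased SPN set) from `setspn -l` output."""
    dn_parts, spns, in_header = [], set(), False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith(HEADER):
            in_header, line = True, line[len(HEADER):].strip()
        if not line:
            continue
        if in_header:                    # the DN may wrap; it ends at the ':'
            dn_parts.append(line.rstrip(":"))
            in_header = not line.endswith(":")
        elif "/" in line:
            spns.add(line.upper())
    return "".join(dn_parts), spns

def check_sites(sites, listings):
    """sites maps hostname -> DN of the account that runs the site's worker process."""
    holders = {}                         # SPN -> DNs of the accounts registering it
    for text in listings:
        dn, spns = parse_setspn(text)
        for spn in spns:
            holders.setdefault(spn, set()).add(dn.upper())
    report = {}
    for host, identity in sites.items():
        # HOST/ covers HTTP by AD's default mapping; assumed here: exact HTTP/ wins.
        for cls in ("HTTP", "HOST"):
            owners = holders.get(f"{cls}/{host}".upper(), set())
            if owners:
                break
        if len(owners) != 1:
            report[host] = "duplicate" if owners else "missing"
        else:
            report[host] = "ok" if identity.upper() in owners else "wrong-account"
    return report

# Constructed sample data: listing abridged from the thread; svc-web is hypothetical.
MACHINE_DN = "CN=WEBSERVER,OU=Servers,DC=theforwardgroup,DC=com"
MACHINE_LISTING = """Registered ServicePrincipalNames for
CN=WEBSERVER,OU=Servers,DC=theforwardgroup,
DC=com:
    HOST/dev.theforwardgroup.com
    HOST/testintranet.theforwardgroup.com
    SMTPSVC/webserver.theforwardgroup.com
    HOST/webserver.theforwardgroup.com"""
SVC_LISTING = HEADER + " CN=svc-web,OU=Servers,DC=theforwardgroup,DC=com:\n  HTTP/testintranet.theforwardgroup.com"
SITES = {h + ".theforwardgroup.com": MACHINE_DN for h in ("webserver", "dev", "testintranet", "intranet")}
print(check_sites(SITES, [MACHINE_LISTING, SVC_LISTING]))
```

A "duplicate" result means the same SPN string is registered on more than one account, which has to be resolved before Kerberos can issue a usable ticket for that name.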
