Prompt for authentication 401.1 error, custom app pool w/ anon access on virt dir.


Prompt for authentication 401.1 error, custom app pool w/ anon access on virt dir. knowthediff NO[at]SPAM gmail.com
8/31/2005 1:34:18 PM
Hello,
I am trying to tighten up security on my web server. I have created a
new application pool with a domain user listed for the account. This
account has also been given the following rights:
a) put it into the IIS_WPG group on the server
b) grant it:
(i) Adjust memory quotas for a process
(ii) Replace a process level token

The virtual directory I am using is running under the default
anonymous user account (IUSR_MACHINE). When I attempt to access my
virtual directory I am prompted for credentials. I believe this is a
double hop issue but do not know how to get around the problem. No
matter what security I try in the prompt dialog I cannot get access.

If I log onto the server console and attempt to access the same page
from the console it works without prompting me.

If I change the anonymous account on the virtual directory to the same
domain account that I have set up for the app pool everything works as
it should, however I would like to use the default anonymous account
instead of the domain user for anon. access.

I have tried to use the Auth diagnostics tool and found this message:
Service principal name (SPN) for user 'domain\account' not found in
Active Directory. How can I fix this? Any help would be great. Just
as a note I do not have domain admin account privileges.

Thanks
-J
Re: Prompt for authentication 401.1 error, custom app pool w/ anon access on virt dir. Ken Schaefer
9/4/2005 12:00:00 AM
Hi,

When posting to multiple groups, please put all the groups into the To:
field. This means that everyone from all groups can see all responses.

Answered in inetserver.iis group

Cheers
Ken

--
IIS Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com

