LSASS on your domain controllers. It is always run as LocalSystem.
"Tony Holm" <TonyHolm@discussions.microsoft.com> wrote in message
news:37000925-9C66-43D0-B88D-28C8FEEC5EA2@microsoft.com...
>
>
> "Ken Schaefer" wrote:
>
>> "Tony Holm" <Tony Holm@discussions.microsoft.com> wrote in message
>> news:055A66D8-2194-4DA3-8015-422731FFDC71@microsoft.com...
>> >I am trying to configure OWA with patch for KB 920209 to enable Smart
>> >Card
>> > login to OWA.
>> >
>> > Part of the KB is creating a KDC Service Account, which appears to
>> > require
>> > using "setspn". The examples leave LOTS to be desired.
>> >
>> > Do I run setspn on the OWA server or domain controller?
>> > One of the command line options is the "computername". Is this the OWA
>> > server or Domain Controller name?
>>
>>
>> SetSPN can be run on any computer. SetSPN makes changes to AD attributes
>> for
>> the specified computername (i.e. you run it anywhere, it connects to a
>> DC,
>> and makes the changes specified)
>>
>> When you use SetSPN, you specify the Service Principal Name you wish to
>> register (whether that be under a computer account or user account).
>>
>> The following may help shed some light:
>>
>> IIS and Kerberos Part 1 - What is Kerberos and how does it work?
>> http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/19/512.aspx
>>
>> IIS and Kerberos Part 2 - What are Service Principal Names?
>> http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx
>>
>> IIS and Kerberos. Part 3 - A simple scenario
>> http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/16/1054.aspx
>>
>> IIS and Kerberos Part 4 - A simple delegation scenario
>> http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/27/1282.aspx
>>
>> Cheers
>> Ken
>>
>> --
>> My IIS Blog:
>> www.adOpenStatic.com/cs/blogs/ken
>
> Ken,
> While your articles are very informative and written in low enough English
> for me to understand, I still can't get it to work.
>
> Situation:
> Domain is MYCOMPANY.COM (MYCOMPANY)
> Exchange server is CMAIL
> Exchange front-end server is FMAIL
> KDC service account is C.KDC
>
> Completed steps in MS KB 920209
> - Created user account C.KDC
> - In GPO set account for "Enable computers and user accounts to be trusted
> for delegation"
> - Set Exchange/IIS settings for Integrated Authentication
> - Added site to "Intranet Zone" and turned on Integrated Authentication in
> IE
>
> I tried the following SETSPN lines:
>
> SETSPN -A HTTP/FMAIL MYCOMPANY\C.KDC
> SETSPN -A HTTP/WEBMAIL.MYCOMPANY.COM MYCOMPANY\C.KDC
>
> Nothing works yet. FMAIL keeps prompting me for username and password.
> When I type them in it still doesn't work. After 3 tries it says "Error:
> Access is Denied"
>
> Tony
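An added check that is not part of the thread: after running the SETSPN lines above, this PowerShell script asks Active Directory which account(s) actually hold each SPN and whether the C.KDC account carries the delegation flag. It assumes the names from Tony's post (MYCOMPANY.COM, FMAIL, WEBMAIL.MYCOMPANY.COM, C.KDC) and runs from any domain-joined machine; a duplicate SPN, or an SPN landing on the wrong object, is a common reason Kerberos silently fails and the browser falls back to password prompts.

```powershell
# Added example, not from the thread. Names below are the ones Tony posted.
# [adsisearcher] wraps System.DirectoryServices.DirectorySearcher and binds
# to a domain controller automatically, so this runs from any domain member.

$spns = @('HTTP/FMAIL', 'HTTP/WEBMAIL.MYCOMPANY.COM')

foreach ($spn in $spns) {
    # servicePrincipalName is multi-valued; an equality filter matches any value.
    $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
    $searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'objectClass'))
    $holders = $searcher.FindAll()

    switch ($holders.Count) {
        0 { Write-Output "$spn : NOT registered on any account" }
        1 {
            $r   = $holders[0]
            $sam = $r.Properties['samaccountname'][0]
            # objectClass lists the class chain; the last entry is the concrete class
            # (user vs computer), which tells you whether the SPN went where intended.
            $cls = $r.Properties['objectclass'] | Select-Object -Last 1
            Write-Output "$spn : registered on $cls '$sam'"
        }
        default {
            # The KDC cannot choose a key when two accounts claim the same SPN;
            # clients then get no Kerberos ticket and fall back to NTLM prompts.
            $names = ($holders | ForEach-Object { $_.Properties['samaccountname'][0] }) -join ', '
            Write-Output "$spn : DUPLICATE, held by $names"
        }
    }
}

# Delegation flag on the service account itself. TRUSTED_FOR_DELEGATION is bit
# 0x80000 of userAccountControl; the GPO user right named in the KB only allows
# an administrator to set this flag, it does not set it by itself.
$acct = ([adsisearcher]'(sAMAccountName=C.KDC)').FindOne()
if ($null -eq $acct) {
    Write-Output 'C.KDC : account not found in this domain'
} else {
    $uac     = [int]$acct.Properties['useraccountcontrol'][0]
    $trusted = ($uac -band 0x80000) -ne 0
    Write-Output ("C.KDC : trusted for delegation = {0}" -f $trusted)
}
```

If an SPN shows as NOT registered while `setspn -A` reported success, check that the command was run against the intended domain; if it shows DUPLICATE, remove it from the account that should not have it before testing OWA again.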