IIS 6 and Kerberos

IIS 6 and Kerberos  Tobia
1/17/2008 4:42:34 PM
Hi!
I have a problem. I don't know whether it's my problem or a problem of IIS.
The scenario:
We have a member server with IIS in a W2K3 domain. There is only one website
on it, one app pool, only one default.htm (simple HTML, no script).
Anonymous authentication isn't allowed and the authentication method is
Integrated Windows.
If I authenticate with NTLM all is fine, the site is shown.
If I authenticate with Kerberos (Negotiate) a logon window appears; I try
it 3 times, then "HTTP Error 401.1 - Unauthorized: Access is denied due to
invalid credentials" appears.
The event log writes a security event 529 logon/logoff, "Unknown username or
wrong password", logon type 3, auth package Kerberos. (Sorry, I have a German
system; here is the original event. The blank fields really are blank.)
Ereignistyp: Fehlerüberw.
Ereignisquelle: Security
Ereigniskategorie: An-/Abmeldung
Ereigniskennung: 529
Datum: 17.01.2008
Zeit: 15:40:40
Benutzer: NT-AUTORITÄT\SYSTEM
Computer: TT-W2003-KERB
Beschreibung:
Fehlgeschlagene Anmeldung:
Grund: Unbekannter Benutzername oder falsches Kennwort
Benutzername:
Domäne:
Anmeldetyp: 3
Anmeldevorgang: Kerberos
Authentifizierungspaket: Kerberos
Name der Arbeitsstation: -
Aufruferbenutzername: -
Aufruferdomäne: -
Aufruferanmeldekennung: -
Aufruferprozesskennung: -
Übertragene Dienste: -
Quellnetzwerkadresse: x.y.z.w
Quellport: 50449


I followed all the steps in http://support.microsoft.com/?id=871179. I read
a lot, I tried a lot - now I'm at a loss.

Originally we configured MOSS with SQL Server on another server for
Kerberos. Because this doesn't work, the scenario above was built.

Is there anyone anywhere who is able to help? Please!
Hopeful
Tobia
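As an added illustration, not part of Tobia's post or any reply in this thread: a small Python parser for the failed-logon event quoted above. It reads the German Windows Server 2003 field labels exactly as they appear in the post (an assumption; other language builds use different labels), turns the "-" placeholder into an empty value, and triages the record. The sample event is constructed from the post, and the classification names are my own.

```python
import re

# Constructed sample: the Security event 529 text quoted in the post above,
# reduced to the fields this parser uses (German Windows Server 2003 labels).
SAMPLE_EVENT_529 = """\
Ereignisquelle: Security
Ereigniskategorie: An-/Abmeldung
Ereigniskennung: 529
Beschreibung:
Fehlgeschlagene Anmeldung:
Grund: Unbekannter Benutzername oder falsches Kennwort
Benutzername:
Domäne:
Anmeldetyp: 3
Anmeldevorgang: Kerberos
Authentifizierungspaket: Kerberos
Name der Arbeitsstation: -
Quellnetzwerkadresse: x.y.z.w
Quellport: 50449
"""

# Label -> neutral key. Assumption: the labels are exactly those shown in the
# post; other language builds of Windows use different labels.
FIELD_LABELS = {
    "Ereigniskennung": "event_id",
    "Grund": "reason",
    "Benutzername": "user",
    "Domäne": "domain",
    "Anmeldetyp": "logon_type",
    "Anmeldevorgang": "logon_process",
    "Authentifizierungspaket": "auth_package",
    "Name der Arbeitsstation": "workstation",
    "Quellnetzwerkadresse": "source_address",
    "Quellport": "source_port",
}

_FIELD_RE = re.compile(r"^(?P<label>[^:]+):\s*(?P<value>.*)$")


def parse_event(text):
    """Parse 'Label: value' lines into a dict keyed by FIELD_LABELS.

    A bare '-' (the Windows placeholder) becomes an empty string, as does a
    label with nothing after the colon; unknown labels are skipped.
    """
    fields = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line.strip())
        if not m:
            continue
        label = m.group("label").strip()
        if label in FIELD_LABELS:
            value = m.group("value").strip()
            fields[FIELD_LABELS[label]] = "" if value == "-" else value
    return fields


def classify_529(fields):
    """Triage a parsed event 529.

    The Kerberos/empty-principal case is the symptom from the post: a network
    logon (type 3) rejected by the Kerberos package with no user name recorded.
    The thread treats that as Kerberos authentication itself failing and looks
    at SPNs and Kerberos logging rather than at the user's password.
    """
    if fields.get("event_id") != "529":
        return "not-event-529"
    kerberos = fields.get("auth_package", "").lower() == "kerberos"
    if kerberos and fields.get("logon_type") == "3" and not fields.get("user"):
        return "kerberos-network-logon-empty-principal"
    if kerberos:
        return "kerberos-logon-failed"
    return "other-logon-failed"


if __name__ == "__main__":
    parsed = parse_event(SAMPLE_EVENT_529)
    print(parsed)
    print(classify_529(parsed))
```

Running the block on the constructed sample yields the "kerberos-network-logon-empty-principal" class; feeding it an NTLM failure with a user name yields "other-logon-failed", which is the distinction a triage rule would key on.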




RE: IIS 6 and Kerberos  Pom
1/22/2008 4:35:02 PM
Have you set an SPN? See: http://support.microsoft.com/kb/929650 or the whole
series in MSDN: http://msdn2.microsoft.com/en-us/library/ms998297.aspx

Re: IIS 6 and Kerberos  Ken Schaefer
1/24/2008 12:25:49 PM
I have a long series on configuring/using Kerberos with IIS. This is part
5 - it has links to the earlier parts. Read the bits you need configured,
and then post if you are still having issues:
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/07/18/8460.aspx

Cheers
Ken

Re: IIS 6 and Kerberos  Tobia
1/25/2008 9:59:00 AM


Yes, of course I had set the SPNs.
Tobia
Re: IIS 6 and Kerberos  Tobia
2/1/2008 4:48:56 PM
Thanks. The blank scenario in IIS works now. But the main problem (MOSS, SQL
Server - all on other machines in the same domain) continues to exist.
I have checked everything once again. But I can't find the reason for the
trouble.
Great weekend
Tobia
Re: IIS 6 and Kerberos  Tobia
2/4/2008 8:40:46 AM
Is this the right group for problems with MOSS? If so, I'll send the
description of my scenario.
Greetings
Tobia

Re: IIS 6 and Kerberos  Ken Schaefer
2/4/2008 11:41:29 AM


Well, I know it works, so it's theoretically possible for this to be set up.

If it's not working, then something is still misconfigured.

As I mentioned, I wrote up five articles on this because there are a /lot/
of things that need to be checked and verified for your specific
configuration.

But at the moment, we don't have your configuration, or your settings or the
errors that you are getting.

So, it's impossible to help anymore.

Cheers
Ken

Re: IIS 6 and Kerberos  Tobia
2/4/2008 4:14:12 PM


The situation:
We have a W2003 domain (2 DCs), a W2003 R2 server with MOSS 2007 and an
additional W2003 R2 server with MS SQL Server 2005.
The MOSS installation is such that the different services and functions use
different user accounts, i.e. not everything is running under administrator
like most sample installations.
The virtual server on port 80 (sharepoint-80) is configured to use one web
application with the identity SPadmin (domain account, member of the local
administrators group and admin in SharePoint). The shared services for the
Office Server virtual server run under SP_SSP (also a domain account).
On SQL Server a named instance runs for MOSS (db/MOSS); Windows
authentication is configured. The instance is running under a domain account
(SQLMoss).
The authentication on IIS is set to Negotiate and NTLM for the virtual
server (sharepoint-80).
In the domain the user SPadmin has the SPNs HOST/MOSSserver and
HOST/MOSSserver.dom.de
and the user SQLMoss has the SPNs MSSQLsvc/db:xyz and
MSSQLsvc/db.dom.de:xyz. SQLMoss is allowed to write its own SPN, so the
right port is set when the db instance starts.
No other SPNs are registered for those services.
The problem:
Access to MOSS works until the authentication provider is changed
to Negotiate. A logon window appears; after 3 tries "HTTP Error
401.1 - Unauthorized: Access is denied due to invalid credentials" appears.
The MOSS sites are all configured to use the local intranet zone in IE.
Are you missing more information?
Thanks for your help!
Tobia
Re: IIS 6 and Kerberos  Ken Schaefer
2/4/2008 11:01:46 PM
We don't know if it's a MOSS issue.

It could be a client <-> server issue (is client authN via Kerberos to
server?)
It could be a protocol transition issue (client <-> server <-> SQL Server)
It could be an IIS configuration (what app pools are your sites running in?
What AuthN providers is IIS advertising to client)
It could be an AD configuration issue (what SPNs do you have registered?)
It could be some other issue (I still don't know your overall architecture -
what servers do you have, and what FQDNs are they being accessed by?)
etc
etc
etc

There are simply too many unknowns here.

Cheers
Ken

Re: IIS 6 and Kerberos  Tobia
2/6/2008 8:56:23 AM
Hello,
I've checked for duplicate SPNs and I can't find any. I must correct my first
statement: in the domain the user SPadmin has the SPNs HTTP/MOSSserver and
HTTP/MOSSserver.dom.de. Is it a problem if the SPNs HOST/MOSSserver and
HOST/MOSSserver.dom.de are set for the machine account MOSSserver, because
HTTP is part of HOST?
The user SPadmin is the user of the service (application pool for that
SharePoint application).
Now I'll activate Kerberos logging and I hope I'll see more.
I read your blog, it's very helpful.
Thanks
Tobia
Re: IIS 6 and Kerberos  Ken Schaefer
2/6/2008 12:14:12 PM
Well, then it looks like Kerberos authN is failing. But you still haven't
provided all the necessary details to check things.

Did you read my blog posts? The problem could be duplicate SPNs, or it could
be that the user account that the service ticket is being generated for is
not the user account you are using to host your service etc.

What you can do is enable Kerberos logging on each box in question
(http://support.microsoft.com/?id=262177). Then you will get some kind of
error in your event logs. If you are getting KRB_AP_ERR_MODIFIED then it's
probably a principal mismatch.

Cheers
Ken

Re: IIS 6 and Kerberos  Tobia
2/11/2008 11:44:23 AM
Hi,
I'm back after a few days off.
My Kerberos authentication works. I had deleted the SPNs HOST/MOSSserver and
HOST/MOSSserver.dom.de for the machine account MOSSserver.
I had understood that an explicit SPN for the specific service in use is
checked first, and if there is no such SPN then HOST is used.
As the facts show, this understanding was wrong.
Thanks for your help!
Cheers
Tobia
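An added example, not code from the thread or from Ken Schaefer's articles: a Python check over a `setspn -L`-style inventory of SPNs that reports (a) the same SPN registered on more than one account, the duplicate-SPN case Ken raises, and (b) the configuration Tobia describes and ended up removing, where HTTP/host is registered on the service account while HOST/host for the same name sits on a different (machine) account. The inventory is constructed from the account and host names in the thread; the SQL port 1433 is an assumption, since the post writes it as xyz. The check flags both situations for review; it does not decide which registration is the right one for a given deployment.

```python
import re
from collections import defaultdict

# Constructed inventory in the shape of `setspn -L <account>` output, built
# from the names in the thread. Port 1433 is assumed (the post writes xyz).
SETSPN_INVENTORY = {
    "MOSSserver$": ["HOST/MOSSserver", "HOST/MOSSserver.dom.de"],
    "SPadmin": ["HTTP/MOSSserver", "HTTP/MOSSserver.dom.de"],
    "SQLMoss": ["MSSQLsvc/db:1433", "MSSQLsvc/db.dom.de:1433"],
}

# service/host[:port][/name]
_SPN_RE = re.compile(
    r"^(?P<svc>[^/]+)/(?P<host>[^:/]+)(?::(?P<port>\d+))?(?:/(?P<name>.*))?$"
)


def parse_spn(spn):
    """Split an SPN into (service_class, host, port).

    Service class and host are lower-cased because AD compares SPNs
    case-insensitively; port is a string or None.
    """
    m = _SPN_RE.match(spn.strip())
    if not m:
        raise ValueError(f"not an SPN: {spn!r}")
    return m.group("svc").lower(), m.group("host").lower(), m.group("port")


def find_duplicate_spns(inventory):
    """Return {spn: [accounts]} for every SPN held by more than one account."""
    owners = defaultdict(set)
    for account, spns in inventory.items():
        for spn in spns:
            owners[spn.strip().lower()].add(account)
    return {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}


def find_host_overlaps(inventory, services=("http",)):
    """Return sorted (service_spn, service_account, host_account) triples where
    an explicit SPN such as HTTP/host is held by one account and HOST/host for
    the same host name is held by a different account."""
    host_owner = {}               # host -> account holding HOST/host
    explicit = defaultdict(set)   # (svc, host) -> accounts holding svc/host
    for account, spns in inventory.items():
        for spn in spns:
            svc, host, _port = parse_spn(spn)
            if svc == "host":
                host_owner[host] = account
            elif svc in services:
                explicit[(svc, host)].add(account)
    overlaps = []
    for (svc, host), accounts in explicit.items():
        holder = host_owner.get(host)
        for account in accounts:
            if holder is not None and holder != account:
                overlaps.append((f"{svc.upper()}/{host}", account, holder))
    return sorted(overlaps)


if __name__ == "__main__":
    print("duplicate SPNs:", find_duplicate_spns(SETSPN_INVENTORY))
    for spn, svc_acct, host_acct in find_host_overlaps(SETSPN_INVENTORY):
        host = spn.split("/", 1)[1]
        print(f"{spn} on {svc_acct} while HOST/{host} is on {host_acct}")
```

On the constructed inventory there are no duplicate SPNs, which matches what Tobia reported, but both HTTP SPNs are flagged as overlapping with the HOST SPNs on the machine account. Feeding the function the inventory with the machine account's HOST entries removed, which is the change Tobia made, returns no overlaps.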
