"Chris Hoare" <choare@nospam.nospam> wrote in message
news:E58BA53D-F64F-4AF3-B944-AD4152307F29@microsoft.com...
> Hello,
>
> I have a strange intermittant problem.
>
> There are two web servers configured to load ballance behind an F5 load
> ballancer. Each of the web servers has a .Net application running in IIS 6
> on
> Windows 2003. The site is setup to use integrated authentication only and
> domain users are allowed read access to the folder. We are getting
> sporadic
> in time and random on pages domain authentication popups on the client
> pc's.
> It is not with any obvious pattern and it is affecting more than one user.
> I
> cant turn the Integrated authentication off as we are using a single sign
> on
> through AD to access the software. The app pool for the application is
> only
> running the single application with this issue; its running as Network
> Service at the moment.
>
> Can anyone suggest how to work through this issue; i am loathe to demote
> the
> web servers down kerboros through setspn but the users are becoming
> frustrated by the popup box appearing so i am need of suggestions for a
> fix

"Tiago Halm" wrote:

> just some thoughts ....
>
> Check kerberos is correctly setup on all boxes:
> - DNS alias
> - SPN
> - AD account in AppPools
> - Bindings Host Header Name + Port + IP Address
> - VDirs and their AppPools (should all be the same as the WebSite)
>
> Also, enable all security auditings on both servers. When the issue happens,
> check for the username in the log and why the access was denied.
>
> Check for any W3SVC events for AppPool recycling.
> Check F5 rules and possible errors when redirecting.
>
> Tiago Halm
>
> "Chris Hoare" <choare@nospam.nospam> wrote in message
> news:E58BA53D-F64F-4AF3-B944-AD4152307F29@microsoft.com...
> > Hello,
> >
> > I have a strange intermittant problem.
> >
> > There are two web servers configured to load ballance behind an F5 load
> > ballancer. Each of the web servers has a .Net application running in IIS 6
> > on
> > Windows 2003. The site is setup to use integrated authentication only and
> > domain users are allowed read access to the folder. We are getting
> > sporadic
> > in time and random on pages domain authentication popups on the client
> > pc's.
> > It is not with any obvious pattern and it is affecting more than one user.
> > I
> > cant turn the Integrated authentication off as we are using a single sign
> > on
> > through AD to access the software. The app pool for the application is
> > only
> > running the single application with this issue; its running as Network
> > Service at the moment.
> >
> > Can anyone suggest how to work through this issue; i am loathe to demote
> > the
> > web servers down kerboros through setspn but the users are becoming
> > frustrated by the popup box appearing so i am need of suggestions for a
> > fix
>
>