I think you have an SPN problem. Is the application pool running under a
domain account? If so, make sure you have an spn registered for:
HTTP/foobar
HTTP/foobar.bar.com
HTTP/fooweb
HTTP/fooweb.bar.com
by running setspn -l domain\user. If anything is missing, correct this by
running:
setspn -A HTTP/foobar domain\user
setspn -A HTTP/foobar.bar.com domain\user
setspn -A HTTP/fooweb domain\user
setspn -A HTTP/fooweb.bar.com domain\user
If your app pool is running under a system account, make sure an spn is
registered for the DNS alias to the machine name by running setspn -l foobar.
The results should be:
HTTP/foobar
HTTP/foobar.bar.com
HTTP/fooweb
HTTP/fooweb.com
If anything is missing, the syntax is similiar as above:
setspn -A HTTP/fooweb foobar
setspn -A HTTP/fooweb.bar.com foobar
setspn -A HTTP/foobar foobar
setspn -A HTTP/foobar.bar.com foobar
Please let me know if this helps.
[quoted text, click to view] "Seth Petry-Johnson" wrote:
> Active Directory: BAR.COM
> Webserver: FOOWEB, IIS 6, single static IP address, running a single ASP.NET
> website. Contains a virtual directory (called "/protected") with Integrated
> Security as the only authentication option.
>
> When logged in locally to FOOWEB, pointing IE to
> http://fooweb/protected/default.aspx works. The user is authenticated
> automatically.
>
> From another machine [FOOBAT], same domain, same local network, same user
> account, browsing to http://fooweb/protected/default.aspx causes the
> username/password prompt to appear. THE USER CAN NOT AUTHENTICATE, even if he
> manually enters his credentials!
>
> On FOOBAT, the authentication DOES work if the user points IE at the fully
> qualified name
http://fooweb.bar.com/protected/default.aspx! [*.bar.com is
> registered for local intranet zone]
>
> Some observations:
> 1) The username prompt contains the FQN "fooweb.bar.com".
> 2) On FOOBAT, IE is in Intranet mode in both scenarios.
> 3) User is a domain admin and can access fileshares on FOOWEB, this is
> certainly an IE/IIS issue.
>
Just yesterday I received an email back from my customer saying they had
figured out the configuration. They say the solution was to configure the
domain account as (1) trusted for delegation, (2) a member of IIS_WPG group
on FOOWEB, and (3) has "Act as a part of OS" / "Impersonate a client after
authentication" privileges.
Windows security is a little out of my purview, so I'm not 100% sure why
this works. I'm just glad it does :)
For posterity, here's the pattern I observed:
FROM FOOWEB, BROWSING TO FOOWEB:
--------------------------------------------
Using machine name only [http://fooweb/ProtectedVDir]: OK
Using FQDN: [
http://fooweb.blah.com/ProtectedVDir]: FAIL
Using alias: [
http://MyAlias.blah.com/ProtectedVDir]: OK
FROM CLIENT MACHINE, BROWSING TO FOOWEB:
--------------------------------------------
Using machine name only [http://fooweb/ProtectedVDir]: FAIL
Using FQDN: [
http://fooweb.blah.com/ProtectedVDir]: OK
Using alias: [
http://MyAlias.blah.com/ProtectedVDir]: FAIL
I can't explain why the FQDN does NOT work when local to the webserver...
could this be related to the SPNs?
