Multiple websites in one IIS with Integrated Windows Authentication

ramram49 wrote:

Hi,

I have set up two intranet web sites (say Site_A and Site_B) on the same IIS 6 server. Both serve internal staff only.

For Site_A, I leave everything as default.

For Site_B, I modified "Multiple identities for this Web site" as follows:

IP Address: 130.20.1.20
TCP port: 80
Host Header Value: hkg-intranet

Now, my problem:
- if I "Enable anonymous access", then we can access both web sites.
- if I disable anonymous access and enable "Integrated Windows authentication", then both web sites prompt for username. No matter which username I used (including domain admin), I cannot access the sites.

I can access the site only if I enter the machine local admin username and password.

In the web server security event log, we have:

Event ID: 529
Reason: Unknown user name or bad password
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos

May I ask, is it not possible to have two web sites on the same server with "Integrated Windows authentication" enabled?

Thanks in advance.

--
ramram49
Posted via http://www.webservertalk.com
View this thread: http://www.webservertalk.com/message1693270.html

Ken Schaefer wrote:

You can have as many sites as you want using IWA and domain based credentials.

Something else is wrong in your setup. Are you logging on using Domain\Username?

Cheers
Ken
ramram49 wrote:

Hi Ken,

Yes, I am logging on using domain\username format.

On the DC, there is such system error logged:

Source: Kerberos
Event ID: 4
Description: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/hcl-intranet.mydomain.com. The target name used was HTTP/hkg-intranet.mydomain.com. This indicates that the password used to encrypt the kerberos service ticket is different that that on the target server. Commonly, this is due to identically named machine accounts in the target realm (MYDOMAIN.COM), and the client realm. Please contact your system administrator.com

Kindly give me some more hints..^^

--
ramram49
Ken Schaefer wrote:

Hi,

You have two options:

a) Configure IIS to send NTLM only for that website - at the moment IIS is sending both Negotiate (Kerberos) and NTLM as available authentication mechanisms to the client, and the client is choosing Kerberos.

b) If you wish to use Kerberos rather than NTLM, then you will need to register an SPN (Service Principal Name) for the FQDN of the website you are accessing. If the website is running in a web app pool that is running under LocalSystem/Network Service, then register the SPN under the IIS server's machine account. If the web app pool is running under a custom account, then register the SPN under the user account that is being used as the process identity for the web app pool.

Cheers
Ken
ramram49 wrote:

Hi Ken,

Thanks. I have registered an SPN for the "extra" web site and it works.

Ram

--
ramram49
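Ken's two options, worked through as an added example (not a script from the thread) for the Windows Server 2003 / IIS 6 host described above. Names taken from the thread are the machine account HCL-INTRANET$ (Event ID 4 names host/hcl-intranet.mydomain.com) and the site name hkg-intranet.mydomain.com; svc_intranet (a custom app pool account) and Site_B's metabase id are assumed placeholders.

```batch
@echo off
REM Added example, not from the thread: apply Ken's options (a) and (b) on the
REM IIS 6 / Windows Server 2003 host. setspn.exe is from the 2003 Support
REM Tools; adsutil.vbs and iisweb.vbs ship with IIS 6.
REM From the thread: HCL-INTRANET$ is the server's machine account (Event ID 4
REM names host/hcl-intranet.mydomain.com) and HTTP/hkg-intranet.mydomain.com
REM is the target name the client asked for. Assumed placeholders: svc_intranet
REM (a custom app pool account) and Site_B's metabase id.
set SITE_FQDN=hkg-intranet.mydomain.com
set SITE_SHORT=hkg-intranet
set MACHINE_ACCT=HCL-INTRANET$
set POOL_ACCT=svc_intranet
set SITE_ID=REPLACE_WITH_SITE_B_ID

REM --- Diagnose: KRB_AP_ERR_MODIFIED means the ticket for HTTP/%SITE_FQDN%
REM was encrypted with a key the IIS process identity does not hold, so see
REM which SPNs each candidate account already has.
setspn -L %MACHINE_ACCT%
setspn -L %POOL_ACCT%

REM --- Option (b): register the SPN on the account that decrypts tickets ---
REM Find Site_B's metabase id, then the name of its application pool.
cscript //nologo %SystemRoot%\system32\iisweb.vbs /query
cscript //nologo C:\Inetpub\AdminScripts\adsutil.vbs get w3svc/%SITE_ID%/root/AppPoolId

REM Pool runs as LocalSystem or Network Service -> the machine account.
REM Register the FQDN and the short host header name the users type.
setspn -A HTTP/%SITE_FQDN% %MACHINE_ACCT%
setspn -A HTTP/%SITE_SHORT% %MACHINE_ACCT%

REM Pool runs as a custom domain account -> that account instead. Register
REM each SPN on exactly one account: the same SPN on two accounts is the
REM "identically named" condition Event ID 4 describes.
REM setspn -A HTTP/%SITE_FQDN% %POOL_ACCT%
REM setspn -A HTTP/%SITE_SHORT% %POOL_ACCT%
REM (setspn on Windows Server 2008 and later also has -S, which refuses to
REM add an SPN already present elsewhere in the forest.)

REM --- Option (a): send only NTLM for Site_B, keeping Site_A on Negotiate ---
REM Use this instead of (b) only if Kerberos is not wanted for that site.
REM cscript //nologo C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/%SITE_ID%/NTAuthenticationProviders "NTLM"

REM --- Verify: the SPNs appear once, on the chosen account only ---
setspn -L %MACHINE_ACCT%
setspn -L %POOL_ACCT%
```

After registering the SPN, the Event ID 529 entries on the web server and the Kerberos Event ID 4 entries on the DC should stop for that site; if they continue, the SPN is still held by a second account.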