SetSPN.Exe

"Ethem Azun" <EthemA***@discussions.microsoft.com> wrote:

Hi,

I have IIS 6 on 2003 which is registered on the domain.

To run an ASP.NET Application with a domain account, I set the SPNs as follows;

setspn -A HTTP/servername domain\newaccountname
setspn -A HTTP/servername.domain.com domain\newaccountname
setspn -A HTTPS/servername domain\newaccountname
setspn -A HTTPS/servername.domain.com domain\newaccountname

After this, the application runs fine with kerberos. But the other apps which run under the Network Services account start showing challenge windows and don't authenticate. To my understanding, they all suddenly started requesting Kerberos auth instead of NTLM and since Network Services does not have an SPN (is it really so?), it does not work.

The question is; is there a way to make two web applications run under the same site, one under a domain account and the other under the Network Services account? (Both apps are reached inside the domain only.)

Thanks for any ideas, comments, corrections.

Ethem


"Ken Schaefer" <kenREM***@THISadOpenStatic.com> wrote:

: The question is; is there a way to make two web applications to run under
: the same site, one under a domain account and the other under the Network
: Services account? (Both apps are reached inside the domain only.)

I don't think this is possible. The SPN is registered by host name (e.g. "servername" or "server.domain.com"), and you need to tie a single identity to that host name. You can't use two different identities for a single hostname.

Cheers
Ken


"Ken Schaefer" wrote:

Should clarify that. I don't think you can use two identities with a single hostname /and/ the same service (HTTP). Obviously you can use different identities for different services...

Cheers
Ken


"Ethem Azun" wrote:

Hi Ken,

Thanks for the reply.

I might be mixed up about two things, please correct me if I'm wrong.

1) Is it a "must" to register an SPN for the server, if we want to run the application under a domain identity? (keeping every setting default, such as using kerberos etc.)

2) If that is so, and if what you suggested before (running different apps with different accounts on the same site is not possible, if one of the accounts is a domain account) is also true, then isn't this a very big constraint? Then the concept of application pools is not very helpful at all.

I believe it's a very normal request to be able to decide on this on the application level (at least the pool level), and not on the server level. It comes to the point that the only way to do such a thing is to force IIS to use NTLM or run in IIS5 Compatibility mode. But this is not a good practice.

I think something is not fitting in this picture, or I'm overlooking something.

Thanks,

Ethem


"Ken Schaefer" wrote:

: 1) Is it a "must" to register an SPN for the server, if we want to run the
: application under a domain identity? (keeping every setting default, such
: as using kerberos etc.)

If you want to use delegation, you need to register an SPN. When IIS is installed an SPN is registered for the default identity (Network Service)

: 2) If that is so, and if what you suggested before (running different apps
: with different accounts on the same site is not possible, if one of the
: accounts is a domain account) is also true, then isn't this a very big
: constraint? Then the concept of application pools is not very helpful at
: all.

Web App Pools are very useful for isolating web applications from each other (for security purposes, for stability purposes, and for scalability purposes).

If you want to use different identities for each web app, then give them different FQDN. You can then register an SPN for each FQDN (with a different identity for each FQDN)

: I believe it's a very normal request to be able to decide on this on the
: application level (at least the pool level), and not on the server level.

You can allocate different apps to different app pools, and run each app pool under a different identity. You can do all of this without registering an SPN. You only need to register an SPN if you want to configure delegation.

: It comes to the point that the only way to do such a thing is to force IIS to
: use NTLM or running in IIS5 Compatibility mode. But this is not a good
: practice.

NTLM is not delegatable. IIS Compatibility mode doesn't solve the delegation issue. You will have the same problem.


"Ethem Azun" wrote:

Hi Ken,

I'm now totally mixed up :)

My experience is as follows;

1) An IIS 6 with Win2003 on a domain. Users use domain accounts to access it.
2) Installed an ASP.NET Application that does NOT use impersonation. (hence no delegation?)
3) The application uses Windows Integrated Security. (all other options are cleared out.)
4) I first put it under the default pool, run it and access it, everything works fine.
5) I change the application to work on an app pool that is running under a domain account.
6) The domain account is a user of the IIS_WPG group.
7) I try to reach the index page (which is more or less a static page) and a challenge window pops up. (such as http://servername/appname/index.aspx or http://fqdnofserver/appname/index.aspx)
8) I try to login with domain accounts, local accounts etc, no luck. I check the event log and see that the username field is empty and auth type is kerberos.
9) I register the SPNs with server name and domain account name, the challenge window suddenly disappears, everything works fine.

To my understanding, there's no delegation here. According to what I understand from what you said, the above should have worked without 9.

Have I missed something?

Thanks,

Ethem


"Ken Schaefer" wrote:

In the normal course of events - you shouldn't be seeing what you are seeing.

Off the top of my head, I would have to ask: Is the index.aspx page that is being requested located locally on the IIS server? Or is it located on some remote server?

Cheers
Ken

--
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com


"Ethem Azun" wrote:

It's located locally.
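The thread never spells out the mechanism behind steps 4 to 9 and the breakage of the other pools, so here is a small model of it, added as an illustration and not code from either poster. It assumes constructed names (servername, domain.com, DOMAIN\newaccountname, a machine account DOMAIN\SERVERNAME$, an alias app2.domain.com) and models only what a service ticket is keyed to and which worker identity can decrypt it; it also includes the duplicate-SPN check a practitioner wants before running setspn -A.

```python
from dataclasses import dataclass, field

# Constructed names, not taken from the thread's real environment.
HOST = "servername"
FQDN = "servername.domain.com"
MACHINE = "DOMAIN\\SERVERNAME$"   # key an app pool running as Network Service decrypts with
SVC = "DOMAIN\\newaccountname"    # the custom app pool identity from the thread


@dataclass
class Directory:
    """Toy Active Directory: SPN -> accounts holding it. setspn -A appends,
    so registering the same SPN for a second account yields a duplicate."""
    spns: dict = field(default_factory=dict)

    def setspn_a(self, spn, account):
        self.spns.setdefault(spn.lower(), []).append(account)

    def holders(self, spn):
        return list(self.spns.get(spn.lower(), []))


def join_domain(d):
    """Domain join gives the computer account HOST/ SPNs. Windows maps the HTTP
    service class onto HOST, which is why a default (Network Service) pool
    works with no explicit HTTP/ SPN, as Ken says."""
    d.setspn_a(f"HOST/{HOST}", MACHINE)
    d.setspn_a(f"HOST/{FQDN}", MACHINE)


def find_duplicate_spns(d):
    """Any SPN held by two accounts breaks Kerberos for at least one of them;
    check this before adding SPNs by hand."""
    return {spn: accts for spn, accts in d.spns.items() if len(accts) > 1}


def issue_ticket(d, name):
    """KDC side. The browser asks for HTTP/<host in URL> for both http and https
    URLs, so the HTTPS/ SPNs registered in the thread are never looked up."""
    holders = d.holders(f"HTTP/{name}") or d.holders(f"HOST/{name}")
    if not holders:
        return ("KDC_ERR_S_PRINCIPAL_UNKNOWN", None)
    if len(holders) > 1:
        return ("DUPLICATE_SPN", None)
    return ("OK", holders[0])           # ticket is encrypted with this account's key


def auth_outcome(d, worker_identity, url_host):
    """What the user sees for one request: 'kerberos', 'ntlm' (no ticket, SPNEGO
    falls back), or 'challenge' (ticket keyed to an account the worker is not)."""
    status, owner = issue_ticket(d, url_host)
    if status == "KDC_ERR_S_PRINCIPAL_UNKNOWN":
        return "ntlm"
    if status != "OK":
        return "challenge"   # in practice intermittent, depending on which holder the KDC picks
    return "kerberos" if owner == worker_identity else "challenge"


def thread_scenario():
    """Ethem's steps 4-9 and the side effect he reports on the other pools."""
    d = Directory()
    join_domain(d)
    out = {
        # steps 4-8: ticket keyed to the machine account; the domain-account worker can't decrypt it
        "before_spn_network_service": auth_outcome(d, MACHINE, HOST),
        "before_spn_domain_account": auth_outcome(d, SVC, HOST),
    }
    # step 9: setspn -A HTTP/servername and HTTP/servername.domain.com for the domain account
    d.setspn_a(f"HTTP/{HOST}", SVC)
    d.setspn_a(f"HTTP/{FQDN}", SVC)
    out["after_spn_domain_account"] = auth_outcome(d, SVC, HOST)
    out["after_spn_network_service"] = auth_outcome(d, MACHINE, HOST)  # the other apps now break
    return out


def ken_fix():
    """One FQDN per identity: the custom-identity app gets its own host name
    (app2.domain.com, a constructed alias) and its own HTTP/ SPN."""
    d = Directory()
    join_domain(d)
    d.setspn_a("HTTP/app2.domain.com", SVC)
    return {
        "network_service_via_servername": auth_outcome(d, MACHINE, HOST),
        "domain_account_via_alias": auth_outcome(d, SVC, "app2.domain.com"),
        "duplicates": find_duplicate_spns(d),
    }


if __name__ == "__main__":
    for k, v in {**thread_scenario(), **ken_fix()}.items():
        print(f"{k}: {v}")
```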