IIS 6.0 Kerberos authentication

I have AAA site (not default web site) in IIS 6 on Windows 2003 Server. The AAA site uses Windows Integrated authentication.

I have a problem accessing the AAA site using DNS or FQDN name from other Windows 2003 Servers in the same domain - I have been prompted to enter user and password and get an error of wrong user or password (security log receives authentication failure messages).

I do succeed in accessing the AAA site by using a URL with the IP address.

Using the AuthDiag tool I see that I have a problem with Kerberos authentication (SPN not set), but NTLM authentication succeeds (this is why the URL with IP works).

More than that - if I configure IIS to work in IIS 5 compatibility mode - I do not have any problem accessing the AAA site using DNS name or FQDN.

The Kerberos, NTLM settings and security settings on all Windows 2003 servers seem to be correct. The IE settings of trusted sites & local sites do not resolve the problem.

Could you help me to understand why the authentication fails and what to do in order to use Worker Process Isolation mode?

Thanks

--
Eduard Timchenko
Business Technology Solutions Group
Verint Systems

Hi Eduard,
By default, IIS6 uses the worker process to serve the internet request, which is one process providing the service (we could find this from site properties->Home directory->Application Pool). We will need to specify one account as this process's identity. This Technet IIS article introduces the configuration of this identity for you:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/f05a7c2b-36b0-4b6e-ac7c-662700081f25.mspx

In your scenario, Kerberos will need to register the SPN name under this identity account in Active Directory. This kb article introduces more information for you with the resolution:
871179 You receive an "HTTP Error 401.1 - Unauthorized: Access is denied due to
http://support.microsoft.com/?id=871179

Please feel free to let me know if you have any question. It is my pleasure to be of any assistance.

Best Regards,
Wei-Dong XU
Microsoft Product Support Services
This posting is provided "AS IS" with no warranties, and confers no rights.
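
Added example, not part of either post and not Microsoft's code: a small checker that reads `setspn -L` listings and reports which account would receive the Kerberos ticket for a site's host name, compared with the account the worker process runs as. The domain `EXAMPLE`, the server `WEB01`, the application pool account `svc-aaa`, the listings and the function names are all constructed placeholders.

```python
import ipaddress

# Constructed `setspn -L <account>` output. Every name here is a placeholder.
LISTINGS = {
    "EXAMPLE\\WEB01$": (
        "Registered ServicePrincipalNames for CN=WEB01,CN=Computers,DC=example,DC=local:\n"
        "    HOST/WEB01\n"
        "    HOST/web01.example.local\n"),
    "EXAMPLE\\svc-aaa": (
        "Registered ServicePrincipalNames for CN=svc-aaa,CN=Users,DC=example,DC=local:\n"),
}

def parse_spns(text):
    """SPNs from one `setspn -L` listing, lower-cased (SPN matching ignores case)."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("Registered ServicePrincipalNames")}

def owners(host, listings):
    """Accounts that would receive the ticket for HTTP/<host>.
    An explicit HTTP/ SPN wins; otherwise HOST/ covers HTTP by the default alias."""
    for service in ("http", "host"):
        spn = f"{service}/{host}".lower()
        found = sorted(a for a, t in listings.items() if spn in parse_spns(t))
        if found:
            return found
    return []

def diagnose(url_host, worker_account, listings):
    """Return (status, accounts) for a browser request to http://<url_host>/."""
    try:
        ipaddress.ip_address(url_host)
        return ("ntlm", [])            # IP literal: no SPN to look up, NTLM is used
    except ValueError:
        pass
    accts = owners(url_host, listings)
    if not accts:
        return ("no-spn", [])          # no account holds an SPN for this name
    if len(accts) > 1:
        return ("duplicate", accts)    # same SPN on several accounts
    if accts[0].lower() != worker_account.lower():
        return ("mismatch", accts)     # ticket is encrypted with another account's key
    return ("ok", accts)

def with_spn(listings, account, spn):
    """Copy of the listings as they would read after `setspn -A <spn> <account>`."""
    out = dict(listings)
    out[account] = out[account] + "    " + spn + "\n"
    return out
```

Passing the computer account as `worker_account` models a process running as LocalSystem or Network Service, which authenticate with the computer account's key.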