Application Pools, Domain User Accounts and Service Principal Names

Tom McDonnell
02-17-2006
I've been involved in building an application in ASP.NET which has
utilised application pools in IIS6 to allow the site to run under the
credentials of a domain user and authenticate with SQL Server.

Having recently rolled this application out to a number of sites, we
have encountered a problem where Windows integrated authentication is
enabled, but users' credentials are not accepted. I've figured out the
problem to be due to there being no Service Principal Name for the
domain account.

Having found some documentation from Microsoft about this issue, I've
tried to create the SPN, but it causes authentication to then fail with
the NETWORK SERVICE user.
http://msdn.microsoft.com/library/de...considerations

How can Windows be configured so both the NETWORK SERVICE and domain
users can be used to perform Windows authentication in IIS6 application
pools?
Joe Kaplan (MVP - ADSI)
02-17-2006
My experience has been that to have an SPN that belongs to the domain
service account that does not conflict with the SPNs already assigned to the
machine account, you need a new DNS name and a new A record in DNS for that
name. Then, if you give the machine account the SPN corresponding to the
new DNS name, it should be ok.

Note that I've recently tried to do this with a CNAME record in DNS that
just aliases the A record associated with the machine account's DNS/SPN, but
Kerberos seems to be too clever and resolves the alias back to the A record
name before creating its SPN.

I feel your pain.

HTH,

Joe K.

"Tom McDonnell" <qirexrd_@_hotmail.com> wrote in message
news:...
> I've been involved in building an application in ASP.NET which has
> utilised application pools in IIS6 to allow the site to run under the
> credentials of a domain user and authenticate with SQL Server.
>
> Having recently rolled this application out to a number of sites, we have
> encountered a problem where Windows integrated authentication is enabled,
> but users' credentials are not accepted. I've figured out the problem to be
> due to there being no Service Principal Name for the domain account.
>
> Having found some documentation from Microsoft about this issue, I've
> tried to create the SPN, but it causes authentication to then fail with
> the NETWORK SERVICE user.
> http://msdn.microsoft.com/library/de...considerations
>
> How can Windows be configured so both the NETWORK SERVICE and domain users
> can be used to perform Windows authentication in IIS6 application pools?



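The setup Joe describes, as an added example (this is not code from the thread): a PowerShell pre-flight check that confirms the site name is its own A record rather than a CNAME, and finds which accounts already hold the HTTP SPN for it, so the SPN can be placed on the app pool's domain account without duplicating one the machine account already has. The names app.corp.example and CORP\svc-apppool are placeholders, and setspn.exe is assumed to be on the path.

```powershell
# Added example, not from the thread. Placeholders: app.corp.example, CORP\svc-apppool.
param(
    [string]$SiteFqdn       = 'app.corp.example',   # DNS name the site answers on (assumed)
    [string]$ServiceAccount = 'CORP\svc-apppool',   # app pool identity (assumed)
    [switch]$Register                               # only change AD when explicitly asked
)

# 1. The site name must be its own A record. With a CNAME the Kerberos client
#    canonicalises the alias to the target host and asks for HTTP/<target>,
#    which resolves to the machine account's SPNs, not the service account's.
$dns = Resolve-DnsName -Name $SiteFqdn -ErrorAction Stop
if ($dns | Where-Object { $_.Type -eq 'CNAME' }) {
    Write-Warning "$SiteFqdn is a CNAME; Kerberos will use the target name. Create an A record instead."
}

# 2. Each SPN may be registered on exactly one account. IIS6 running as
#    NETWORK SERVICE relies on the machine account's own SPNs, so HTTP/<name>
#    on the service account is safe only while nothing else holds it.
$shortName = $SiteFqdn.Split('.')[0]
foreach ($spn in @("HTTP/$SiteFqdn", "HTTP/$shortName")) {
    # setspn -Q prints the DN (a line starting with CN=) of every account holding the SPN.
    $output = & setspn.exe -Q $spn 2>&1
    $owners = @($output | Where-Object { $_ -match '^CN=' })
    switch ($owners.Count) {
        0 {
            Write-Host "$spn is unregistered."
            if ($Register) {
                # -S refuses to add a duplicate (setspn on Server 2008+; older setspn only has -A).
                & setspn.exe -S $spn $ServiceAccount
            }
        }
        1 { Write-Host "$spn is held by $($owners[0]); verify that this is $ServiceAccount." }
        default {
            Write-Warning "$spn is duplicated on $($owners.Count) accounts: $($owners -join '; '). Kerberos fails for all of them until the extra copies are removed (setspn -D)."
        }
    }
}

# 3. Show what the service account holds after the check.
& setspn.exe -L $ServiceAccount
```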
Dominick Baier [DevelopMentor]
02-17-2006
> Note that I've recently tried to do this with a CNAME record in DNS
> that just aliases the A record associated with the machine account's
> DNS/SPN, but Kerberos seems to be too clever and resolves the alias
> back to the A record name before creating its SPN.


Wow. Interesting.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> My experience has been that to have an SPN that belongs to the domain
> service account that does not conflict with the SPNs already assigned
> to the machine account, you need a new DNS name and a new A record in
> DNS for that name. Then, if you give the machine account the SPN
> corresponding to the new DNS name, should be ok.
>
> Note that I've recently tried to do this with a CNAME record in DNS
> that just aliases the A record associated with the machine account's
> DNS/SPN, but Kerberos seems to be too clever and resolves the alias
> back to the A record name before creating its SPN.
>
> I feel your pain.
>
> HTH,
>
> Joe K.
>
> "Tom McDonnell" <qirexrd_@_hotmail.com> wrote in message
> news:...
>
>> I've been involved in building an application in ASP.NET which has
>> utilised application pools in IIS6 to allow the site to run under the
>> credentials of a domain user and authenticate with SQL Server.
>>
>> Having recently rolled this application out to a number of sites, we
>> have encountered a problem where Windows integrated authentication is
>> enabled, but users' credentials are not accepted. I've figured out the
>> problem to be due to there being no Service Principal Name for the
>> domain account.
>>
>> Having found some documentation from Microsoft about this issue, I've
>> tried to create the SPN, but it causes authentication to then fail
>> with the NETWORK SERVICE user.
>>
>> http://msdn.microsoft.com/library/de...ary/en-us/dnpag2/html/paght000009.asp#paght000009_additionalconsiderations
>>
>> How can Windows be configured so both the NETWORK SERVICE and domain
>> users can be used to perform Windows authentication in IIS6
>> application pools?
>>
Tom McDonnell
02-21-2006
> My experience has been that to have an SPN that belongs to the domain
> service account that does not conflict with the SPNs already assigned to the
> machine account, you need a new DNS name and a new A record in DNS for that
> name. Then, if you give the machine account the SPN corresponding to the
> new DNS name, should be ok.


This is really out of my league; the documentation I have found is
purely technical, and nothing you can learn from. Well, it's back to
using .NET impersonation and recording static user credentials in the
registry...

> I feel your pain.


The problem is there is no way I can communicate this to Microsoft and
say HOY! the documentation doesn't go nearly far enough, how 'bout
improving it! I did send them feedback for the article but I'm sure that
will just go off into oblivion.

Thanks Joe.
Joe Kaplan (MVP - ADSI)
02-22-2006
I'm a pretty big fan of the TechNet "kerberos troubleshooting" article. It
is the most thorough I've seen.

http://www.microsoft.com/technet/pro.../tkerberr.mspx

The other thing that is critical is enabling event logging for Logon/Logoff
requests (both success and failure) so that you can see what auth package is
being used and what SPNs. A lot of those details are recorded in the log
messages. Learning to use a packet sniffer like netmon or Ethereal can be
helpful too.

Unfortunately, there is still some black magic involved when trying to
figure out why sometimes Negotiate fails over to NTLM. I'm still trying to
find the magic tool that tells me why Kerberos isn't available when I think
it should be.

Best of luck.

Joe K.

"Tom McDonnell" <qirexrd_@_hotmail.com> wrote in message
news:...
>
> This is really out of my league; the documentation I have found is purely
> technical, and nothing you can learn from. Well, it's back to using .NET
> impersonation and recording static user credentials in the registry...
>
>> I feel your pain.

>
> The problem is there is no way I can communicate this to Microsoft and say
> HOY! the documentation doesn't go nearly far enough, how 'bout improving
> it! I did send them feedback for the article but I'm sure that will just
> go off into oblivion.
>
> Thanks Joe.



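Joe's advice about Logon/Logoff auditing, as an added example that is not from the thread: a PowerShell pass over the Security log that groups network logons by authentication package so an unexpected NTLM fallback stands out, and lists the SPN each client actually asked for from the Kerberos ticket-request events on a domain controller. It assumes the later event IDs (4624 on the web server, 4769 on a domain controller) rather than the IIS6-era ones, and that success and failure auditing for Logon and Account Logon are enabled.

```powershell
# Added example, not from the thread. Assumes Logon and Account Logon auditing
# (success and failure) is on, and modern event IDs: 4624 on the web server,
# 4769 on a domain controller.
param([int]$Hours = 1)
$since = (Get-Date).AddHours(-$Hours)

# Pull one named EventData field out of an event's XML payload.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Web server: which package did each network logon (type 3) use?
#    Negotiate ends up as Kerberos when the client got a ticket for the site's
#    SPN; NTLM for domain users means it could not, which is the symptom in this thread.
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ((Get-EventField $_ 'LogonType') -eq '3') {
            [pscustomobject]@{
                User    = Get-EventField $_ 'TargetUserName'
                Package = Get-EventField $_ 'AuthenticationPackageName'
                Client  = Get-EventField $_ 'IpAddress'
            }
        }
    }
$logons | Group-Object Package | Select-Object Name, Count | Format-Table -AutoSize
# Domain users (not machine accounts ending in $) that fell back to NTLM.
$logons | Where-Object { $_.Package -eq 'NTLM' -and $_.User -notlike '*$' } |
    Sort-Object User -Unique | Format-Table -AutoSize

# 2. Domain controller: the SPN each client requested (ServiceName), which is
#    what has to match a registered SPN. Status 0x0 is success; 0x7 is
#    KDC_ERR_S_PRINCIPAL_UNKNOWN, i.e. no account holds that SPN.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Client = Get-EventField $_ 'TargetUserName'
            SPN    = Get-EventField $_ 'ServiceName'
            Status = Get-EventField $_ 'Status'
        }
    } | Where-Object { $_.SPN -like 'HTTP/*' } | Format-Table -AutoSize
```

Run part 2 on a domain controller, or add -ComputerName to the second Get-WinEvent call to read its log remotely.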
Dominick Baier [DevelopMentor]
02-22-2006
Hi,

It is called Ethereal (www.ethereal.com)

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> I'm a pretty big fan of the TechNet "kerberos troubleshooting"
> article. It is the most thorough I've seen.
>
> http://www.microsoft.com/technet/pro...er2003/technologies/security/tkerberr.mspx
>
> The other thing that is critical is enabling event logging for
> Logon/Logoff requests (both success and failure) so that you can see
> what auth package is being used and what SPNs. A lot of those details
> are recorded in the log messages. Learning to use a packet sniffer
> like netmon or Ethereal can be helpful too.
>
> Unfortunately, there is still some black magic involved when trying to
> figure out why sometimes Negotiate fails over to NTLM. I'm still
> trying to find the magic tool that tells me why Kerberos isn't
> available when I think it should be.
>
> Best of luck.
>
> Joe K.
>
> "Tom McDonnell" <qirexrd_@_hotmail.com> wrote in message
> news:...
>
>> This is really out of my league, the documentation I have found is
>> purely technical, and nothing you can learn from. Well, it's back to
>> using .NET impersonation and recording static user credentials in the
>> registry...
>>
>>> I feel your pain.
>>>

>> The problem is there is no way I can communicate this to Microsoft
>> and say HOY! the documentation doesn't go nearly far enough, how
>> 'bout improving it! I did send them feedback for the article but I'm
>> sure that will just go off into oblivion.
>>
>> Thanks Joe.
>>



 
Reply With Quote
 
Joe Kaplan \(MVP - ADSI\)
Guest
Posts: n/a
 
      02-22-2006
I was afraid you would say that.

However, the problem with it is that sometimes, no Kerberos traffic is
generated at all, so the reason for NTLM failover is unclear. I still want
the tool that tells me why.

I don't want to try to do my work with Ethereal though.

Joe K.

"Dominick Baier [DevelopMentor]" <>
wrote in message news:. com...
> Hi,
> it is called ethereal (www.ethereal.com)
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
Dominick Baier [DevelopMentor]
02-23-2006
Joe -

you should

tooling is "sub-optimal", I agree.

When I get back home I have to try the A vs CNAME thing - if there is magic
involved it must happen on the server - the TGS_REQ looks exactly the same
IMO.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> I was afraid you would say that.
>
> However, the problem with it is that sometimes, no Kerberos traffic is
> generated at all, so the reason for NTLM failover is unclear. I still
> want the tool that tells me why.
>
> I don't want to try to do my work with Ethereal though.
>
> Joe K.
>
> "Dominick Baier [DevelopMentor]"
> <> wrote in message
> news:. com...
>
>> Hi,
>> it is called ethereal (www.ethereal.com)
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
Joe Kaplan (MVP - ADSI)
02-23-2006
Let me know what you find. Note that my issues seem to revolve around
protocol transition/constrained delegation too. I get different/better
results in some cases with straight Kerberos delegation. With PT, the SPN
of the delegating process seems to come into play.

Joe K.

"Dominick Baier [DevelopMentor]" <>
wrote in message news:. com...
> Joe -
> you should
>
> tooling is "sub-optimal", I agree.
>
> When I get back home I have to try the A vs CNAME thing - if there is
> magic involved it must happen on the server - the TGS_REQ looks exactly
> the same IMO.
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>> I was afraid you would say that.
>>
>> However, the problem with it is that sometimes, no Kerberos traffic is
>> generated at all, so the reason for NTLM failover is unclear. I still
>> want the tool that tells me why.
>>
>> I don't want to try to do my work with Ethereal though.
>>
>> Joe K.
>>
>> "Dominick Baier [DevelopMentor]"
>> <> wrote in message
>> news:. com...
>>
>>> Hi,
>>> it is called ethereal (www.ethereal.com)
>>> ---------------------------------------
>>> Dominick Baier - DevelopMentor
>>> http://www.leastprivilege.com
