I have a DNS alias of MyWebServer, which points to the IP of a Windows 2008 R2 box running IIS 7.5. I have the correct HTTP SPNs set up for a domain user which has permissions to delegate to a nominated HTTP web service using Kerberos.
IIS is configured at the top level to use kernel-mode auth and to useAppPoolCredentials.

The main application on the IIS box is running under an app pool with the identity of my domain user. The application works as intended: correct Kerberos tickets are issued and the app is able to delegate the Windows user's identity perfectly.

There are, however, other applications using the same IIS website, but using different app pools which are running as Network Service. All the apps are set to only use Windows authentication (Anonymous turned off).

Whenever I hit one of these applications in IE I get prompted to log in. Entering correct domain credentials results in a 401 error after 3 login attempts. The web server is recognised by IE as being in the Local Intranet zone, and IE is configured to log in to servers in this zone automatically. I'm also being issued a valid Kerberos ticket when hitting these apps even though they themselves will never need the ticket.

Now, when I set the application pool identity to the domain user for the other apps, and do an iisreset... the applications work as intended.

Now, my question is... Is this as expected/intended?
Am I not able to run a mixture of apps in an IIS website that has been set up with an SPN that uses a domain user account? I've previously had a mixture of websites like this working using an HTTP/alias machine SPN, but so far have struggled with an HTTP/alias domain-user setup.


Edit: Brent's answer is correct. I found this Microsoft article which elaborates slightly: http://support.microsoft.com/kb/871179

An SPN for a service can only be associated with one account. Therefore, if you use this suggested resolution, any other application pool that is running under a different domain user account cannot be used with Integrated Windows authentication only.


To work around this behavior if you have multiple application pools that run under different domain user accounts, you must force IIS to use NTLM as your authentication mechanism if you want to use Integrated Windows authentication only.

GordonB
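As an added diagnostic (not from the original post or from Microsoft), the PowerShell below lists each application under one IIS site with its app pool identity next to the effective windowsAuthentication settings, and flags the combination described above: useAppPoolCredentials inherited from the site while the application's pool runs as an account other than the one holding the HTTP SPN. The site name and SPN account are placeholders.

```powershell
# Added diagnostic, not from the original post. Reports pool identity and
# Windows-auth settings per application and flags the mismatch from the question.
Import-Module WebAdministration

$SiteName   = 'Default Web Site'    # placeholder: name of the IIS website
$SpnAccount = 'DOMAIN\svc_webapp'   # placeholder: account that holds HTTP/MyWebServer

$authFilter = 'system.webServer/security/authentication/windowsAuthentication'

function Get-PoolIdentity([string]$PoolName) {
    $pool = Get-Item "IIS:\AppPools\$PoolName"
    if ($pool.processModel.identityType -eq 'SpecificUser') {
        return $pool.processModel.userName
    }
    return [string]$pool.processModel.identityType   # e.g. NetworkService
}

# The site root plus every application created beneath it
$apps = @(New-Object PSObject -Property @{ path = '/'; pool = (Get-Item "IIS:\Sites\$SiteName").applicationPool })
$apps += Get-WebApplication -Site $SiteName |
    ForEach-Object { New-Object PSObject -Property @{ path = $_.path; pool = $_.applicationPool } }

$apps | ForEach-Object {
    $psPath   = "IIS:\Sites\$SiteName" + $_.path.TrimEnd('/').Replace('/', '\')
    $identity = Get-PoolIdentity $_.pool
    $kernel   = (Get-WebConfigurationProperty -PSPath $psPath -Filter $authFilter -Name useKernelMode).Value
    $poolCred = (Get-WebConfigurationProperty -PSPath $psPath -Filter $authFilter -Name useAppPoolCredentials).Value
    $provs    = (Get-WebConfigurationProperty -PSPath $psPath -Filter "$authFilter/providers" -Name Collection |
                 ForEach-Object { $_.value }) -join ','

    # Kernel-mode auth decrypts tickets with the machine account unless useAppPoolCredentials
    # is set; once set, the HTTP/<alias> ticket must be decryptable by the pool identity, so a
    # pool running as Network Service cannot complete Kerberos for an SPN held by a domain user.
    $note = ''
    if ($poolCred -and ($identity -ne $SpnAccount)) {
        $note = 'MISMATCH: useAppPoolCredentials=true but pool identity does not hold the SPN'
    }
    New-Object PSObject -Property @{
        Application  = $_.path
        AppPool      = $_.pool
        Identity     = $identity
        KernelMode   = $kernel
        AppPoolCreds = $poolCred
        Providers    = $provs
        Note         = $note
    }
} | Select-Object Application, AppPool, Identity, KernelMode, AppPoolCreds, Providers, Note |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell on the IIS box; any row flagged MISMATCH is one of the apps that will prompt and then fail with 401 unless its pool runs as the SPN account or, per the KB article, NTLM is used for it instead.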

1 Answer

Sounds right: the Network Service account has no permission to your domain, therefore it cannot authenticate... at least that sounds like what it's doing.

Once you pop in the domain credentials the application pool now has the rights of the user when making calls against AD, in this case eventually to authenticate.

Brent Pabst
  • So what's the lesser of 2 evils: separating the apps that need to run under a domain account to a new website & alias, or setting all of the app pools' identities to be that of the domain user? – GordonB Jun 07 '12 at 12:16
  • Well by default when you create a new website in IIS 7.5+ it also creates a new application pool for you as well. For my AD integrated applications I typically look to creating a service account in AD for each application, depending on how sensitive it is and then just set the appPool to run as that user. It's a pretty normal setup. – Brent Pabst Jun 07 '12 at 12:18