1

We are using Virtual PCs for a testing mockup. One VPC is running as a Domain Controller with AD configured on it. The domain name is testing.local. We have another VPC in the domain running a web application (configured as a web site listening on port 198) using Integrated Windows Authentication and basic authentication (to send login id/pwd). Now the problem is that some users created in AD can access this application (http://testsystem:198/) and some cannot. IIS gives a 401.2 error even after entering the right login id/pwd combination.

I tried searching the web and was directed to the AuthDiag tool. I installed it and ran Active Directory (Kerberos Key Distribution Center) Information. It shows the following error many times (there are many web sites running in this VPC):

Service principal name (SPN) for machine 'testsystem' not found in Active Directory

Please help, we are stuck and cannot test the application.

Murali Suriar
TheVillageIdiot

2 Answers

1

It's some problem with the Kerberos authentication, possibly connected to the account you're running the website under - take a look at this:

http://blogs.technet.com/askds/archive/2008/06/11/kerberos-authentication-problems-service-principal-name-spn-issues-part-3.aspx

If that isn't the exact problem, the debugging steps listed there should allow you to add more details to your question that should help people to come up with a correct answer.

Whisk
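
The registration that AuthDiag reports as missing in the question can be inspected by hand with `setspn -L`. The following is an added example, not part of the original question or answers: it parses that output and reports whether the HOST/ SPNs for 'testsystem' in testing.local are present. The sample output is constructed, the function names are hypothetical, and it assumes the site's application pool runs as the machine account (Network Service or LocalSystem).

```powershell
# Sample `setspn -L testsystem` output, constructed for illustration.
# On a domain member, replace the next two statements with:
#   $lines = setspn -L testsystem
$sample = @'
Registered ServicePrincipalNames for CN=TESTSYSTEM,CN=Computers,DC=testing,DC=local:
    HOST/TESTSYSTEM
    TERMSRV/testsystem.testing.local
'@
$lines = $sample -split "`r?`n"

function Get-RegisteredSpn {
    param([string[]]$SetSpnOutput)
    # SPN entries are the indented "class/host" lines below the header line.
    $SetSpnOutput |
        Where-Object { $_ -match '^\s+\S+/\S+' } |
        ForEach-Object { $_.Trim() }
}

function Test-HostSpn {
    param([string[]]$Registered, [string]$ComputerName, [string]$DnsDomain)
    # Assumption: the application pool runs as the machine account, so Kerberos
    # tickets for HTTP/<host> are issued against the HOST/ SPNs (HTTP is mapped
    # onto HOST by default). Both the short and the fully qualified name matter.
    $expected = "HOST/${ComputerName}", "HOST/${ComputerName}.${DnsDomain}"
    foreach ($spn in $expected) {
        [pscustomobject]@{
            Spn        = $spn
            # SPN comparison is case-insensitive.
            Registered = [bool]($Registered | Where-Object { $_ -ieq $spn })
        }
    }
}

$registered = Get-RegisteredSpn -SetSpnOutput $lines
Test-HostSpn -Registered $registered -ComputerName 'testsystem' -DnsDomain 'testing.local' |
    Format-Table -AutoSize
```

If the application pool runs under a domain user account instead, the SPNs to look for are HTTP/ entries on that user account rather than HOST/ entries on the computer account.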
0

If you aren't using any delegation, set IIS to use NTLM only to eliminate Kerberos.

For the default web site, use

cscript adsutil.vbs set w3svc/1/root/NTAuthenticationProviders "NTLM"
Christopher_G_Lewis