
On Windows 2003 using IIS 6, we are trying to set up Kerberos authentication. This is working to some extent. I have set up a separate application pool with a service account. Whenever I use this application pool with the pplinfo service account, the user will not authenticate with Active Directory. Any help would be great.

  • Errors? Did you put the SPNs in properly? Are there multiple app pools with different identities trying to do Kerberos auth? – K. Brian Kelley Aug 12 '09 at 14:54
  • All the pools for this application are run under the same service account. Regarding the SPNs, this was done by our IT department, as far as we have been told, which I have a feeling has not been done right. – Antony Delaney Aug 12 '09 at 15:00

1 Answer


You should probably check to see if the SPN is set correctly.

If you have the support tools installed, you can run this command:

Cscript "C:\Program Files\Support Tools\search.vbs" "LDAP://DC=Your,dc=Domain,dc=com" /C:"(serviceprincipalname=<YourSPNHere>)" /S:Subtree /P:DistinguishedName

Replace <YourSPNHere> with your SPN in the form http\YourURL and enter your domain in LDAP form.

If you don't find your SPN, that's the problem.

There's a SetSPN command that should work also:

SetSPN -L <Account>

But I can never get the -L parameter to work with an account object, only a computer object. That actually might be due to rights that our AD team imposes. YMMV...

Christopher_G_Lewis
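The SPN check the answer describes, done from PowerShell so that it also catches the two failure modes the comments hint at (the SPN registered on the wrong object, or on more than one object). This is an added example, not code from the answer or the original page; it assumes a domain-joined machine, and the site hostname and pool account below are placeholders.

```powershell
# Added example (not from the original answer): verify that the HTTP SPN for a
# site is registered on the app pool's service account and on nothing else.
# Assumptions: run as a domain user on a domain-joined machine; $SiteHost and
# $PoolAccount are placeholders for your site hostname and pool identity.
param(
    [string]$SiteHost    = 'intranet.example.com',  # hostname users browse to
    [string]$PoolAccount = 'pplinfo'                 # sAMAccountName of the pool identity
)

# Browsers request a Kerberos ticket for HTTP/<host>, so that is the SPN to look for.
$spn = "HTTP/$SiteHost"

# Search the whole domain (default naming context) for every object holding the SPN.
$root     = [ADSI]"LDAP://RootDSE"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]("LDAP://" + $root.defaultNamingContext)
$searcher.SearchScope = 'Subtree'
$searcher.Filter      = "(servicePrincipalName=$spn)"
[void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'distinguishedName', 'objectClass'))

$holders = @($searcher.FindAll() | ForEach-Object {
    [pscustomobject]@{
        Account = [string]$_.Properties['samaccountname'][0]
        DN      = [string]$_.Properties['distinguishedname'][0]
        Class   = [string](@($_.Properties['objectclass'])[-1])   # most specific class, e.g. user / computer
    }
})

switch ($holders.Count) {
    0 { "MISSING: $spn is not registered on any object, so no Kerberos ticket can be issued for it." }
    1 {
        if ($holders[0].Account -ieq $PoolAccount) {
            "OK: $spn is registered on $($holders[0].DN)"
        } else {
            # Typical when the SPN stayed on the machine account after the pool moved to a service account.
            "WRONG OWNER: $spn is on $($holders[0].DN) ($($holders[0].Class)), not on $PoolAccount"
        }
    }
    default {
        # With a duplicate SPN the KDC cannot pick a single key, so IIS cannot decrypt the ticket.
        "DUPLICATE: $spn is registered on $($holders.Count) objects:"
        $holders | ForEach-Object { "  $($_.DN)" }
    }
}
```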