IIS 6 und Kerberos

Hi!
I've a problem. I don't no it's my problem or a problem of IIS.
The scenario:
We have a member server with IIS in a W2K3 domain. There is only one website
on it, one Applpool, only one default.htm (simple HTML, no script).
Authentication isn't allowed anonym and Authentication methode is Window
integriert.
If I authenticate with NTLM all is fine, the site is shown.
If I authenticate with Kerberos (Negotiate) a logon windows appears, I try
it 3 times, then it appears "HTTP Error 401.1 - Unauthorized: Access is
denied due to invalid credentials ".
The eventlog writes a security event 529 logon/logoff, Unkown username or
wrong password, logontyp 3, Auth paket Kerberos. (Sorry I have a german
system, here the original Event. the blanc points are so blanc)
Ereignistyp: Fehlerüberw.
Ereignisquelle: Security
Ereigniskategorie: An-/Abmeldung
Ereigniskennung: 529
Datum: 17.01.2008
Zeit: 15:40:40
Benutzer: NT-AUTORITÄT\SYSTEM
Computer: TT-W2003-KERB
Beschreibung:
Fehlgeschlagene Anmeldung:
Grund: Unbekannter Benutzername oder falsches Kennwort
Benutzername:
Domäne:
Anmeldetyp: 3
Anmeldevorgang: Kerberos
Authentifizierungspaket: Kerberos
Name der Arbeitsstation: -
Aufruferbenutzername: -
Aufruferdomäne: -
Aufruferanmeldekennung: -
Aufruferprozesskennung: -
Übertragene Dienste: -
Quellnetzwerkadresse: x.y.z.w
Quellport: 50449


All steps in http://support.microsoft.com/?id=871179 I made. I read many, I
tried many - now I'm at a loss.

Originally we configured the MOSS with SQL Server on other server for
Kerberos. Because this doesn't work, the scenario above was built.

Is there anywhere anyone being able to help? Please!
Hopeful
Tobia

RE: IIS 6 und Kerberos

Have you set a SPN? see: http://support.microsoft.com/kb/929650 or the whole
series in MSDN: http://msdn2.microsoft.com/en-us/library/ms998297.aspx

"Tobia" wrote:

> Hi!
> I've a problem. I don't no it's my problem or a problem of IIS.
> The scenario:
> We have a member server with IIS in a W2K3 domain. There is only one website
> on it, one Applpool, only one default.htm (simple HTML, no script).
> Authentication isn't allowed anonym and Authentication methode is Window
> integriert.
> If I authenticate with NTLM all is fine, the site is shown.
> If I authenticate with Kerberos (Negotiate) a logon windows appears, I try
> it 3 times, then it appears "HTTP Error 401.1 - Unauthorized: Access is
> denied due to invalid credentials ".
> The eventlog writes a security event 529 logon/logoff, Unkown username or
> wrong password, logontyp 3, Auth paket Kerberos. (Sorry I have a german
> system, here the original Event. the blanc points are so blanc)
> Ereignistyp: Fehlerüberw.
> Ereignisquelle: Security
> Ereigniskategorie: An-/Abmeldung
> Ereigniskennung: 529
> Datum: 17.01.2008
> Zeit: 15:40:40
> Benutzer: NT-AUTORITÄT\SYSTEM
> Computer: TT-W2003-KERB
> Beschreibung:
> Fehlgeschlagene Anmeldung:
> Grund: Unbekannter Benutzername oder falsches Kennwort
> Benutzername:
> Domäne:
> Anmeldetyp: 3
> Anmeldevorgang: Kerberos
> Authentifizierungspaket: Kerberos
> Name der Arbeitsstation: -
> Aufruferbenutzername: -
> Aufruferdomäne: -
> Aufruferanmeldekennung: -
> Aufruferprozesskennung: -
> Übertragene Dienste: -
> Quellnetzwerkadresse: x.y.z.w
> Quellport: 50449
>
>
> All steps in http://support.microsoft.com/?id=871179 I made. I read many, I
> tried many - now I'm at a loss.
>
> Originally we configured the MOSS with SQL Server on other server for
> Kerberos. Because this doesn't work, the scenario above was built.
>
> Is there anywhere anyone being able to help? Please!
> Hopeful
> Tobia
>
>
>
>
>
>

Re: IIS 6 und Kerberos

I have a long series on configuring/using Kerberos with IIS. This is part
5 - it has links to the earlier parts. Read the bits you need configured,
and then post if you are still having issues:
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/07/18/ 8460.aspx

Cheers
Ken

"Tobia" wrote in message
news:OmknR%23RWIHA.5208@TK2MSFTNGP04.phx.gbl...
> Hi!
> I've a problem. I don't no it's my problem or a problem of IIS.
> The scenario:
> We have a member server with IIS in a W2K3 domain. There is only one
> website on it, one Applpool, only one default.htm (simple HTML, no
> script).
> Authentication isn't allowed anonym and Authentication methode is Window
> integriert.
> If I authenticate with NTLM all is fine, the site is shown.
> If I authenticate with Kerberos (Negotiate) a logon windows appears, I try
> it 3 times, then it appears "HTTP Error 401.1 - Unauthorized: Access is
> denied due to invalid credentials ".
> The eventlog writes a security event 529 logon/logoff, Unkown username or
> wrong password, logontyp 3, Auth paket Kerberos. (Sorry I have a german
> system, here the original Event. the blanc points are so blanc)
> Ereignistyp: Fehlerüberw.
> Ereignisquelle: Security
> Ereigniskategorie: An-/Abmeldung
> Ereigniskennung: 529
> Datum: 17.01.2008
> Zeit: 15:40:40
> Benutzer: NT-AUTORITÄT\SYSTEM
> Computer: TT-W2003-KERB
> Beschreibung:
> Fehlgeschlagene Anmeldung:
> Grund: Unbekannter Benutzername oder falsches Kennwort
> Benutzername:
> Domäne:
> Anmeldetyp: 3
> Anmeldevorgang: Kerberos
> Authentifizierungspaket: Kerberos
> Name der Arbeitsstation: -
> Aufruferbenutzername: -
> Aufruferdomäne: -
> Aufruferanmeldekennung: -
> Aufruferprozesskennung: -
> Übertragene Dienste: -
> Quellnetzwerkadresse: x.y.z.w
> Quellport: 50449
>
>
> All steps in http://support.microsoft.com/?id=871179 I made. I read many,
> I tried many - now I'm at a loss.
>
> Originally we configured the MOSS with SQL Server on other server for
> Kerberos. Because this doesn't work, the scenario above was built.
>
> Is there anywhere anyone being able to help? Please!
> Hopeful
> Tobia
>
>
>
>
>

Re: IIS 6 und Kerberos

> Have you set a SPN? see: http://support.microsoft.com/kb/929650 or the
> whole
> series in MSDN: http://msdn2.microsoft.com/en-us/library/ms998297.aspx

Yes, of course I had set the SPNs.
Tobia

Re: IIS 6 und Kerberos

Thanks. The blanc scenario in IIS works now. But the main problem (MOSS,SQL
Server-all on other machines in the same domain) continues to exist.
I have checked everything once again. But I can't find the reason for the
trouble.
Great weekend
Tobia