integrated authentication
am 24.05.2006 08:41:35 von frdt
Hi,
I have an intranet ASP application running on IIS6, with data on a SQL Server
running on another computer (the two servers are member servers of our Active
Directory domain). Access to the data is based on the user account that
connects to the IIS application.
The application runs on port 80 with a host header of
app.mydomain.com (other applications run on port 80 without a
host header).
The application runs in an application pool with a domain account from Active
Directory.
With basic authentication, the user can launch the application and has
access to the data. (I use impersonate = true in the web.config file.)
I am now trying to activate integrated authentication, but nothing is
working: I always get a popup asking for user and password, and the same user
account can't access the application.
Following the documentation, I set an SPN for the identity running the
application pool with the setspn tool and the syntax setspn -A
HTTP/app.mydomain.com mydomain\myuserapp
I set NTAuthenticationProviders to "Negociate,NTLM" on the right
virtual directory using the adsutil.vbs script.
I restarted the IIS server (iisreset).
Using the authentication and diagnostic tools from Microsoft on the web
server and verifying Kerberos security, I just see "Service principal name
(SPN) for user mydomain\myuserapp' not found in Active Directory", but with
ADSI Edit on the same account I have an SPN set. It's the only trace I
have to debug my authentication problem.
Do you have any ideas?
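A check worth running before touching the configuration further, added here as an example and not part of the original post: `setspn -A` registers an SPN without checking whether another account already holds it, and a duplicate HTTP/app.mydomain.com (say, on both the web server's computer account and the pool identity) leaves the KDC unable to pick a key, so clients quietly fall back to NTLM. The script below takes an account-to-SPN table and an IIS site table (both constructed to mirror the setup in the post; the account and host names are assumptions, not data from the thread) and reports duplicates, missing HTTP SPNs, and SPNs registered on an account other than the one whose key the worker process actually uses. In practice you would fill the first table from `setspn -L <account>` for each account, or from an LDAP query on servicePrincipalName.

```python
"""Consistency check for the HTTP SPNs an IIS 6 site needs for Kerberos.

Added example, not from the thread. The accounts, SPN lists and site table
are constructed to mirror the setup in the post (host header
app.mydomain.com, app pool identity mydomain\\myuserapp).
"""
from collections import defaultdict

# Constructed data: servicePrincipalName values per account. The HTTP SPN on
# the computer account is the kind of leftover `setspn -A` adds silently,
# since -A does not refuse duplicates.
SPNS_BY_ACCOUNT = {
    "MYDOMAIN\\myuserapp": ["HTTP/app.mydomain.com"],
    "MYDOMAIN\\WEBSRV$": ["HOST/WEBSRV", "HOST/websrv.mydomain.com",
                          "HTTP/app.mydomain.com"],
    "MYDOMAIN\\sqlsvc": ["MSSQLSvc/sqlsrv.mydomain.com:1433"],
}

# Constructed IIS site table: host headers per site and the pool identity.
SITES = [
    {"host_headers": ["app.mydomain.com"], "pool_identity": "MYDOMAIN\\myuserapp"},
    {"host_headers": ["websrv"], "pool_identity": "NT AUTHORITY\\NETWORK SERVICE"},
]
MACHINE_ACCOUNT = "MYDOMAIN\\WEBSRV$"


def spn_owners(spns_by_account):
    """Invert account -> SPNs into lower-cased SPN -> [accounts]."""
    owners = defaultdict(list)
    for account, spns in spns_by_account.items():
        for spn in spns:
            owners[spn.lower()].append(account)
    return owners


def key_holder(pool_identity, machine_account):
    """The account whose key the KDC must use for this pool's tickets: the
    domain account if one is configured, else the computer account (NETWORK
    SERVICE and LOCAL SYSTEM authenticate as the machine)."""
    if pool_identity.upper().startswith("NT AUTHORITY\\"):
        return machine_account
    return pool_identity


def host_names(spns_by_account, machine_account):
    """Names covered by HOST/ SPNs on the computer account; HOST is an alias
    class, so HOST/websrv already covers HTTP/websrv for that account."""
    return {spn.split("/", 1)[1].lower()
            for spn in spns_by_account.get(machine_account, [])
            if spn.lower().startswith("host/")}


def check_spns(spns_by_account, sites, machine_account):
    """Return findings as tuples; an empty list means every host header maps
    to exactly one key holder."""
    findings = []
    owners = spn_owners(spns_by_account)
    covered = host_names(spns_by_account, machine_account)

    # A duplicate is fatal: the KDC cannot choose a key, and clients fall
    # back to NTLM or fail outright.
    for spn, accounts in owners.items():
        if len(accounts) > 1:
            findings.append(("duplicate", spn, sorted(accounts)))

    # Each host header needs HTTP/<name> on the pool's key holder.
    for site in sites:
        want = key_holder(site["pool_identity"], machine_account)
        for name in site["host_headers"]:
            name = name.lower()
            if want == machine_account and name in covered:
                continue
            holders = owners.get(f"http/{name}", [])
            if not holders:
                findings.append(("missing", f"http/{name}", want))
            elif want not in holders:
                findings.append(("wrong-account", f"http/{name}", want, sorted(holders)))
    return findings


if __name__ == "__main__":
    for finding in check_spns(SPNS_BY_ACCOUNT, SITES, MACHINE_ACCOUNT):
        print(finding)
```

With the constructed data the only finding is the duplicate HTTP/app.mydomain.com on the computer account and the pool identity; delete the copy on the account that does not run the worker process, then re-run. Later versions of setspn added `-S`, which refuses to create a duplicate, and `-Q`/`-X` to search for and list duplicates, so use those where available instead of `-A`.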
Re: integrated authentication
am 24.05.2006 14:28:34 von Robert Ginsburg
Have you configured the server as trusted for Kerberos delegation?
"Frédéric de Thysebaert" wrote in message
news:OcgmL0vfGHA.1520@TK2MSFTNGP03.phx.gbl...
Re: integrated authentication
am 24.05.2006 14:55:37 von frdt
Yes, I think that's right in my case.
To do this I checked the delegation checkbox on the General tab of the
computer object in AD. Is that right?
Thanks
Re: integrated authentication
am 24.05.2006 15:43:20 von Robert Ginsburg
Yes, that's all. So if you have done that and SQL auth is still not working,
try the recommendations from this KB article:
http://support.microsoft.com/?id=319723
Re: integrated authentication
am 25.05.2006 08:18:13 von Ken Schaefer
Hi,
a) In Internet Explorer, you will need to add app.mydomain.com to Internet
Explorer's Local Intranet security zone. IE will not attempt Kerberos
authentication to websites in the Internet security zone.
b) You will also need to ensure that all web applications underneath
app.mydomain.com run in web app pools with the Domain\MyUserApp user
context.
c) You will also need to check that the user accounts (for the users who are
authenticating) in question are not marked as "sensitive and non-delegatable"
in Active Directory.
Cheers
Ken
Re: integrated authentication
am 31.05.2006 07:49:14 von frdt
Hi
I have tried all this, but I think it is the IIS authentication that is
not functional.
When the client connects to http://app.mydomain.com, I get a popup asking
for user and password. With only "basic authentication", the user can
connect with the "mydomain\user" syntax; with only "integrated" authentication,
I also get the same popup, but the same user with the same login syntax
cannot connect. I think my first problem is IIS delegation of
authentication...
How do I track this?
IIS runs on one server and SQL on another; these two servers are members of the
domain and both have "Trust this computer for delegation" checked.
The service account for the IIS application pool and the service account for the SQL
service each have an associated SPN and also have "Account is trusted
for delegation" checked.
Thanks
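One way to answer "how do I track this?" and, at the same time, test Ken's point about the Intranet zone, as an added example that is not part of the thread: capture the request the browser sends after the 401 (with a packet capture or an HTTP debugging proxy; IIS 6 does not log the Authorization header itself) and decode the Negotiate token. A client that obtained a Kerberos ticket sends a SPNEGO negTokenInit whose first mechType is a Kerberos OID; a client that could not get one (SPN not found, or site outside the Local Intranet zone) either lists only the NTLMSSP OID or sends a bare NTLMSSP blob, and the popup you see is the NTLM exchange failing. The parser below is a minimal DER walker for that first SPNEGO leg; the three sample headers are constructed in the script, not captured from the poster's servers, and the Kerberos sample carries a placeholder where the AP-REQ would be.

```python
"""Classify the token in an HTTP "Authorization: Negotiate ..." header.

Added example, not from the thread: tells you from one captured request
whether the browser tried Kerberos or fell back to NTLM. Sample headers are
constructed below, not captured from any real server.
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"


def _tlv(buf, pos=0):
    """Read one DER tag/length/value; return (tag, value, next position)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _oid(body):
    """Decode DER OID contents to dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def negotiate_mechs(header_value):
    """Return the mechType OIDs offered in a negTokenInit, or [] when the
    client sent a bare NTLMSSP blob under the Negotiate/NTLM scheme."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        raise ValueError(f"not a Negotiate/NTLM header: {scheme}")
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):
        return []
    tag, body, _ = _tlv(raw)                   # GSS-API InitialContextToken
    if tag != 0x60:
        raise ValueError("not a GSS-API token")
    tag, oid, pos = _tlv(body)
    if tag != 0x06 or _oid(oid) != SPNEGO_OID:
        raise ValueError("token is not SPNEGO")
    tag, init, _ = _tlv(body, pos)
    if tag != 0xA0:                            # [0] negTokenInit
        raise ValueError("first leg is not a negTokenInit")
    _, seq, _ = _tlv(init)                     # SEQUENCE { [0] mechTypes, ... }
    pos, mechs = 0, []
    while pos < len(seq):
        tag, field, pos = _tlv(seq, pos)
        if tag == 0xA0:                        # mechTypes: SEQUENCE OF OID
            _, lst, _ = _tlv(field)
            p = 0
            while p < len(lst):
                _, ob, p = _tlv(lst, p)
                mechs.append(_oid(ob))
    return mechs


def classify(header_value):
    """'kerberos' if the client leads with a Kerberos mech (it has a ticket),
    'ntlm' if it offers only NTLMSSP or sends a raw NTLM blob (no ticket)."""
    mechs = negotiate_mechs(header_value)
    if not mechs or mechs[0] == NTLMSSP_OID:
        return "ntlm"
    if mechs[0] in (KRB5_OID, MS_KRB5_OID):
        return "kerberos"
    return "unknown"


# --- constructed sample input (tiny DER encoder, only to build test data) ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _enc_oid(dotted):
    a = [int(x) for x in dotted.split(".")]
    out = bytearray([a[0] * 40 + a[1]])
    for v in a[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out += bytes(reversed(chunk))
    return _der(0x06, bytes(out))


def build_negotiate_header(mechs, mech_token):
    """Build a negTokenInit as a client would; used here for sample data."""
    seq = _der(0x30, _der(0xA0, _der(0x30, b"".join(_enc_oid(m) for m in mechs)))
               + _der(0xA2, _der(0x04, mech_token)))
    token = _der(0x60, _enc_oid(SPNEGO_OID) + _der(0xA0, seq))
    return "Negotiate " + base64.b64encode(token).decode()


NTLM_TYPE1 = b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 20  # constructed
SAMPLE_KERBEROS = build_negotiate_header([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"\x60\x00")  # placeholder AP-REQ
SAMPLE_FALLBACK = build_negotiate_header([NTLMSSP_OID], NTLM_TYPE1)
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(NTLM_TYPE1).decode()

if __name__ == "__main__":
    for name, hdr in [("kerberos", SAMPLE_KERBEROS), ("fallback", SAMPLE_FALLBACK), ("raw", SAMPLE_RAW_NTLM)]:
        print(name, classify(hdr), negotiate_mechs(hdr))
```

If every captured request classifies as "ntlm", the problem is upstream of IIS and delegation settings are irrelevant: fix the client's ticket acquisition first (site in the Local Intranet zone, a single HTTP/app.mydomain.com SPN on the pool identity, a KDC reachable from the client). Only once the token classifies as "kerberos" does it make sense to look at constrained delegation and the hop to SQL Server.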