IIS6.0 Integrated authentication w/multiple app pools

So I've been reading a lot of posts about running a couple web sites on an
IIS6.0 box where each web site has a separate application pool associated
with it. One of the web sites is using Integrated Authentication only on it.
When a user points their IE browser at the site, they get prompted to
authenticate. I, as a Domain Admin on the other hand do not. The app-pool
for this web site is setup to run as the predefined Network Service account.
Posts have pointed me to do the following which should fix the
authentication prompting problem:
1) setspn http/website.domain.com machinename
to register the website with the machine so that kerberos will work
2) cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
since kerberos isn't working, try this...

Neither has fixed my problem. If the user authenticates in the login window
that pops up, the web site works just fine, so I know permissions are ok.

Anyone got any ideas? I even tried switching the website back to the
defaultapppool and that didn't solve the problem.

Re: IIS6.0 Integrated authentication w/multiple app pools

IE has switches in it to allow sending credentials automatically, or not.
Have you confirmed this is enabled on those browsers?

"Zarborg" wrote in message
news:B6C7C365-46A6-44EC-91CC-FEC2F3275D45@microsoft.com...
> So I've been reading a lot of posts about running a couple web sites on an
> IIS6.0 box where each web site has a separate application pool associated
> with it. One of the web sites is using Integrated Authentication only on
> it.
> When a user points their IE browser at the site, they get prompted to
> authenticate. I, as a Domain Admin on the other hand do not. The
> app-pool
> for this web site is setup to run as the predefined Network Service
> account.
> Posts have pointed me to do the following which should fix the
> authentication prompting problem:
> 1) setspn http/website.domain.com machinename
> to register the website with the machine so that kerberos will work
> 2) cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
> since kerberos isn't working, try this...
>
> Neither has fixed my problem. If the user authenticates in the login
> window
> that pops up, the web site works just fine, so I know permissions are ok.
>
> Anyone got any ideas? I even tried switching the website back to the
> defaultapppool and that didn't solve the problem.
>
>

Re: IIS6.0 Integrated authentication w/multiple app pools

Yuppers! That was the first thing I checked.
"Enable Integrated Windows Authentication (requires restart)" has been
checked.

Like I mentioned, authentication works for me logged in as a domain admin,
but not for a test user on the same box with the same settings. I double
checked NTFS permissions on the sites files and Domain Users currently have
Read/Execute/List permissions on the files used for that website. Plus the
box was rebooted recently so I know the security settings have been updated
to the webserver.

Appreciate the "Is it plugged in question" and I wish it was that easy....

"Roger Abell [MVP]" wrote:

> IE has switches in it to allow sending credentials automatically, or not.
> Have you confirmed this is enabled on those browsers?

Re: IIS6.0 Integrated authentication w/multiple app pools

What URL are you using to access the site?
http://support.microsoft.com/?id=258063

(e.g. if you are using an FQDN, but have added the site manually or via GPO
to your Intranet zone, autologin kicks in, but the other user will be
prompted)

Cheers
Ken

"Zarborg" wrote in message
news:27B8CA73-40B8-4F6C-BBE2-7DC6BCA7088B@microsoft.com...
> Yuppers! That was the first thing I checked.
> "Enable Integrated Windows Authentication (requires restart)" has been
> checked.
>
> Like I mentioned, authentication works for me logged in as a domain admin,
> but not for a test user on the same box with the same settings. I double
> checked NTFS permissions on the sites files and Domain Users currently
> have
> Read/Execute/List permissions on the files used for that website. Plus
> the
> box was rebooted recently so I know the security settings have been
> updated
> to the webserver.
>
> Appreciate the "Is it plugged in question" and I wish it was that easy....
>
> "Roger Abell [MVP]" wrote:
>
>> IE has switches in it to allow sending credentials automatically, or not.
>> Have you confirmed this is enabled on those browsers?

Re: IIS6.0 Integrated authentication w/multiple app pools

Nifty! Thanks man. That's all it took. Just switched to a new job and used
to that being a part of all the images. Added to the Trusted site list and
boom.

Thanks again!

"Ken Schaefer" wrote:

> What URL are you using to access the site?
> http://support.microsoft.com/?id=258063
>
> (e.g. if you are using an FQDN, but have added the site manually or via GPO
> to your Intranet zone, autologin kicks in, but the other user will be
> prompted)
>
> Cheers
> Ken

Re: IIS6.0 Integrated authentication w/multiple app pools

"Zarborg" wrote in message
news:27B8CA73-40B8-4F6C-BBE2-7DC6BCA7088B@microsoft.com...
> Yuppers! That was the first thing I checked.
> "Enable Integrated Windows Authentication (requires restart)" has been
> checked.
>
> Like I mentioned, authentication works for me logged in as a domain admin,
> but not for a test user on the same box with the same settings. I double

Actually, you did not even say the other, test users, were from the same
box, let alone same settings. Good to see Ken got you fixed up.

> checked NTFS permissions on the sites files and Domain Users currently
> have
> Read/Execute/List permissions on the files used for that website. Plus
> the
> box was rebooted recently so I know the security settings have been
> updated
> to the webserver.
>
> Appreciate the "Is it plugged in question" and I wish it was that easy....
>
> "Roger Abell [MVP]" wrote:
>
>> IE has switches in it to allow sending credentials automatically, or not.
>> Have you confirmed this is enabled on those browsers?

Re: IIS6.0 Integrated authentication w/multiple app pools

Adding the site to the "Intranet" zone should be sufficient. "Trusted Sites"
will also work, but the security settings are more lax. Best practise would
call for you to limit the privileges of each site to just what is required.
If you can get away with Intranet, then use that.

Cheers
Ken

"Zarborg" wrote in message
news:9AA7458C-C6B8-4E22-9BC1-E1181A7049AD@microsoft.com...
> Nifty! Thanks man. That's all it took. Just switched to a new job and
> used
> to that being a part of all the images. Added to the Trusted site list
> and
> boom.
>
> Thanks again!
>
> "Ken Schaefer" wrote:
>
>> What URL are you using to access the site?
>> http://support.microsoft.com/?id=258063
>>
>> (e.g. if you are using an FQDN, but have added the site manually or via
>> GPO
>> to your Intranet zone, autologin kicks in, but the other user will be
>> prompted)
>>
>> Cheers
>> Ken
>