Multiple websites in one IIS with Integrated Windows Authentication

Hi,

I have setting up two intranet web sites (say Site_A and Site_B) on the
same IIS 6 server. Both serve internal staff only.

For Site_A, I leave everything as default.

For Site_B, I modified "Multiple identities for this Web site" as
follows:

IP Address: 130.20.1.20
TCP port: 80
Host Header Value: hkg-intranet

Now, my problem:
- if I "Enable anonymous access", then we can access both web.
- if I disable anonymous access and enable "Integrated Winodws
authentication", then both web sites prompt for username. No matter
which username I used (including domain admin), I cannot access the
sites.

I can access the site only if I enter the machine local admin username
and password.

In the web server security event log, we have:

Event ID: 529
Reason: Unknown user name or bad password
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos

May I ask, is it not possible to have two web sites on the same server
with "Integrated Windows authentication" enabled?

Thanks in advance.



--
ramram49
------------------------------------------------------------ ------------
Posted via http://www.webservertalk.com
------------------------------------------------------------ ------------
View this thread: http://www.webservertalk.com/message1693270.html

Re: Multiple websites in one IIS with Integrated Windows Authentication

You can have as many sites as you want using IWA and domain based
credentials.

Something else is wrong in your setup. Are you logging on using
Domain\Username?

Cheers
Ken

"ramram49" wrote in message
news:ramram49.2fci8b@mail.webservertalk.com...
>
> Hi,
>
> I have setting up two intranet web sites (say Site_A and Site_B) on the
> same IIS 6 server. Both serve internal staff only.
>
> For Site_A, I leave everything as default.
>
> For Site_B, I modified "Multiple identities for this Web site" as
> follows:
>
> IP Address: 130.20.1.20
> TCP port: 80
> Host Header Value: hkg-intranet
>
> Now, my problem:
> - if I "Enable anonymous access", then we can access both web.
> - if I disable anonymous access and enable "Integrated Winodws
> authentication", then both web sites prompt for username. No matter
> which username I used (including domain admin), I cannot access the
> sites.
>
> I can access the site only if I enter the machine local admin username
> and password.
>
> In the web server security event log, we have:
>
> Event ID: 529
> Reason: Unknown user name or bad password
> Logon Type: 3
> Logon Process: Kerberos
> Authentication Package: Kerberos
>
> May I ask, is it not possible to have two web sites on the same server
> with "Integrated Windows authentication" enabled?
>
> Thanks in advance.
>
>
>
> --
> ramram49
> ------------------------------------------------------------ ------------
> Posted via http://www.webservertalk.com
> ------------------------------------------------------------ ------------
> View this thread: http://www.webservertalk.com/message1693270.html
>

Re: Multiple websites in one IIS with Integrated Windows Authentication

Hi Ken,

Yes..I am logging on using domain\username format.

On the DC, there is such system error logged:

Source: Kerberos
Event ID: 4

Description: The kerberos client received a KRB_AP_ERR_MODIFIED error
from the server host/hcl-intranet.mydomain.com. The target name used
was HTTP/hkg-intranet.mydomain.com. This indicates that the password
used to encrypt the kerberos service ticket is different that that on
the target server. Commonly, this is due to identically named machine
accounts in the target realm (MYDOMAIN.COM), and the client realm.
Please contact your system administrator.com

Kindly give me some more hints..^^

Ken Schaefer wrote:
> [B]You can have as many sites as you want using IWA and domain based
> credentials.
>
> Something else is wrong in your setup. Are you logging on using
> Domain\Username?
>
> Cheers
> Ken
>
>



--
ramram49
------------------------------------------------------------ ------------
Posted via http://www.webservertalk.com
------------------------------------------------------------ ------------
View this thread: http://www.webservertalk.com/message1693270.html

Re: Multiple websites in one IIS with Integrated Windows Authentication

Hi,

You have two options:
a) Configure IIS to send NTLM only for that website - at the moment IIS is
sending both Negotiate (Kerberos) and NTLM as available authentication
mechanisms to the client, and the client is choosing Kerberos

b) If you wisht to use Kerberos rather than NTLM, then you will need to
register an SPN (Service Principal Name) for the FQDN of the website you are
accessing. If the website is running in a web app pool that is running under
LocalSystem/Network Service, then register the SPN under the IIS server's
machine account. If the web app pool is running under a custom account, then
register the SPN under the user account that is being used as the process
identity for the web app pool.

Cheers
Ken


"ramram49" wrote in message
news:ramram49.2fetke@mail.webservertalk.com...
>
> Hi Ken,
>
> Yes..I am logging on using domain\username format.
>
> On the DC, there is such system error logged:
>
> Source: Kerberos
> Event ID: 4
>
> Description: The kerberos client received a KRB_AP_ERR_MODIFIED error
> from the server host/hcl-intranet.mydomain.com. The target name used
> was HTTP/hkg-intranet.mydomain.com. This indicates that the password
> used to encrypt the kerberos service ticket is different that that on
> the target server. Commonly, this is due to identically named machine
> accounts in the target realm (MYDOMAIN.COM), and the client realm.
> Please contact your system administrator.com
>
> Kindly give me some more hints..^^
>
> Ken Schaefer wrote:
>> [B]You can have as many sites as you want using IWA and domain based
>> credentials.
>>
>> Something else is wrong in your setup. Are you logging on using
>> Domain\Username?
>>
>> Cheers
>> Ken
>>
>>
>
>
>
> --
> ramram49
> ------------------------------------------------------------ ------------
> Posted via http://www.webservertalk.com
> ------------------------------------------------------------ ------------
> View this thread: http://www.webservertalk.com/message1693270.html
>

Re: Multiple websites in one IIS with Integrated Windows Authentication

Hi Ken,

Thanks. I have register an SPN for the "extra" web site and it works.


Ram

Ken Schaefer wrote:
> [B]Hi,
>
> You have two options:
> a) Configure IIS to send NTLM only for that website - at the moment
> IIS is
> sending both Negotiate (Kerberos) and NTLM as available
> authentication
> mechanisms to the client, and the client is choosing Kerberos
>
> b) If you wisht to use Kerberos rather than NTLM, then you will need
> to
> register an SPN (Service Principal Name) for the FQDN of the website
> you are
> accessing. If the website is running in a web app pool that is
> running under
> LocalSystem/Network Service, then register the SPN under the IIS
> server's
> machine account. If the web app pool is running under a custom
> account, then
> register the SPN under the user account that is being used as the
> process
> identity for the web app pool.
>
> Cheers
> Ken
>
>



--
ramram49
------------------------------------------------------------ ------------
Posted via http://www.webservertalk.com
------------------------------------------------------------ ------------
View this thread: http://www.webservertalk.com/message1693270.html