Application Pools, Domain User Accounts and Service Principal Names

Tom McDonnell

I've been involved in building an application in ASP.NET which has
utilised application pools in IIS6 to allow the site to run under the
credentials of a domain user and authenticate with SQL Server.

Having recently rolled this application out to a number of sites, we
have encountered a problem where Windows integrated authentication is
enabled, but users' credentials are not accepted. I've figured out the
problem to be due to there being no Service Principal Name for the
domain account.

Having found some documentation from Microsoft about this issue, I've
tried to create the SPN, but it causes authentication to then fail with
the NETWORK SERVICE user.
http://msdn.microsoft.com/library/d...0009.asp#paght000009_additionalconsiderations

How can Windows be configured so both the NETWORK SERVICE and domain
users can be used to perform Windows authentication in IIS6 application
pools?
 
Joe Kaplan (MVP - ADSI)

My experience has been that to have an SPN that belongs to the domain
service account that does not conflict with the SPNs already assigned to the
machine account, you need a new DNS name and a new A record in DNS for that
name. Then, if you give the machine account the SPN corresponding to the
new DNS name, it should be OK.

Note that I've recently tried to do this with a CNAME record in DNS that
just aliases the A record associated with the machine account's DNS/SPN, but
Kerberos seems to be too clever and resolves the alias back to the A record
name before creating its SPN.

I feel your pain. :)

HTH,

Joe K.
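The behaviour Joe describes (an SPN on the service account must not collide with the machine account's SPNs, a fresh A record works, a CNAME alias collapses back onto the machine's name) can be modelled in a few lines. The following is an added example, not code from this thread or from Microsoft: the DNS zone, the account names (`CORP\SERVER01$`, `CORP\svc-webpool`) and the SPN inventory are all constructed, and the only Kerberos facts it relies on are that the client canonicalises a CNAME to its A-record name before building `HTTP/<name>`, and that `HOST/<name>` on a machine account also answers for `HTTP/<name>`.

```python
"""Model of how a Kerberos client picks the SPN for an HTTP request and how
the directory resolves that SPN to an account.

Added example; the DNS zone, account names and SPN inventory below are
constructed, not taken from any real domain or from this thread.
"""

# Constructed DNS zone: name -> ("A", address) or ("CNAME", target)
DNS = {
    "server01.corp.example": ("A", "10.0.0.5"),
    "app.corp.example": ("CNAME", "server01.corp.example"),  # alias to the machine's name
    "app2.corp.example": ("A", "10.0.0.5"),                  # separate A record, same box
}

# Constructed SPN inventory, account -> SPNs, as `setspn -L <account>` would list.
# The machine account owns HOST/<name>; the app pool account owns HTTP/<name>.
SPNS = {
    "CORP\\SERVER01$": {"HOST/server01.corp.example", "HOST/SERVER01"},
    "CORP\\svc-webpool": {"HTTP/app.corp.example", "HTTP/app2.corp.example"},
}


def canonical_name(host, dns=DNS):
    """Follow CNAME records to the A-record name. A Kerberos client does this
    before building HTTP/<name>, which is why an alias never gets its own SPN."""
    seen = set()
    while host in dns and dns[host][0] == "CNAME":
        if host in seen:
            raise ValueError("CNAME loop at " + host)
        seen.add(host)
        host = dns[host][1]
    return host


def spn_owners(spn, spns=SPNS):
    """Accounts that can decrypt a ticket for `spn`. HOST/<name> on a machine
    account also covers HTTP/<name>, because HOST is the generic service class."""
    service, _, name = spn.partition("/")
    owners = []
    for account, registered in spns.items():
        if spn in registered:
            owners.append(account)
        elif service == "HTTP" and account.endswith("$") and "HOST/" + name in registered:
            owners.append(account)
    return owners


def resolve_request(url_host, pool_account, dns=DNS, spns=SPNS):
    """Predict whether a browser request to url_host yields a service ticket
    that the application pool identity can decrypt."""
    spn = "HTTP/" + canonical_name(url_host, dns)
    owners = spn_owners(spn, spns)
    if not owners:
        return spn, "no SPN registered: client falls back to NTLM"
    if len(owners) > 1:
        return spn, "duplicate SPN: KDC cannot pick an account, Kerberos fails"
    if owners[0] != pool_account:
        return spn, "ticket is for %s, the pool identity cannot decrypt it" % owners[0]
    return spn, "ok"


def with_extra_spn(account, spn, spns=SPNS):
    """Return a copy of the inventory with one more SPN added, without any
    duplicate check (the risky part of a blind registration)."""
    copy = {acct: set(v) for acct, v in spns.items()}
    copy.setdefault(account, set()).add(spn)
    return copy


if __name__ == "__main__":
    # CNAME alias: the client asks for the machine's SPN, not the pool account's
    print(resolve_request("app.corp.example", "CORP\\svc-webpool"))
    # Separate A record: the SPN belongs to the pool account, Kerberos works
    print(resolve_request("app2.corp.example", "CORP\\svc-webpool"))
    # Registering the machine's own name on the service account duplicates the
    # SPN and breaks the NETWORK SERVICE site as well
    dup = with_extra_spn("CORP\\svc-webpool", "HTTP/server01.corp.example")
    print(resolve_request("server01.corp.example", "CORP\\SERVER01$", spns=dup))
```

The third scenario is the one from the opening post: adding `HTTP/<machine name>` to the domain account leaves two accounts answering for the same SPN, so Kerberos stops working for the NETWORK SERVICE site too. On a real domain the inventory would come from `setspn -L <account>` for each account involved, and a duplicate check before registering is the step worth keeping.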
 
Dominick Baier [DevelopMentor]

Note that I've recently tried to do this with a CNAME record in DNS
that just aliases the A record associated with the machine account's
DNS/SPN, but Kerberos seems to be too clever and resolves the alias
back to the A record name before creating its SPN.

Wow. Interesting.
 
Tom McDonnell

My experience has been that to have an SPN that belongs to the domain
service account that does not conflict with the SPNs already assigned to the
machine account, you need a new DNS name and a new A record in DNS for that
name. Then, if you give the machine account the SPN corresponding to the
new DNS name, it should be OK.

This is really out of my league; the documentation I have found is
purely technical, and nothing you can learn from. Well, it's back to
using .NET impersonation and recording static user credentials in the
registry...
I feel your pain. :)

The problem is there is no way I can communicate this to Microsoft and
say HOY! the documentation doesn't go nearly far enough, how 'bout
improving it! I did send them feedback for the article but I'm sure that
will just go off into oblivion.

Thanks Joe.
 
Joe Kaplan (MVP - ADSI)

I'm a pretty big fan of the TechNet "kerberos troubleshooting" article. It
is the most thorough I've seen.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

The other thing that is critical is enabling event logging for Logon/Logoff
requests (both success and failure) so that you can see what auth package is
being used and what SPNs. A lot of those details are recorded in the log
messages. Learning to use a packet sniffer like netmon or Ethereal can be
helpful too.

Unfortunately, there is still some black magic involved when trying to
figure out why sometimes Negotiate fails over to NTLM. I'm still trying to
find the magic tool that tells me why Kerberos isn't available when I think
it should be.

Best of luck.

Joe K.
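Joe's point about turning on Logon/Logoff auditing is that the Security log then records, per logon, which authentication package (Kerberos or NTLM) was used and, for service-ticket events, which account the ticket was issued for. The script below is an added example, not from the thread: it parses a constructed sample in the `Key:<tab>Value` layout of the Windows Server 2003 540 (successful network logon), 529 (logon failure) and 673 (service ticket granted) events and reports NTLM fallbacks, failures and service-ticket targets so a Negotiate-to-NTLM fallback stands out instead of being buried among successful logons. The user, workstation and account names in the sample are made up.

```python
"""Summarise Windows Server 2003 Security log entries by authentication
package, so NTLM fallbacks and the accounts that received service tickets
stand out.

Added example; SAMPLE_LOG is constructed to match the field layout of the
540/529/673 events and is not a capture from a real server.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Event ID: 673
Service Ticket Granted:
\tUser Name:\ttom@CORP.EXAMPLE
\tService Name:\tsvc-webpool
\tClient Address:\t10.0.0.20

Event ID: 540
Successful Network Logon:
\tUser Name:\ttom
\tDomain:\tCORP
\tLogon Type:\t3
\tLogon Process:\tKerberos
\tAuthentication Package:\tKerberos
\tWorkstation Name:\t

Event ID: 540
Successful Network Logon:
\tUser Name:\talice
\tDomain:\tCORP
\tLogon Type:\t3
\tLogon Process:\tNtLmSsp
\tAuthentication Package:\tNTLM
\tWorkstation Name:\tWKS-ALICE

Event ID: 529
Logon Failure:
\tReason:\tUnknown user name or bad password
\tUser Name:\tbob
\tDomain:\tCORP
\tLogon Type:\t3
\tLogon Process:\tNtLmSsp
\tAuthentication Package:\tNTLM
\tWorkstation Name:\tWKS-BOB
"""


def parse_events(text):
    """Split the text into events (blank-line separated) and turn each
    'Key:<tab>Value' line into a dict entry. Line 0 is the event id, line 1
    the event title, so field parsing starts at line 2."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = re.match(r"Event ID:\s*(\d+)", lines[0])
        if not m:
            continue
        ev = {"id": int(m.group(1))}
        for line in lines[2:]:
            key, sep, value = line.strip().partition(":")
            if sep:
                ev[key.strip()] = value.strip()
        events.append(ev)
    return events


def summarize(text):
    """Count logons per authentication package, list NTLM logons (the
    fallback cases worth investigating), failures, and which accounts
    received service tickets (the SPN owners the KDC actually chose)."""
    packages = Counter()
    ntlm_logons, failures = [], []
    service_tickets = Counter()
    for ev in parse_events(text):
        if ev["id"] == 540:
            pkg = ev.get("Authentication Package", "?")
            packages[pkg] += 1
            if pkg.upper() == "NTLM":
                ntlm_logons.append((ev.get("Domain"), ev.get("User Name"),
                                    ev.get("Workstation Name")))
        elif ev["id"] == 529:
            failures.append((ev.get("User Name"), ev.get("Reason")))
        elif ev["id"] == 673:
            service_tickets[ev.get("Service Name")] += 1
    return {
        "packages": dict(packages),
        "ntlm_logons": ntlm_logons,
        "failures": failures,
        "service_tickets": dict(service_tickets),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print("%-16s %s" % (key, value))
```

With the sample, `alice` shows up as an NTLM logon from `WKS-ALICE` even though the domain supports Kerberos, which is the pattern to chase next (missing or duplicate SPN, or a name the client cannot map to one), and the 673 entry confirms which account the KDC issued the service ticket for. The same parser applies to a text export of a real Security log as long as the `Key:<tab>Value` layout is preserved.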
 
Joe Kaplan (MVP - ADSI)

I was afraid you would say that.

However, the problem with it is that sometimes, no Kerberos traffic is
generated at all, so the reason for NTLM failover is unclear. I still want
the tool that tells me why.

I don't want to try to do my work with Ethereal though. :)

Joe K.
 
Dominick Baier [DevelopMentor]

Joe -

You should :)

Tooling is "sub-optimal", I agree.

When I get back home I have to try the A vs CNAME thing - if there is magic
involved it must happen on the server - the TGS_REQ looks exactly the same
IMO.
 
Joe Kaplan (MVP - ADSI)

Let me know what you find. Note that my issues seem to revolve around
protocol transition/constrained delegation too. I get different/better
results in some cases with straight Kerberos delegation. With PT, the SPN
of the delegating process seems to come into play.

Joe K.