Windows authentication breaks after configuring application pool identity

[Igor Dombrovan]

Hi group

I run IIS 6.0 on W2k3 being an Active Directory Controller in a test lab.
Create a virtual directory 'test' with Windows authentication on and
anonymous access off.
Create a static test.html file in the directory.
Open it in a browser and it's ok.
Now I configure a separate application pool for this virtual directory (ASP
1.1) with the default Netwok Service identity. It's ok, too.
Now I create a domain account, add it to IIS_WPG group and configure it to
be the application pool identity. This breaks Windows authentication and I
keep getting 401.1 errors from IIS.

The same works fine on another W2k3 not a domain member.

Any ideas where I can be wrong ?

Thanks

 

[Ken Schaefer]

I used to have a list of things to check, but don't seem to have it handy on
my current laptop.

Check this list here:
http://support.microsoft.com/?kbid=812614

Cheers
Ken


: Hi group
:
: I run IIS 6.0 on W2k3 being an Active Directory Controller in a test lab.
: Create a virtual directory 'test' with Windows authentication on and
: anonymous access off.
: Create a static test.html file in the directory.
: Open it in a browser and it's ok.
: Now I configure a separate application pool for this virtual directory
(ASP
: 1.1) with the default Netwok Service identity. It's ok, too.
: Now I create a domain account, add it to IIS_WPG group and configure it to
: be the application pool identity. This breaks Windows authentication and I
: keep getting 401.1 errors from IIS.
:
: The same works fine on another W2k3 not a domain member.
:
: Any ideas where I can be wrong ?
:
: Thanks
:
:

 

[Igor Dombrovan]

Hi

I cross-posted the question to IIS Security because it seems to be an IIS
authentication problem although everything breaks after I configure the
application pool's identity to a custom domain account. I check if it works
with a static html file.

Again,

Windows auth with app pool identity being Netwok Service authenticates
domain users ok.
Windows auth with app pool identity being a custom domain account included
in IIS_WPG doesn't authenticate domain users with event id 529 user name or
password unknown from Kerberos.
Anonymous works fine with any config.
Not that I'm stuck, just trying to understand how it works. Or to be
correct, doesn't work.

Thanks,
Igor

"Ken Schaefer" <[email protected]> ÓÏÏÂÝÉÌ/ÓÏÏÂÝÉÌÁ × ÎÏ×ÏÓÔÑÈ
ÓÌÅÄÕÀÝÅÅ: I used to have a list of things to check, but don't seem to have it handy on
my current laptop.

Check this list here:
http://support.microsoft.com/?kbid=812614

Cheers
Ken


: Hi group
:
: I run IIS 6.0 on W2k3 being an Active Directory Controller in a test lab.
: Create a virtual directory 'test' with Windows authentication on and
: anonymous access off.
: Create a static test.html file in the directory.
: Open it in a browser and it's ok.
: Now I configure a separate application pool for this virtual directory
(ASP
: 1.1) with the default Netwok Service identity. It's ok, too.
: Now I create a domain account, add it to IIS_WPG group and configure it to
: be the application pool identity. This breaks Windows authentication and I
: keep getting 401.1 errors from IIS.
:
: The same works fine on another W2k3 not a domain member.
:
: Any ideas where I can be wrong ?
:
: Thanks
:
: