Kerberos Delegation Issues

ok, going to try and cover it all.  
Have a website under IIS 6.0 running under a service account on port 8080. Integrated authentication is turned on. SPN's are as follows.

These are located on the user service account
http/servername (netbios)
http/servername.fqdn

www/servername (netbios)
www/servername.fqdn

Do I need the ports in the SPN?

These are located on the machine account for the server
host/servername
host/servername.fqdn
http/servername
http/servername.fqdn

SQL and SMTPsvc as well, although i notice that the SQL FQDN entry has port 1433 specified

The website is trying to read info from AD. Basic user info, company dept etc.  When I do this under basic (enter username and password) it returns the data fine.  As soon as I try to get it to do it via integrated it stops returning any data.

I have checked the metabase for the website, it's set to "Negotiate, NTLM"

Anything else i need to look at or any good ways to troubleshoot? Thanks, I've been working on this for weeks now.

Greg



LVL 1
gherzogAsked:
Who is Participating?
 
CetusMODCommented:
PAQed with points refunded (500)

CetusMOD
Community Support Moderator
0
 
deighcCommented:
I've had this exact same problem.... and had a similar lack of success :-(

I read a million web pages, followed MS's instructions to the letter etc - but no go.

You don't describe the setup of your domain but in my case the IIS box was a member server in the domain and not used as a domain controller.

In the end I solved the problem by making the IIS box a domain controller. That way a copy of the AD is stored on the IIS box and your web app has no delegation issues to contend with because the AD data is available directly on the IIS box.

Of course, this only solves delegation issues related to AD access. If you also want to access, for example, an SQL Server or Exchange server on other physical machines whilst using Integrated Authentication then you'll either have to try and configure these services for delegation (good luck!!) or - as was the case for me - have these services running on the same physical box as IIS.

I like Integrated Authentication for many reasons but delegation issues have eaten up many many hours for me over the years. I've never been able to make things work to my satisfaction and usually end up running everything on a single physical machine. ASP.NET has much more elegant impersonation and delegation mechanisms but these are simply not an option with old-skool ASP.

If you manage to sort out your problem then I'd be very interested to hear how you did it.
0
 
gherzogAuthor Commented:
yeah my setup is the same. i knew i'd miss something :)  It's a member server in the domain and there is NO WAY they will let me make it a domain controller.  Just not happening.  I'm a vbscript guy, not an ASP guy, so this is my first foray into trying to run my scripts off a web server.  I have no idea what the difference is between ASP and ASP.NET.  Just finally got my head around server side vs client side script.  So anyone else actually make this work with the above scenario?

Greg
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.