Kerberos Delegation Issues

Posted on 2006-05-01
Last Modified: 2012-05-05
OK, going to try and cover it all.
Have a website under IIS 6.0 running under a service account on port 8080. Integrated authentication is turned on. SPNs are as follows.

These are located on the user service account:
http/servername (netbios)
www/servername (netbios)

Do I need the ports in the SPN?

These are located on the machine account for the server:
SQL and SMTPsvc as well, although I notice that the SQL FQDN entry has port 1433 specified.

The website is trying to read info from AD. Basic user info, company dept etc.  When I do this under basic (enter username and password) it returns the data fine.  As soon as I try to get it to do it via integrated it stops returning any data.

I have checked the metabase for the website, it's set to "Negotiate, NTLM"

Anything else I need to look at, or any good ways to troubleshoot? Thanks, I've been working on this for weeks now.


Question by: gherzog
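The SPN layout in the question can be sanity-checked before touching any delegation settings. The Python script below is an added example, not part of the original thread: it parses a constructed `setspn -L`-style listing (the account and host names are invented) and reports two conditions that commonly break Kerberos for an IIS site and make clients fall back to NTLM, which cannot be delegated to the second hop: an HTTP SPN missing from the application pool identity (both the NetBIOS and the FQDN form are needed) and an SPN registered on more than one account.

```python
"""Audit Kerberos SPNs for an IIS application pool identity (added example)."""
from collections import defaultdict

# Constructed sample in the shape of `setspn -L <account>` output for two
# accounts. Account names, host names and the domain are invented.
SAMPLE_SPNS = {
    "CORP\\svc_web": ["http/websrv", "www/websrv"],
    "CORP\\WEBSRV$": [
        "HOST/WEBSRV",
        "HOST/websrv.corp.example",
        "MSSQLSvc/websrv.corp.example:1433",
        "SMTPSVC/WEBSRV",
        "SMTPSVC/websrv.corp.example",
    ],
}


def parse_spn(spn):
    """Split 'service/host[:port][/name]' into (service, host, port).

    Service and host are lower-cased because SPN matching in AD is
    case-insensitive; port is None when the SPN carries no port.
    """
    service, _, rest = spn.partition("/")
    hostport = rest.split("/", 1)[0]
    host, _, port = hostport.partition(":")
    return service.lower(), host.lower(), port or None


def find_duplicates(spn_map):
    """Return {normalised_spn: [accounts]} for SPNs held by more than one account.

    A duplicate SPN leaves the KDC unable to pick the right account key, so
    the ticket it issues fails to decrypt on the server.
    """
    owners = defaultdict(list)
    for account, spns in spn_map.items():
        for spn in spns:
            service, host, port = parse_spn(spn)
            key = f"{service}/{host}" + (f":{port}" if port else "")
            owners[key].append(account)
    return {spn: accts for spn, accts in owners.items() if len(accts) > 1}


def audit_http_spns(spn_map, account, netbios, fqdn):
    """Check that `account` (the app pool identity) holds HTTP/<netbios>
    and HTTP/<fqdn>, and that no HTTP SPN is duplicated elsewhere.

    Returns a sorted list of finding strings; an empty list means no issue.
    """
    registered = {parse_spn(s) for s in spn_map.get(account, [])}
    findings = []
    for name in (netbios, fqdn):
        # Browsers normally request HTTP/<host> without a port, so the
        # unported entries are the ones that must exist.
        if ("http", name.lower(), None) not in registered:
            findings.append(f"missing HTTP/{name} on {account}")
    for dup, accts in find_duplicates(spn_map).items():
        if dup.startswith("http/"):
            findings.append(f"duplicate {dup} on {', '.join(accts)}")
    return sorted(findings)


if __name__ == "__main__":
    for line in audit_http_spns(SAMPLE_SPNS, "CORP\\svc_web",
                                "websrv", "websrv.corp.example"):
        print(line)
```

On the constructed sample the script reports only that the FQDN form `HTTP/websrv.corp.example` is missing from the service account, which mirrors the question's layout where only NetBIOS entries exist. On the port question: whether `HTTP/<host>:8080` is needed depends on what the client asks for; Internet Explorer builds `HTTP/<host>` without the port unless it is specifically configured to include it, so the unported entries are the ones that must be present, and a port-qualified entry is an addition rather than a replacement.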
    LVL 15

    Expert Comment

    I've had this exact same problem.... and had a similar lack of success :-(

    I read a million web pages, followed MS's instructions to the letter etc - but no go.

    You don't describe the setup of your domain but in my case the IIS box was a member server in the domain and not used as a domain controller.

    In the end I solved the problem by making the IIS box a domain controller. That way a copy of the AD is stored on the IIS box and your web app has no delegation issues to contend with because the AD data is available directly on the IIS box.

    Of course, this only solves delegation issues related to AD access. If you also want to access, for example, an SQL Server or Exchange server on other physical machines whilst using Integrated Authentication then you'll either have to try and configure these services for delegation (good luck!!) or - as was the case for me - have these services running on the same physical box as IIS.

    I like Integrated Authentication for many reasons but delegation issues have eaten up many many hours for me over the years. I've never been able to make things work to my satisfaction and usually end up running everything on a single physical machine. ASP.NET has much more elegant impersonation and delegation mechanisms but these are simply not an option with old-skool ASP.

    If you manage to sort out your problem then I'd be very interested to hear how you did it.
    LVL 1

    Author Comment

    Yeah, my setup is the same. I knew I'd miss something :)  It's a member server in the domain and there is NO WAY they will let me make it a domain controller.  Just not happening.  I'm a VBScript guy, not an ASP guy, so this is my first foray into trying to run my scripts off a web server.  I have no idea what the difference is between ASP and ASP.NET.  Just finally got my head around server side vs client side script.  So anyone else actually make this work with the above scenario?


    Accepted Solution

    PAQed with points refunded (500)

    Community Support Moderator
