[Last Call] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 720
  • Last Modified:

Kerberos Delegation Issues

ok, going to try and cover it all.  
Have a website under IIS 6.0 running under a service account on port 8080. Integrated authentication is turned on. SPN's are as follows.

These are located on the user service account
http/servername (netbios)

www/servername (netbios)

Do I need the ports in the SPN?

These are located on the machine account for the server

SQL and SMTPsvc as well, although i notice that the SQL FQDN entry has port 1433 specified

The website is trying to read info from AD. Basic user info, company dept etc.  When I do this under basic (enter username and password) it returns the data fine.  As soon as I try to get it to do it via integrated it stops returning any data.

I have checked the metabase for the website, it's set to "Negotiate, NTLM"

Anything else i need to look at or any good ways to troubleshoot? Thanks, I've been working on this for weeks now.


1 Solution
I've had this exact same problem.... and had a similar lack of success :-(

I read a million web pages, followed MS's instructions to the letter etc - but no go.

You don't describe the setup of your domain but in my case the IIS box was a member server in the domain and not used as a domain controller.

In the end I solved the problem by making the IIS box a domain controller. That way a copy of the AD is stored on the IIS box and your web app has no delegation issues to contend with because the AD data is available directly on the IIS box.

Of course, this only solves delegation issues related to AD access. If you also want to access, for example, an SQL Server or Exchange server on other physical machines whilst using Integrated Authentication then you'll either have to try and configure these services for delegation (good luck!!) or - as was the case for me - have these services running on the same physical box as IIS.

I like Integrated Authentication for many reasons but delegation issues have eaten up many many hours for me over the years. I've never been able to make things work to my satisfaction and usually end up running everything on a single physical machine. ASP.NET has much more elegant impersonation and delegation mechanisms but these are simply not an option with old-skool ASP.

If you manage to sort out your problem then I'd be very interested to hear how you did it.
gherzogAuthor Commented:
yeah my setup is the same. i knew i'd miss something :)  It's a member server in the domain and there is NO WAY they will let me make it a domain controller.  Just not happening.  I'm a vbscript guy, not an ASP guy, so this is my first foray into trying to run my scripts off a web server.  I have no idea what the difference is between ASP and ASP.NET.  Just finally got my head around server side vs client side script.  So anyone else actually make this work with the above scenario?

PAQed with points refunded (500)

Community Support Moderator

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now