Solved

pass credentials between two sites within one application pool

Posted on 2010-08-16
4
694 Views
Last Modified: 2013-11-16
Hi,
I have an issue with a webserver and Kerberos delegation.
I have 2 websites that run in the same application pool. The application pool runs under web_user (an AD account). The websites each have their own header, like web1 and web2, whilst the server has the DNS name SERVER1. web1 and web2 are just aliases of SERVER1.

For Kerberos to work I registered:
setspn -a http/SERVER1 domain\web_user
setspn -a http/server1.domain domain\web_user

For the web user I set constrained delegation to an SQL server and a SharePoint Portal Server.

Now if I test website1 it works with Kerberos. I start Kerbtray and I get a ticket for http/server1.
I also check the event log of the server, and in the security log I also see my Kerberos authentication. On the SQL server it's also working.

Website2 also works with Kerberos, but at some point website2 has to get data from website1 using a web service, and then we get the error "The request failed with HTTP status 401: Unauthorized". So I have a Kerberos ticket for the application pool, but if it has to pass credentials between web1 and web2 it doesn't work.

I have another setup in our test environment and there the above works, but not in production.

Any advice?
Thanks

Please note that I'm a server administrator and not a programmer.
0
Comment
Question by:Bereke
4 Comments
 
LVL 2

Expert Comment

by:changlinn
ID: 33452224
Firstly I would suggest separate application pools to simplify things; this may actually fix it.
I would also suggest you don't run your application pools as domain users, as this is unnecessary and may give the application more access than intended. Run them as local users, then remove the anonymous login checkbox from the site's directory security and authentication and access control config. In the same spot tick basic auth (you may want to use SSL to encrypt this authentication unless the site is only internally accessible and the risk from the inside is small), and then grant a domain group access to the site.
Now your users will get a login prompt and basically access the site as their user on the domain.
0
 

Accepted Solution

by:
Bereke earned 0 total points
ID: 33472917
Hello changlinn,

My problem is already solved. I created separate application pools for the sites that have to work with Kerberos authentication. I created host (A) records for each site name, e.g. website1, website2 and website3; before, they were just aliases of the server name.
For Kerberos you have to register the SPN, so if I work with the aliases I register it under the hostname and not the alias. But other sites that just use integrated security (NTLM) would then also be affected and start using Kerberos. I had that issue where the other sites with integrated security stopped working.
So to fix it, I created a separate app pool for each site that uses Kerberos. I also created a separate AD account for each app pool. SPNs are registered on the site name (each as a host (A) record) under the respective AD user account.
So if I surf to WEBSITE1, I get a Kerberos ticket for website1, and the other sites that use the server name (or aliases (CNAME)) are not affected.
To pass the credentials I set up delegation on my corresponding AD accounts, and everything is working like a charm.
0
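The procedure in the accepted answer (an A record per site, a dedicated app-pool account per Kerberos site, HTTP SPNs registered on that account rather than on the server name, and constrained delegation on the account that makes the second hop) can be scripted and checked. The following PowerShell is an added example written for this page, not code from the thread; it assumes the `setspn.exe` switches `-A`, `-Q`, `-L` and `-X` (Windows Server 2008 and later), `Resolve-DnsName` (PowerShell 3.0 and later) and the ActiveDirectory module's `Set-ADUser`. The site names website1/website2/website3 come from the answer; the domain name, service account names and the "Existing SPN found" match string are placeholders or assumptions and must be adjusted for your environment.

```powershell
# Added example (not from the original thread): one HTTP SPN pair per Kerberos
# site on that site's own application-pool account, then duplicate checks.
$domain = 'domain.example'            # placeholder: your AD DNS domain

# One dedicated app-pool account per Kerberos site, as the accepted answer does.
$sites = @{
    'website1' = 'DOMAIN\svc_website1'   # placeholder account names
    'website2' = 'DOMAIN\svc_website2'
    'website3' = 'DOMAIN\svc_website3'
}

foreach ($site in $sites.Keys) {
    $account = $sites[$site]

    # The answer's fix depends on each site resolving via its own A record.
    # With a CNAME to SERVER1 the client builds HTTP/SERVER1 and the ticket is
    # requested for the server-name SPN, which drags the NTLM-only sites along.
    $records = Resolve-DnsName -Name "$site.$domain" -Type A -ErrorAction SilentlyContinue
    if (-not $records) {
        Write-Warning "$site.$domain does not resolve; create an A record before registering SPNs."
    } elseif ($records | Where-Object { $_.Type -eq 'CNAME' }) {
        Write-Warning "$site.$domain is a CNAME; clients will request HTTP/<target name> instead."
    }

    foreach ($spn in @("HTTP/$site", "HTTP/$site.$domain")) {
        # -Q reports whether the SPN already exists on any account in the forest;
        # the exact output text is an assumption, verify it on your setspn version.
        $query = setspn -Q $spn
        if ($query -match 'Existing SPN found') {
            Write-Host "$spn is already registered; not adding it again."
        } else {
            # -A is the same switch the question used; it does not check for duplicates,
            # which is why -Q runs first and -X runs afterwards.
            setspn -A $spn $account | Out-Null
        }
    }
}

# A duplicate SPN (the same HTTP/name on two accounts) makes the KDC issue a
# ticket for the wrong account, so check the whole forest after registering.
setspn -X

# Review what each account holds. HTTP/SERVER1 should NOT appear on any of
# these accounts: that registration is what broke the NTLM-only sites.
foreach ($account in $sites.Values) {
    setspn -L $account
}

# Second hop from the question: website2 calls a web service on website1, so the
# website2 app-pool account must be trusted to delegate to website1's SPNs.
# Kerberos-only constrained delegation is the msDS-AllowedToDelegateTo attribute;
# the sAMAccountName below is a placeholder.
Import-Module ActiveDirectory
Set-ADUser -Identity 'svc_website2' -Add @{
    'msDS-AllowedToDelegateTo' = @("HTTP/website1", "HTTP/website1.$domain")
}
```

Run it from an elevated prompt as an account allowed to write servicePrincipalName on the service accounts; the `setspn -X` pass at the end is the check worth keeping even if the rest is done by hand, since a duplicate SPN produces the same kind of 401 and silently falls back to NTLM.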
 
LVL 38

Expert Comment

by:younghv
ID: 34580875
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0
