Solved

pass credentials between two sites within one application pool

Posted on 2010-08-16
Last Modified: 2013-11-16
Hi,
I have an issue with a web server and Kerberos delegation.
I have 2 websites that run in the same application pool. The application pool runs under web_user (an AD account). Each website has its own host header, web1 and web2, whilst the server has the DNS name SERVER1. web1 and web2 are just aliases of SERVER1.

For Kerberos to work I registered:
setspn -a http/SERVER1 domain\web_user
setspn -a http/server1.domain domain\web_user

For the web user I configured constrained delegation to an SQL server and a SharePoint Portal Server.

Now if I test website1 it works with Kerberos. I start kerbtray and I get a ticket for http/server1.
I also check the event log of the server, and in the security log I see my Kerberos authentication. On the SQL server it's also working.

Website2 also works with Kerberos, but at some point website2 has to get data from website1 using a web service, and then we get an error "The request failed with HTTP status 401: Unauthorized". So I have a Kerberos ticket for the application pool, and if it has to pass credentials between web1 and web2 it doesn't work.

I have another setup in our test environment, and there the above works, but not in production.

Any advice?
Thanks

Please note that I'm a server administrator and not a programmer.
Question by: Bereke

4 Comments

LVL 2

Expert Comment

by:changlinn
ID: 33452224
Firstly, I would suggest separate application pools to simplify things; this may actually fix it.
I would also suggest you don't run your application pools as domain users, as this is unnecessary and may give the application more access than intended. Run them as local users, then remove the anonymous login checkbox from the site's Directory Security > Authentication and Access Control config, and in the same spot tick Basic auth (you may want to use SSL to encrypt this authentication unless the site is only internally accessible and the risk from the inside is small), and then grant a domain group access to the site.
Now your users will get a login prompt and basically access the site as their user on the domain.

Accepted Solution

by: Bereke (earned 0 total points)
ID: 33472917
Hello changlinn,

My problem is already solved. I created separate application pools for the sites that have to work with Kerberos authentication. I created host (A) records for their site names, e.g. website1, website2 and website3; before, they were just aliases of the server name.
For Kerberos you have to register the SPN, so if I work with the aliases I register it under the hostname and not the alias. But other sites that just use integrated security (NTLM) would then also be affected and start using Kerberos. I had that issue where the other sites with integrated security stopped working.
So to fix it, I created a separate app pool for each site that uses Kerberos. I also created a separate AD account for each app pool. SPNs are registered on the site name (each a host (A) record) under the respective AD user account.
So if I browse to WEBSITE1, I get a Kerberos ticket for website1, and the other sites that use the server name (or aliases (CNAME)) are not affected.
To pass the credentials I set up delegation on my corresponding AD accounts and everything is working like a charm.
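The DNS and SPN part of the accepted solution's fix (an A record per site, a dedicated app pool account per site, and the http/ SPNs for that site registered only on that account) as a PowerShell script. This is an added example, not code from the thread; it assumes the domain name corp.example and account names svc_website1..3, and that it runs on a domain-joined host with setspn.exe available and rights to write SPNs on those accounts.

```powershell
# Added example, not from the original thread. Assumed names: domain
# corp.example, one app pool account svc_websiteN per site. Requires
# setspn.exe (domain-joined host) and rights to write SPNs on the accounts.
$Domain = 'corp.example'
$Sites = @{
    'website1' = 'svc_website1'
    'website2' = 'svc_website2'
    'website3' = 'svc_website3'
}

foreach ($site in $Sites.Keys) {
    $account = "$Domain\$($Sites[$site])"
    $fqdn    = "$site.$Domain"

    # 1. The site name must be a host (A) record, not a CNAME alias. For an
    #    alias the client asks for the SPN of the canonical server name, which
    #    is held by whichever account runs the server's other sites, not by
    #    this site's pool account, so the ticket cannot be decrypted (401).
    try   { $canonical = [System.Net.Dns]::GetHostEntry($fqdn).HostName }
    catch { Write-Warning "$fqdn does not resolve; add the A record first"; continue }
    if ($canonical -ne $fqdn) {
        Write-Warning "$fqdn is an alias of $canonical; create an A record for it first"
        continue
    }

    $registered = & setspn.exe -L $account
    foreach ($spn in @("http/$site", "http/$fqdn")) {
        # 2. Skip SPNs this account already holds, so the script is safe to re-run.
        if ($registered -match ('^\s*' + [regex]::Escape($spn) + '\s*$')) { continue }

        # 3. An SPN may exist on only one account in the forest; a copy on
        #    another account breaks Kerberos for this site. -Q searches for it.
        $lookup = & setspn.exe -Q $spn
        if ($lookup -match 'Existing SPN found') {
            Write-Warning "$spn is already registered on another account:`n$($lookup -join "`n")"
            continue
        }

        # 4. -S registers the SPN only after its own duplicate check (-A does not).
        & setspn.exe -S $spn $account | Out-Null
    }

    Write-Host "SPNs now held by ${account}:"
    & setspn.exe -L $account
}
```

Constrained delegation for each account is configured separately, as the accepted solution notes; this script covers only the DNS check and SPN registration.
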
LVL 38

Expert Comment

by:younghv
ID: 34580875
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
