Solved

pass credentials between two sites within one application pool

Posted on 2010-08-16
Last Modified: 2013-11-16
Hi,
I have an issue with a web server and Kerberos delegation.
I have 2 websites that run in the same application pool. The application pool runs under the web_user (AD account). The websites both have their own header, like web1 and web2, whilst the server has the DNS name SERVER1. web1 and web2 are just aliases of SERVER1.

For kerberos to work I registered:
setspn -a http/SERVER1 domain\web_user
setspn -a http/server1.domain domain\web_user

For the web_user I set constrained delegation to an SQL server and SharePoint Portal Server.

Now if I test website1 it works with Kerberos. I start Kerbtray and I get a ticket to http\server1.
I also check the event log of the server and in the security log I also see my Kerberos authentication. On the SQL server it's also working.

Website2 also works with Kerberos, but at some point website2 has to get data from website1 using a web service. But then we get the error "The request failed with HTTP status 401: Unauthorized". So I have a Kerberos ticket for the application pool, and if it has to pass credentials between web1 and web2 it doesn't work.

I have another setup in our test environment and there the above works, but not in production.

Any advice?
Thanks

Please note that I'm a server administrator and not a programmer.
Question by:Bereke
4 Comments
Expert Comment

by:changlinn
ID: 33452224
Firstly I would suggest separate application pools to simplify things; this may actually fix it.
I would also suggest you don't run your application pools as domain users, as this is unnecessary and may give the application more access than intended. Run them as local users, then remove the anonymous login checkbox from the site's directory security and authentication and access control config; in the same spot tick basic auth (you may want to use SSL to encrypt this authentication unless the site is only internally accessible and the risk from the inside is small), and then grant a domain group access to the site.
Now your users will get a login prompt and basically access the site as their user on the domain.
Accepted Solution

by:
Bereke earned 0 total points
ID: 33472917
Hello changlinn,

My problem is already solved. I created separate application pools for the sites that have to work with Kerberos authentication. I created host (A) records for each site name, e.g. website1, website2 and website3; before, they were just aliases of the server name.
For Kerberos you have to register the SPN, so if I work with the aliases I register it under the hostname and not the alias. But other sites that just use integrated security (NTLM) would then also be affected and start using Kerberos. I had that issue where the other sites with integrated security stopped working.
So to fix it, I created a separate app pool for each site that uses Kerberos. I also created a separate AD account for each app pool. SPNs are registered on the site referral (each as a host (A) record) under the respective AD user account.
So if I surf to WEBSITE1, I get a Kerberos ticket for website1 and the other sites that use the server name (or aliases (CNAME)) are not affected.
To pass the credentials I set up delegation on my corresponding AD accounts and everything is working like a charm.
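The setup the accepted answer describes (one application pool and one AD service account per Kerberos site, host (A) records instead of CNAMEs, HTTP SPNs registered on the site host under that account, constrained delegation to the back ends) and the setspn/delegation steps from the question, as an added PowerShell example. This is not code from the original thread; the domain, host names, IP address, service account names, pool names, back-end SPNs, and the assumption that each IIS site is named after its host are all placeholders to replace. It also adds two checks a practitioner would want here: it refuses to register an SPN that already exists on another account (a duplicate SPN makes the KDC unable to issue a ticket and the client silently falls back to NTLM, which is one way to end up with a 401 from the second site), and on IIS 7 or later it sets useAppPoolCredentials, because kernel-mode Windows authentication otherwise tries to decrypt the ticket with the machine account key instead of the pool account's key.

```powershell
# Added example, not from the original thread. All names below are assumptions:
# replace the domain, hosts, IP, accounts, pool names and delegation targets.
#Requires -Modules ActiveDirectory, WebAdministration, DnsServer
# Run on the IIS server as an account allowed to edit the service accounts and the DNS zone.

$DnsDomain  = 'domain.local'     # assumed DNS name of the AD domain
$NetbiosDom = 'DOMAIN'           # assumed NetBIOS domain name
$WebIp      = '10.0.0.10'        # assumed address of SERVER1
$Sites = @(                      # one pool and one AD account per Kerberos site (assumed names)
    @{ Host = 'website1'; Account = 'svc_web1'; Pool = 'Web1Pool' },
    @{ Host = 'website2'; Account = 'svc_web2'; Pool = 'Web2Pool' }
)
# Back-end SPNs the pools may delegate to (constrained delegation targets), assumed.
$DelegateTo = @("MSSQLSvc/sql1.${DnsDomain}:1433", "HTTP/portal.$DnsDomain")

foreach ($s in $Sites) {
    $fqdn = "$($s.Host).$DnsDomain"
    $spns = @("HTTP/$($s.Host)", "HTTP/$fqdn")

    # 1. Host (A) record rather than a CNAME, so the browser asks for HTTP/website1
    #    and not HTTP/SERVER1; the other sites on SERVER1 are left untouched.
    if (-not (Get-DnsServerResourceRecord -ZoneName $DnsDomain -Name $s.Host -RRType A -ErrorAction SilentlyContinue)) {
        Add-DnsServerResourceRecordA -ZoneName $DnsDomain -Name $s.Host -IPv4Address $WebIp
    }

    # 2. Never create a duplicate SPN: if HTTP/website1 exists on two accounts the KDC
    #    cannot issue a ticket and clients quietly fall back to NTLM.
    foreach ($spn in $spns) {
        $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName
        if ($owner -and $owner.sAMAccountName -ne $s.Account) {
            throw "$spn is already registered on $($owner.sAMAccountName); remove it first"
        }
    }
    # Equivalent of 'setspn -a HTTP/<host> DOMAIN\<account>' for both short and FQDN forms.
    Set-ADUser -Identity $s.Account -ServicePrincipalNames @{ Add = $spns }

    # 3. Constrained delegation, Kerberos-only: the account may forward the caller's identity
    #    only to the listed services. Unconstrained delegation (TrustedForDelegation) stays off,
    #    and protocol transition (TrustedToAuthForDelegation) is not enabled.
    Set-ADUser -Identity $s.Account -Replace @{ 'msDS-AllowedToDelegateTo' = $DelegateTo }

    # 4. A dedicated application pool running as that account, bound to the site.
    #    (Assumes the IIS site is named after its host, e.g. 'website1'.)
    $cred = Get-Credential -UserName "$NetbiosDom\$($s.Account)" -Message "Password for $($s.Account)"
    if (-not (Test-Path "IIS:\AppPools\$($s.Pool)")) { New-WebAppPool -Name $s.Pool | Out-Null }
    Set-ItemProperty "IIS:\AppPools\$($s.Pool)" -Name processModel -Value @{
        identityType = 'SpecificUser'
        userName     = $cred.UserName
        password     = $cred.GetNetworkCredential().Password
    }
    Set-ItemProperty "IIS:\Sites\$($s.Host)" -Name applicationPool -Value $s.Pool

    # 5. IIS 7+: kernel-mode Windows auth decrypts tickets with the machine account key by
    #    default. The ticket is encrypted to the pool account's key, so tell IIS to use the
    #    pool credentials (the alternative is to turn kernel-mode authentication off).
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $s.Host `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' `
        -Name useAppPoolCredentials -Value $true
}

# Verification: no duplicate SPNs anywhere in the forest, and a service ticket is really issued
# for each site (klist replaces Kerbtray on Windows 7 / Server 2008 R2 and later).
setspn -X
foreach ($s in $Sites) { klist get "HTTP/$($s.Host).$DnsDomain" }
```

After running this, a request to website1 should produce a ticket for HTTP/website1.domain.local in `klist`, and the security log on the server should show a Kerberos logon for the site rather than NTLM; if `setspn -X` reports any duplicates, fix those before troubleshooting anything else, since a duplicate SPN is the usual reason an otherwise correct delegation setup still returns 401.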
Expert Comment

by:younghv
ID: 34580875
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.