Solved

pass credentials between two sites within one application pool

Posted on 2010-08-16
Last Modified: 2013-11-16
Hi,
I have an issue with a web server and Kerberos delegation.
I have 2 websites that run in the same application pool. The application pool runs under the web_user (AD account). The websites both have their own header, like web1 and web2, whilst the server has the DNS name SERVER1. web1 and web2 are just aliases of SERVER1.

For Kerberos to work I registered:
setspn -a http/SERVER1 domain\web_user
setspn -a http/server1.domain domain\web_user

For the web user I set constrained delegation to an SQL server and SharePoint Portal Server.

Now if I test website1 it works with Kerberos. I start Kerbtray and I get a ticket to http\server1.
I also check the event log of the server, and in the security log I also see my Kerberos authentication. On the SQL server it's also working.

Website2 also works with Kerberos. But at some point website2 has to get data from website1 using a web service, and then we get an error "The request failed with HTTP status 401: Unauthorized". So I have a Kerberos ticket for the application pool, and if it has to pass credentials between web1 and web2 it doesn't work.

I have another setup in our test environment and there the above works, but not in production.

Any advice?
Thanks

Please note that I'm a server administrator and not a programmer.
Question by:Bereke
4 Comments
Expert Comment by: changlinn, ID: 33452224
Firstly I would suggest separate application pools to simplify things; this may actually fix it.
I would also suggest you don't run your application pools as domain users, as this is unnecessary and may give the application more access than intended. Run them as local users, then remove the anonymous login checkbox from the site's directory security and authentication and access control config; in the same spot tick basic auth (you may want to use SSL to encrypt this authentication unless the site is only internally accessible and the risk from the inside is small), and then grant a domain group access to the site.
Now your users will get a login prompt and basically access the site as their user on the domain.

Accepted Solution by: Bereke (earned 0 total points), ID: 33472917
Hello changlinn,

My problem is already solved. I created separate application pools for the sites that have to work with Kerberos authentication. I created host (A) records for each site name, e.g. website1, website2 and website3; before, they were just aliases of the server name.
For Kerberos you have to register the SPN, so if I work with the aliases I register it under the hostname and not the alias. But other sites that just use integrated security (NTLM) would then also be affected and start using Kerberos. I had that issue where the other sites with integrated security stopped working.
So to fix it, I created a separate app pool for each site that uses Kerberos. I also created a separate AD account for each app pool. SPNs are registered on the site's name (each as a host (A) record) under the respective AD user account.
So if I surf to WEBSITE1, I get a Kerberos ticket for website1, and the other sites that use the server name (or aliases (CNAME)) are not affected.
To pass the credentials I set up delegation on my corresponding AD accounts and everything is working like a charm.
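The layout from the accepted solution (one A record, one app pool account and one HTTP SPN pair per site), as an added example that is not part of the original thread. It assumes the domain contoso.local, the site hosts website1..website3 and the accounts svc_web1..svc_web3; it refuses to add an SPN that some other account already owns, since a duplicate SPN is exactly what makes Kerberos silently fall back to NTLM or fail with 401.

```powershell
# Added example, not from the original thread. Run as a domain admin on a
# domain-joined host with setspn.exe available (RSAT / DC).
$domainDns = 'contoso.local'        # assumed domain DNS name
$sites = [ordered]@{                # site host (A record) -> dedicated app pool account
    'website1' = 'svc_web1'         # assumed names
    'website2' = 'svc_web2'
    'website3' = 'svc_web3'
}

function Test-SpnRegistered {
    param([string]$Spn)
    # setspn -Q prints "Existing SPN found!" when any account already owns the SPN
    $out = (& setspn.exe -Q $Spn 2>&1) | Out-String
    return ($out -match 'Existing SPN found')
}

function Register-SiteSpns {
    param([string]$SiteHost, [string]$Account)
    # Short name and FQDN: IIS may be reached either way, so both need an SPN
    foreach ($spn in @("http/$SiteHost", "http/$SiteHost.$domainDns")) {
        if (Test-SpnRegistered $spn) {
            Write-Warning "$spn already registered elsewhere; owner: setspn -Q $spn"
            continue
        }
        # -S (rather than the thread's -a) checks for duplicates before adding
        & setspn.exe -S $spn "$env:USERDOMAIN\$Account"
    }
}

foreach ($site in $sites.Keys) {
    Register-SiteSpns -SiteHost $site -Account $sites[$site]
    # Show what ended up on the account, so each site maps to exactly one identity
    & setspn.exe -L "$env:USERDOMAIN\$($sites[$site])"
}

# Forest-wide duplicate scan: any SPN owned by two accounts breaks Kerberos
& setspn.exe -X
```

Constrained delegation (the msDS-AllowedToDelegateTo list to the SQL and SharePoint SPNs) is then set per account in Active Directory Users and Computers on the Delegation tab, as the accepted answer describes.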
Expert Comment by: younghv, ID: 34580875
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.