pass credentials between two sites within one application pool

Hi,
I have an issue with a webserver and kerberos delegation.
I have 2 websites that run in the same application pool. The application pool runs under web_user (an AD account). The websites each have their own host header, web1 and web2, whilst the server has the DNS name SERVER1. web1 and web2 are just aliases of SERVER1.

For kerberos to work I registered:
setspn -a http/SERVER1 domain\web_user
setspn -a http/server1.domain domain\web_user

For web_user I set constrained delegation to an SQL server and a SharePoint Portal Server.

Now if I test website1 it works with Kerberos. I start kerbtray and I get a ticket for http\server1.
I also check the event log of the server, and in the security log I also see my Kerberos authentication. On the SQL server it's also working.

Website2 also works with Kerberos, but at some point website2 has to get data from website1 using a web service, and then we get an error "The request failed with HTTP status 401: Unauthorized". So I have a Kerberos ticket for the application pool, and if it has to pass credentials between web1 and web2 it doesn't work.

I have another setup in our test environment and there the above works, but not in production.

Any advice?
Thanks

Please note that I'm a server administrator and not a programmer.
Bereke asked:
changlinn commented:
Firstly I would suggest separate application pools to simplify things; this may actually fix it.
I would also suggest you don't run your application pools as domain users, as this is unnecessary and may give the application more access than intended. Run them as local users, then remove the anonymous login checkbox from the site's directory security and authentication and access control config, in the same spot tick basic auth (you may want to use SSL to encrypt this authentication unless the site is only internally accessible and the risk from the inside is small), and then grant a domain group access to the site.
Now your users will get a login prompt and basically access the site as their user on the domain.
Bereke (author) commented:
Hello changlinn,

My problem is already solved. I created separate application pools for the sites that have to work with Kerberos authentication. I created host (A) records for their site names, e.g. website1, website2 and website3; before, they were just aliases of the server name.
For Kerberos you have to register the SPN, so if I work with the aliases I register it under the host name and not the alias. But other sites that just use integrated security (NTLM) would then also be affected and start using Kerberos. I had that issue where the other sites with integrated security stopped working.
So to fix it, I created a separate app pool for each site that uses Kerberos. I also created a separate AD account for each app pool. SPNs are registered on the site referral (each as a host (A) record) under the respective AD user account.
So if I surf to WEBSITE1, I get a Kerberos ticket for website1 and the other sites that use the server name (or aliases (CNAME)) are not affected.
To pass the credentials I set up delegation on my corresponding AD accounts and everything is working like a charm.
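The layout Bereke ends up with (one host (A) record per site name, one application pool and one AD service account per Kerberos site, the site's SPNs registered on that account, and Kerberos constrained delegation set on the account) as an added PowerShell example. This is not code from the original thread; it uses the DnsServer, ActiveDirectory and WebAdministration modules, so it targets a newer IIS than the one in the post, and every name in it is assumed: the domain domain.local, SERVER1 at 10.0.0.10, sites website1 and website2 run by svc_web1 and svc_web2, and back ends sqlserver.domain.local and portal.domain.local. Because website2 calls a web service on website1, svc_web2 is also allowed to delegate to HTTP/website1, which is the hop that returned the 401 in the original setup. A CNAME alias is avoided deliberately: older Windows HTTP clients canonicalised the alias to SERVER1 before building the SPN, so the ticket was issued for HTTP/SERVER1 and landed on whichever account owned that SPN.

```powershell
# Added example, not from the original thread. All names below are assumptions.
# Run elevated on SERVER1 as an account allowed to write SPNs and
# msDS-AllowedToDelegateTo in AD and records in the DNS zone.
Import-Module DnsServer          # Get-/Add-DnsServerResourceRecord
Import-Module ActiveDirectory    # Set-ADUser
Import-Module WebAdministration  # IIS:\ drive, New-WebAppPool, New-Website

$domain   = 'domain.local'
$dnsHost  = 'dc1.domain.local'   # a DNS server hosting the zone (assumed)
$serverIp = '10.0.0.10'          # SERVER1 (assumed)
$webRoot  = 'C:\inetpub'

# One app pool and one AD account per Kerberos site. website2 calls the web
# service on website1, so its account must also delegate to HTTP/website1.
$sites = @(
    @{ Name = 'website1'; Account = 'svc_web1'
       DelegateTo = @('MSSQLSvc/sqlserver.domain.local:1433', 'HTTP/portal.domain.local') },
    @{ Name = 'website2'; Account = 'svc_web2'
       DelegateTo = @('MSSQLSvc/sqlserver.domain.local:1433', 'HTTP/portal.domain.local',
                      "HTTP/website1.$domain", 'HTTP/website1') }
)

foreach ($s in $sites) {
    $fqdn = "$($s.Name).$domain"
    $acct = "$env:USERDOMAIN\$($s.Account)"

    # 1. Host (A) record, not a CNAME to SERVER1, so the client asks for
    #    HTTP/<site name> instead of HTTP/SERVER1.
    $existing = Get-DnsServerResourceRecord -ZoneName $domain -Name $s.Name -RRType A `
                    -ComputerName $dnsHost -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $domain -Name $s.Name `
            -IPv4Address $serverIp -ComputerName $dnsHost
    }

    # 2. SPNs on the site's own account. setspn -S refuses to add a duplicate;
    #    a duplicate SPN is the classic way Kerberos silently falls back or fails.
    foreach ($spn in @("HTTP/$fqdn", "HTTP/$($s.Name)")) {
        setspn -S $spn $acct | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "SPN $spn not added for $acct (duplicate?)" }
    }

    # 3. Kerberos-only constrained delegation to the listed back-end SPNs.
    Set-ADUser -Identity $s.Account -Replace @{ 'msDS-AllowedToDelegateTo' = $s.DelegateTo }

    # 4. Dedicated app pool running as that account, site bound to the host header.
    $cred = Get-Credential -UserName $acct -Message "Password for $acct"
    $pool = "IIS:\AppPools\$($s.Name)"
    if (-not (Test-Path $pool)) { New-WebAppPool -Name $s.Name | Out-Null }
    Set-ItemProperty $pool -Name processModel -Value @{
        identityType = 3                      # 3 = SpecificUser
        userName     = $acct
        password     = $cred.GetNetworkCredential().Password
    }
    $path = Join-Path $webRoot $s.Name
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    if (-not (Get-Website -Name $s.Name)) {
        New-Website -Name $s.Name -PhysicalPath $path -HostHeader $fqdn `
            -ApplicationPool $s.Name | Out-Null
    }

    # 5. Windows auth only. With a custom pool identity, useAppPoolCredentials
    #    makes IIS decrypt the ticket with the pool account, not the machine account.
    $auth = 'system.webServer/security/authentication'
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $s.Name `
        -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $s.Name `
        -Filter "$auth/windowsAuthentication" -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $s.Name `
        -Filter "$auth/windowsAuthentication" -Name useAppPoolCredentials -Value $true
}

# Verification: SPNs per account, then a forest-wide duplicate check.
foreach ($s in $sites) { setspn -L $s.Account }
setspn -X
```

After browsing to http://website1.domain.local from a client, `klist` on that client should show a ticket for HTTP/website1.domain.local rather than HTTP/SERVER1, and a trace of the website2 call should show a ticket for HTTP/website1.domain.local obtained on the user's behalf by svc_web2. Sites that stay on plain integrated authentication keep using the server name and are untouched, which is the other half of the fix described above.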
younghv commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.