Mark Minasi's Reader Forum
 Kerberos ticket
dynek (Welcome Newcomer, Switzerland, 2 Posts)
Posted - 06/30/2010 : 03:27:54 AM
Hello guys,

I developed a web application that uses impersonation to query the AD and connect to SMS/SCCM.
This application works fine on the server A on which it is currently hosted but we need to move it to a big infrastructure (server B).

When I say it works fine I mean impersonation works, Wireshark shows that a Kerberos ticket is negotiated and klist displays it as well. Server A is trusted for delegation in AD so no SPN was required.

Now on the second server (server B) the web app is throwing errors because impersonation doesn't work.
The server is not trusted for delegation in AD, the IIS App pool and website have been configured exactly the same as on server A (maybe there is an issue with NTAuthenticationProviders) but I don't see any Kerberos ticket negotiation.
On server B we set an SPN on a CNAME (the one of the website). After having seen Mark's Cracking Open Kerberos video, I understand it will not work. There is an SPN for both the hostname of the server and the FQDN though. That should help.

[edit1]
The website's authenticated access on server A and B is only set to Integrated Windows authentication.
[/edit1]


[edit2]
Using Wireshark shows that the first GET on server A doesn't say anything about NTLM or Kerberos, then server sends back WWW-Authenticate: Negotiate.
The first GET on server B shows NTLMSSP_NEGOTIATE in the header and packet from server says NTLM as well.
[/edit2]


Does anyone have an idea?

Thank you for your time, I appreciate it!

Edited by - dynek on 06/30/2010 08:38:34 AM

dynek (Welcome Newcomer, Switzerland, 2 Posts)
Posted - 07/07/2010 : 09:57:34 AM
Well, the CNAME has been replaced by an A record, we kept the SPN and it seems that fixed it!
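The naming rule behind the problem and the fix in the two posts above, as an added example that is not part of the original thread: Internet Explorer and other WinINet/WinHTTP clients resolve the URL host name and, when it is a CNAME, build the SPN from the canonical (A-record) name, so the KDC is asked for HTTP/<canonical-name> rather than HTTP/<cname>. If no account holds that SPN, no ticket is issued and the browser falls back to NTLM inside the Negotiate header, which is what Wireshark shows as NTLMSSP_NEGOTIATE. The script models that lookup against a constructed DNS zone and SPN table (all host names, accounts and tokens are hypothetical), and adds a small classifier that tells Kerberos from NTLM in the first Authorization header so the fallback can be spotted without a packet capture.

```python
"""Added example, not from the thread: SPN derivation across a CNAME, plus a
classifier for the token in an `Authorization: Negotiate` request header.
All host names, accounts, SPNs and tokens below are constructed."""
import base64

# Constructed zone before the fix: the site name is a CNAME to the server.
DNS_BEFORE = {
    "intranet.example.com": ("CNAME", "serverb.example.com"),
    "serverb.example.com": ("A", "10.0.0.20"),
}
# Constructed zone after the fix from the thread: the CNAME became an A record.
DNS_AFTER = {
    "intranet.example.com": ("A", "10.0.0.20"),
    "serverb.example.com": ("A", "10.0.0.20"),
}
# Constructed servicePrincipalName values per account (what `setspn -L` lists).
SPN_TABLE = {
    "EXAMPLE\\SERVERB$": {"HOST/SERVERB", "HOST/serverb.example.com"},
    "EXAMPLE\\svc-webapp": {"HTTP/intranet.example.com"},
}


def canonical_name(name, zone, max_hops=8):
    """Follow CNAME records to the canonical name, as the resolver does."""
    hops = 0
    while zone.get(name, ("A", None))[0] == "CNAME":
        name = zone[name][1]
        hops += 1
        if hops > max_hops:
            raise ValueError("CNAME chain too long")
    return name


def expected_spn(url_host, zone, canonicalize=True):
    """SPN the client asks the KDC for. canonicalize=False models a client
    configured to use the host name exactly as typed in the URL."""
    host = canonical_name(url_host, zone) if canonicalize else url_host
    return "HTTP/" + host


def spn_holder(spn, spn_table):
    """Account holding `spn` (case-insensitive), or None. Exact matching only;
    the KDC's HOST/ fallback for machine accounts is not modelled here."""
    wanted = spn.lower()
    for account, spns in spn_table.items():
        if wanted in {s.lower() for s in spns}:
            return account
    return None


def diagnose(url_host, zone, spn_table):
    """Which SPN will be requested, who holds it, and what the client will do."""
    spn = expected_spn(url_host, zone)
    holder = spn_holder(spn, spn_table)
    return {"spn": spn, "holder": holder,
            "result": "Kerberos" if holder else "no ticket -> NTLM fallback"}


# --- Telling Kerberos from NTLM in the first Authorization header -----------

def der(tag, content):
    """Minimal DER TLV encoder (definite-length form)."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + content


OID_SPNEGO = b"\x2b\x06\x01\x05\x05\x02"                    # 1.3.6.1.5.5.2
OID_KRB5 = b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"         # 1.2.840.113554.1.2.2
OID_MS_KRB5 = b"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"      # 1.2.840.48018.1.2.2
OID_NTLMSSP = b"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"  # 1.3.6.1.4.1.311.2.2.10
MECHS = [("Kerberos", OID_MS_KRB5), ("Kerberos", OID_KRB5), ("NTLM", OID_NTLMSSP)]


def spnego_neg_token_init(mech_oids):
    """GSS-API InitialContextToken with a NegTokenInit whose mechTypes list is
    `mech_oids` (constructed sample; the mechToken itself is omitted)."""
    mech_types = der(0x30, b"".join(der(0x06, oid) for oid in mech_oids))
    neg_token_init = der(0x30, der(0xA0, mech_types))
    return der(0x60, der(0x06, OID_SPNEGO) + der(0xA0, neg_token_init))


def negotiate_header(raw_token):
    """Format a raw token the way the browser sends it."""
    return "Negotiate " + base64.b64encode(raw_token).decode()


def negotiate_token_kind(authorization_header):
    """Classify the token in `Authorization: Negotiate <base64>`. mechTypes are
    listed in preference order and the first entry is the one actually sent."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() == "ntlm":
        return "NTLM"
    if scheme.lower() != "negotiate":
        return "other"
    raw = base64.b64decode(token)
    if raw.startswith(b"NTLMSSP\x00"):
        return "NTLM"          # bare NTLMSSP with no SPNEGO wrapper
    if raw[:1] != b"\x60":
        return "unknown"       # not a GSS-API InitialContextToken
    found = [(raw.find(der(0x06, oid)), name) for name, oid in MECHS]
    found = [f for f in found if f[0] >= 0]
    return min(found)[1] if found else "unknown"
```

Run against the constructed data, `diagnose("intranet.example.com", DNS_BEFORE, SPN_TABLE)` asks for HTTP/serverb.example.com, which nobody holds, while the same call with `DNS_AFTER` asks for HTTP/intranet.example.com and finds it on the service account; that is the whole difference the CNAME-to-A change made. On a real server the equivalent checks are `setspn -L <account>` for the SPN table and `klist` on the client for the ticket actually obtained; the header classifier is a quick substitute for the Wireshark filter when only web server logs or a proxy are available.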

Curt (Moderator, USA, 6652 Posts)
Posted - 07/07/2010 : 3:11:38 PM
The SPN is important, because it's an attribute of the machine object.
Very good on the app.

Curt Spanburgh
Microsoft Certified Business Solution Specialist.
Dynamics CRM MVP
Contributing Editor, Windows IT Pro

He that is walking with wise persons will become wise, but he that is having dealings with the stupid ones will fare badly.
Proverbs 13:20
Mark Minasi's Reader Forum © 2002-2011 Mark Minasi Go To Top Of Page