IIS integrated authentification file share permission problem

Discussion in 'ASP .Net Security' started by ng.w.purrer@lenzing.com, Aug 3, 2006.

  1. Guest

    I have one windows 2003 Server which is working as an ASP.net webserver
    in an active directory environment.

    Through this asp.net application I'd like to access files on a
    fileshare.

    The netbios - name from the webserver is "test1" with the ip adress
    192.168.0.1.
    but in the dns i have configured a second name test with the ip adress
    192.168.0.2

    (In the network configuration I added the second adress to the adapter
    of the first.)

    If i use the name test1 in the browser the access to the file through
    the asp.net applications work well,
    but if i use the name test i get an access denieded from the access to
    the share.

    the server "test1" is trusted for delegation (kerbos), the
    authentifcation mode is integrated authentification, in the webconfig
    file identity impersonate is true.

    I read the
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q207671 but it
    is for iis4 and ii5
    and http://support.microsoft.com/?id=832769 but this doesn't work but i
    heard something from spn (but in this topic it is used for the sql -
    server)

    So I tried
    setspn -A host/test test1 didn't work neither setspn -A http/test test1

    Do you have some suggestions?
    , Aug 3, 2006
    #1
    1. Advertising

  2. How is the second name "test" configured in DNS? Is it a CNAME or A record?
    My experience with Kerberos is that when using DNS-based names, it only
    forms SPNs based on A records. Thus, if your client specifies a name that
    is the CNAME, Kerberos will look that up in DNS, find the object with the A
    record name and build the SPN based on it. That may have something to do
    with what's going on.

    The best thing to do when troubleshooting delegation stuff is enable logon
    event auditing on all servers so that you can see when Kerberos is being
    used and what SPN was used and you can also see when Kerberos can't be
    negotiated and NTLM is attempted (which won't delegate).

    Network traces are also often helpful.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    <> wrote in message
    news:...
    >I have one windows 2003 Server which is working as an ASP.net webserver
    > in an active directory environment.
    >
    > Through this asp.net application I'd like to access files on a
    > fileshare.
    >
    > The netbios - name from the webserver is "test1" with the ip adress
    > 192.168.0.1.
    > but in the dns i have configured a second name test with the ip adress
    > 192.168.0.2
    >
    > (In the network configuration I added the second adress to the adapter
    > of the first.)
    >
    > If i use the name test1 in the browser the access to the file through
    > the asp.net applications work well,
    > but if i use the name test i get an access denieded from the access to
    > the share.
    >
    > the server "test1" is trusted for delegation (kerbos), the
    > authentifcation mode is integrated authentification, in the webconfig
    > file identity impersonate is true.
    >
    > I read the
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q207671 but it
    > is for iis4 and ii5
    > and http://support.microsoft.com/?id=832769 but this doesn't work but i
    > heard something from spn (but in this topic it is used for the sql -
    > server)
    >
    > So I tried
    > setspn -A host/test test1 didn't work neither setspn -A http/test test1
    >
    > Do you have some suggestions?
    >
    Joe Kaplan \(MVP - ADSI\), Aug 3, 2006
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. =?Utf-8?B?TmV3dG9u?=

    Authentification in IIS

    =?Utf-8?B?TmV3dG9u?=, Mar 30, 2005, in forum: ASP .Net
    Replies:
    7
    Views:
    796
    Nick Goloborodko
    Mar 31, 2005
  2. Mykle

    Problem with authentification

    Mykle, Jul 27, 2007, in forum: Python
    Replies:
    0
    Views:
    219
    Mykle
    Jul 27, 2007
  3. Miguel Beltran R.

    Problem with urllib2 and authentification

    Miguel Beltran R., Apr 22, 2008, in forum: Python
    Replies:
    0
    Views:
    255
    Miguel Beltran R.
    Apr 22, 2008
  4. Klaus Ballmann
    Replies:
    1
    Views:
    97
    Joe Kaplan \(MVP - ADSI\)
    May 3, 2005
  5. Saraswati lakki
    Replies:
    0
    Views:
    1,317
    Saraswati lakki
    Jan 6, 2012
Loading...

Share This Page