IIS integrated authentification file share permission problem

[ng.w.purrer]

I have one windows 2003 Server which is working as an ASP.net webserver
in an active directory environment.

Through this asp.net application I'd like to access files on a
fileshare.

The netbios - name from the webserver is "test1" with the ip adress
192.168.0.1.
but in the dns i have configured a second name test with the ip adress
192.168.0.2

(In the network configuration I added the second adress to the adapter
of the first.)

If i use the name test1 in the browser the access to the file through
the asp.net applications work well,
but if i use the name test i get an access denieded from the access to
the share.

the server "test1" is trusted for delegation (kerbos), the
authentifcation mode is integrated authentification, in the webconfig
file identity impersonate is true.

I read the
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q207671 but it
is for iis4 and ii5
and http://support.microsoft.com/?id=832769 but this doesn't work but i
heard something from spn (but in this topic it is used for the sql -
server)

So I tried
setspn -A host/test test1 didn't work neither setspn -A http/test test1

Do you have some suggestions?

 

[Joe Kaplan \(MVP - ADSI\)]

How is the second name "test" configured in DNS? Is it a CNAME or A record?
My experience with Kerberos is that when using DNS-based names, it only
forms SPNs based on A records. Thus, if your client specifies a name that
is the CNAME, Kerberos will look that up in DNS, find the object with the A
record name and build the SPN based on it. That may have something to do
with what's going on.

The best thing to do when troubleshooting delegation stuff is enable logon
event auditing on all servers so that you can see when Kerberos is being
used and what SPN was used and you can also see when Kerberos can't be
negotiated and NTLM is attempted (which won't delegate).

Network traces are also often helpful.

Joe K.