
Problem accessing server after using SETSPN

 
  

Author: ssg31415926 (External; since Aug 02, 2007; posts: 2)
Posted: Thu Aug 02, 2007 10:16 am    Post subject: Problem accessing server after using SETSPN
Archived from groups: microsoft>public>win2000>security

I've got an IIS website which uses an AppPool with a network ID. In
order to access the site using IE, after disabling Anonymous access, I
discovered that I had to create SPNs for the network account. I did
and everything seemed okay. But now, when I try to open the web using
Visual Studio 2005, I get an authentication dialog - this
didn't previously happen. Entering my own creds returns the same
dialog. I've tried server creds and even domain admin and I get the
same response. I created a local ID on the server and made it a
member of Administrators and this worked. But I'm not happy about
this because it shouldn't need me to do this. And it suggests I'll
see other problems in the future.

Immediately after running SETSPN (which I did twice, once with the
plain server name and once with the server FQDN), and then rebooting
the server, there was a Kerberos error in the System log: (Event ID 4
- The kerberos client received a KRB_AP_ERR_MODIFIED error from the
server host/server-fqdn-removed. The target name used was
HTTP/server-fqdn-removed. This indicates that the password used to encrypt the
kerberos service ticket is different than that on the target server.
Commonly, this is due to identically named machine accounts in the
target realm (DOMAIN-DNS-NAME-REMOVED), and the client realm. Please
contact your system administrator. I tried another reboot and saw the
same error.) Then I ran SETSPN -R servername and later rebooted and
the Kerberos error went away. However, the problem remains.

In the server Security log, I see two events (Event ID 529 Logon
Failure - Unknown user name or bad password, logon type 3, logon
process Kerberos, Authentication Package Kerberos) after trying to
open the web and then again for each attempt to enter some
credentials. But I can remote desktop onto the server using a set of
creds which generates this error when I use them in the authentication
dialog. So, it appears the server can authenticate the creds when
used to log in through mstsc but not when connecting using VS2005.

Anyone got any ideas?