
I'm on IIS6 and ASP.NET 3.5 SP1.

I decided that my ASP.NET web application should have a dedicated application pool and a dedicated identity, because this identity is granted access to a sensitive file share that the web application uses. The web application uses Integrated Windows Authentication for the incoming users, and my problem is that when the application pool is set to a dedicated identity, all incoming users fail to authenticate, i.e. the login box (from Internet Explorer) re-appears after the user submits his password. This problem does not occur when the application pool is set to the NETWORK SERVICE identity.

The dedicated identity has been granted access to the machine's IIS_WPG group and I have tried the following command:

aspnet_regiis.exe -GA myDomain\myDedicatedIdentity

But still no luck. Any suggestions? Any privileges that I forgot to grant to this identity?

Gudmundur Orn

2 Answers


I found the solution to my problem: set up an HTTP SPN with the NetBIOS name and the fully qualified domain name (FQDN) of the domain user account that the application pool is running under. Here's the article: http://support.microsoft.com/kb/871179

Gudmundur Orn

Probably a Kerberos issue.

I'd initially try:

cscript adsutil.vbs set w3svc/1/root/NTAuthenticationProviders "NTLM"

Where the 1 is the web site.

Once you've determined if it is Kerberos, you can either continue on NTLM only, or set the SPNs for your site/URL on the Service Account.

Christopher_G_Lewis
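The SPN registration both answers point to, as an added example that is not part of either post: a PowerShell sketch that adds the two HTTP SPNs to the application pool account only when they are missing, then lists what is registered. The account name is the one from the question; the host names are hypothetical placeholders, assumed to be the web server's NetBIOS name and FQDN as clients enter them in the URL.

```powershell
# Added example, not from the original posts.
# Run from an account allowed to write servicePrincipalName on the target
# account (typically a domain administrator).

$Account = 'myDomain\myDedicatedIdentity'   # app pool identity from the question
$NetBios = 'WEBSERVER01'                    # hypothetical placeholder
$Fqdn    = 'webserver01.mydomain.example'   # hypothetical placeholder

# Kerberos clients request a ticket for HTTP/<host name in the URL>, so both
# the short name and the FQDN need an SPN on the account that runs the pool.
$wanted = @("HTTP/$NetBios", "HTTP/$Fqdn")

# setspn -L prints a header line followed by one indented SPN per line.
$existing = @(& setspn.exe -L $Account | ForEach-Object { $_.Trim() })
if ($LASTEXITCODE -ne 0) {
    throw "setspn -L failed for $Account (account not found or no access)"
}

foreach ($spn in $wanted) {
    # -contains compares case-insensitively, which matches how SPNs are compared.
    if ($existing -contains $spn) {
        Write-Host "Already registered: $spn"
        continue
    }
    # An SPN must exist on exactly one account in the forest. If the same
    # HTTP/<host> SPN is also on the computer account or another user,
    # Kerberos authentication fails, so remove the stray copy first.
    & setspn.exe -A $spn $Account
    if ($LASTEXITCODE -ne 0) {
        throw "setspn -A $spn failed for $Account"
    }
    Write-Host "Registered: $spn"
}

# Show the final state for the change record.
& setspn.exe -L $Account
```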