I'm struggling around and hope you can help me.

Scenario: I wrote a web application on a test server and all works fine. I moved the finished application to the live system and I receive an HTTP 401 error if Windows authentication is enabled on IIS. I solved this problem by setting an SPN on the server name, e.g.

setspn -a http/contoso contoso

But it needs to work with my service account. I set the SPN for the service account like:

setspn -a http/contoso.com mydomain\serviceaccount
setspn -a http/contoso mydomain\serviceaccount

The application pool is running as mydomain\serviceaccount. Kerberos delegation is set for this account in Active Directory. But I still get a 401 error. For testing purposes, the service account has the Administrator role on this server.

John R Smith
Andre Heinze
  • The IIS is stupid and will still return 401 even when you are correctly authenticated if you are not authorized to access the resource. I wasted hours on this. Is that your case maybe? – Michael-O Jan 30 '18 at 16:17
  • I'm an administrator on this server, like the service account. I found some additional tutorials on how to solve this problem, but the IT administrator will not allow these steps on his domain, because we don't know if these possible solutions will solve our problem. On the development system all works fine. This problem exists only on the production system. The SPN is now set directly on the server and all works fine. – Andre Heinze Feb 01 '18 at 08:47
  • Turn on Wireshark and see whether your tickets are fine and check the Windows event logs. – Michael-O Feb 01 '18 at 10:55

1 Answer

This looks like a duplicate SPN issue. I believe you have done all the right things by adding SPNs for the service account, but there is one more step in IIS that you need to take to ensure that the application pool credentials are actually being used.

Click on the website and, in the center panel, click on Configuration Editor. Navigate to "system.webServer/security/authentication/windowsAuthentication" and here set "useAppPoolCredentials" to true and "useKernelMode" to false.

Follow this article for more info - https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/

Parvez Mulla
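The duplicate-SPN check and the two Configuration Editor settings from the answer above, scripted in PowerShell as an added example that is not part of the original answer. The site name `Default Web Site` is an assumption; the SPNs and the account name are the ones from the question.

```powershell
# Added example. Run in an elevated PowerShell session on the IIS server.
Import-Module WebAdministration

$site    = 'Default Web Site'          # assumption: replace with the real site name
$account = 'mydomain\serviceaccount'   # application pool identity from the question
$spns    = 'http/contoso', 'http/contoso.com'
$filter  = 'system.webServer/security/authentication/windowsAuthentication'

# 1. Each SPN must be registered on exactly one account. If http/contoso shows up
#    on both the computer account and the service account, that is the duplicate;
#    it can be removed from one of them with: setspn -D <spn> <account>
foreach ($spn in $spns) {
    Write-Host "--- accounts holding $spn"
    setspn -Q $spn
}
setspn -X            # search for duplicate SPNs
setspn -L $account   # list the SPNs registered on the service account

# 2. Confirm the site's application pool really runs as the service account.
$pool     = (Get-Item "IIS:\Sites\$site").applicationPool
$identity = (Get-Item "IIS:\AppPools\$pool").processModel.userName
if ($identity -ne $account) {
    Write-Warning "App pool '$pool' runs as '$identity', not '$account'"
}

# 3. Apply the two settings. The windowsAuthentication section is locked at site
#    level by default, so write it to applicationHost.config under a <location>
#    entry for the site.
$settings = @{ useAppPoolCredentials = $true; useKernelMode = $false }
foreach ($s in $settings.GetEnumerator()) {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
        -Filter $filter -Name $s.Key -Value $s.Value
}

# 4. Read the values back to verify what IIS will actually use.
foreach ($name in $settings.Keys) {
    $value = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $site -Filter $filter -Name $name).Value
    Write-Host "$name = $value"
}
```

After the change, running `klist` on a client that has just requested the site shows whether a ticket for the HTTP SPN was issued.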