Ludovic Beauquel

Writing on ASP.NET, C#, .NET, Microsoft.

Running ASP.NET application pool under a user domain account & windows authentication

When deploying an ASP.NET application that uses Windows authentication, I was able to log in using Firefox, whereas Internet Explorer returned a 401 response code.
Environment:

  • Server is Win 2k3 with IIS 6 and is in the domain
  • Application pool is running under a domain user identity.
  • Windows authentication is the only way to authenticate to the application
  • Users log in using their domain account (same domain as the appPool identity user)

Problem:
Not able to log in using IE, whereas it works with Firefox. In fact, IE is trying to use Kerberos authentication, whereas Firefox falls back to NTLM authentication.

Solution:
When you want to run an Application Pool under a domain user identity you have to execute the following steps:

  • Grant this user the ASP.NET permissions using:
    aspnet_regiis -ga MachineName\AccountName
  • Set the application pool identity to this user.
  • Create an SPN for a domain account using:
    setspn -A HTTP/webservername domain\customAccountName
    setspn -A HTTP/webservername.fullyqualifieddomainname domain\customAccountName

If you do not execute the last step, Kerberos authentication will fail. So if the domain administrator does not want to run it, your only savior will be to force NTLM authentication on IIS 6.
To force NTLM authentication on IIS 6, change the current directory to C:\InetSrv\adminscripts\ (where adsutil.vbs is) and run the following command:

cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
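
An added example (not from the original post) for confirming the diagnosis above: it classifies an `Authorization` header value, as copied from a proxy or network capture, as Kerberos or NTLM by inspecting the decoded token. The function names and the sample tokens are constructed for illustration.

```python
import base64

# DER-encoded mechanism OIDs that can appear in a Negotiate (SPNEGO) token.
MECH_OIDS = {
    bytes.fromhex("06092a864886f712010202"): "kerberos",  # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"): "kerberos",  # 1.2.840.48018.1.2.2 (legacy Microsoft)
    bytes.fromhex("060a2b06010401823702020a"): "ntlm",    # 1.3.6.1.4.1.311.2.2.10
}
NTLM_SIGNATURE = b"NTLMSSP\x00"

def classify_authorization(header_value):
    """Return (scheme, mechanism) for one HTTP Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("negotiate", "ntlm"):
        return scheme, "not-integrated"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return scheme, "malformed"
    if token.startswith(NTLM_SIGNATURE):
        # Raw NTLM message; the message type is a little-endian uint32 at offset 8.
        return scheme, "ntlm-type%d" % int.from_bytes(token[8:12], "little")
    if token[:1] == b"\x60":  # ASN.1 [APPLICATION 0]: GSS-API initial token
        # mechTypes are in client preference order: the earliest OID is what was tried first.
        hits = sorted((token.find(oid), name)
                      for oid, name in MECH_OIDS.items() if oid in token)
        if hits:
            return scheme, hits[0][1]
    return scheme, "unknown"

def tlv(tag, body):
    """Minimal DER tag-length-value encoder (short-form lengths only)."""
    return bytes([tag, len(body)]) + body

# Constructed sample tokens (skeletons, no real tickets or hashes).
SPNEGO_SAMPLE = tlv(0x60, bytes.fromhex("06062b0601050502")  # SPNEGO OID 1.3.6.1.5.5.2
                    + tlv(0xA0, tlv(0x30, tlv(0xA0, tlv(0x30, b"".join(MECH_OIDS))))))
NTLM_SAMPLE = NTLM_SIGNATURE + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2"

SAMPLE_HEADERS = [
    "Negotiate " + base64.b64encode(SPNEGO_SAMPLE).decode(),  # Kerberos preferred
    "NTLM " + base64.b64encode(NTLM_SAMPLE).decode(),         # NTLM negotiate message
]

if __name__ == "__main__":
    for value in SAMPLE_HEADERS:
        print(classify_authorization(value), value[:28] + "...")
```

A request that carries a Kerberos token and is still answered with 401 is consistent with the Kerberos failure described above; after forcing NTLM, the same check should report only NTLM messages.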

Resources:
Running Application Pool under domain user identity.
http://msdn.microsoft.com/en-us/library/ff649309.aspx
Disable kerberos
http://support.microsoft.com/kb/215383/en-us
Kerberos vs NTLM
http://msdn.microsoft.com/en-us/library/aa480475.aspx

Written by Ludovic Beauquel

September 10, 2011 at 6:00 am