We’ve spent this morning struggling with IIS, trying to get Integrated Authentication working. You would think that it’s just a matter of switching IIS Settings and making sure that the calling user has got permission to the folder and files that need to be called. If only life were that simple!!
It turns out that is your application pool is running under any other user besides “Network Service”, authenticating the user doesn’t work. The user will keep getting prompted with a login prompt regardless of whether correct credentials are supplied or not. At this point we downloaded and installed AuthDiag to
get a better idea what was going on. AuthDiag is a pretty slick tool that lets you troubleshoot authentication problems in IIS. It’s a definite must-have in any developer/infrastucture bod’s arsenal. AuthDiag came back with:
Service principal name (SPN) for user ‘<user>’ not found in Active Directory
which was the first time I’ve ever heard of an SPN. The reported user above was the user that the Application Pool was running under. (We had previously tried to make the AppPool user a Domain Admin and a Local Admin, but were still failing authentication.)
Anyway, some research on SPNs led to a couple of interesting articles:
- HOWTO: Troubleshoot Kerberos-Related Issues in IIS
- Service Logons Fail Due to Incorrectly Set SPNs
- Troubleshooting Kerberos Delegation
Turns out that an SPN is a unique identifier required for any service that makes use of Kerberos. The SPN is assigned to the account under which the service the SPN identifies is running. The problem is caused by the fact that IIS creates SPNs for itself on installation, but these only work for “Network Service” and “Local System”. In the end we had to create our own SPNs using the setspn command-line tool (under Support Tools)
Turns out there’s a KB Article that talks about this problem and it’s resolution (and a workaround -> turn off Kerberos): You receive an “HTTP Error 401.1 – Unauthorized: Access is denied due to invalid credentials”
error message when you try to access a Web site that is part of an IIS 6.0 application pool
I am right in the middle of this same problem and have been working on it for hours now. Can you post the setspn command line you used along with a legend of what each variable is? I’ve already added http SPN’s to the user that’s in the Identity tab of the App Pool, but this didn’t do it. I believe I have to add an SPN to the Server object in AD that somehow mentions the user in the Identity tab of the App Pool, but I’m struggling with trying to get the syntax right. It would even be helpful if you went into ASDI Edit and did a print screen of the SPN’s for your server. I can add them manually via ASDI Edit if I knew the syntax.
Thanks so much for posting this because I thought I was the only one! Leave it to Microsoft. They’ve always got us admins pulling our hair out!
Thanks, Owen.
Christine
Scratch my questions. I found my answers in the KB article you mentioned (871179). I am all set now and I am so grateful for your post!
Christine
ummm…turning off kerberos is a bad idea.