Hi guys, I have a requirement to have a website running as a service account for IP reasons. I also want to be able to use AzMan for Auth/Auth of the users. For some reason I can't seem to get these working together. I have set up a sample app to test the waters that basically spits out some user credentials. Other than AzMan and the web.config setup, the app has no integration code (no logging/DB/web service interaction); it's a one-pager.

Running the app pool under the Network Service account with anonymous access denied, I get:
Windows Identity Check - Name: 'NT AUTHORITY\NETWORK SERVICE'
Request.LogonUserIdentity.Name = 'CT\rhyc'
HttpContext.User.Identity.Name = 'CT\rhyc'
User.Identity.Name = 'CT\rhyc'
Is in UserRole = 'True'

...which is all good, everything is working; however, the service account is Network Service, not the service account I am supposed to be using. If I switch the account to the service account I get the pop-up window asking for user credentials (which I don't want, it should be single sign-on); however, I was getting these credentials passed down in the previous setup (CT\rhyc).

There has been a setspn command run for the website (apparently), but I don't really know what an SPN does, let alone how to check it. Also, if I allow anonymous access with the app pool running as the service account, I get:
Windows Identity Check - Name: 'CT\SVC-PERAT2-T2DEV'
Request.LogonUserIdentity.Name = 'PERAT2NTAH3WD1\CVX_IUSR'
HttpContext.User.Identity.Name = ''
User.Identity.Name = ''
Is in UserRole = 'False'

Sorry guys, I'm an IIS n00b; it is not normally something I would do, however our admins don't seem to know much about IIS so it's left to me.. :(

Any help is much appreciated.

RhysC

+1  A: 

With SPNs you are getting into the world of Kerberos. This is typically an area of the unknown.

There is a great whitepaper that walks through troubleshooting security around this: http://www.microsoft.com/DOWNLOADS/details.aspx?FamilyID=7dfeb015-6043-47db-8238-dc7af89c93f1&displaylang=en

It explains how to turn on more logging to get to the root of the auth problem. Usually it is to do with delegation in Exchange not being set up to pass the credentials of a user on, etc.

More here: http://support.microsoft.com/kb/262177

Jeremy Thake
A: 

OK, so it looks like we were barking up the wrong tree. Kerberos was never required; somehow it got slipped through Chinese whispers. We have changed to just NTLM and all is well.

Command below:
cscript adsutil.vbs set w3svc/1152622725/root/NTAuthenticationProviders "NTLM"

where 1152622725 was the website ID.

Thanks for all the help guys. Lesson learned: don't f__k with Kerberos, because it bites back!

RhysC
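To make the change in the answer above checkable rather than a guess, here is an added PowerShell example (not from the thread) that reads the site's NTAuthenticationProviders value from the IIS 6 metabase and lists the HTTP SPNs registered to the app pool account, so you can tell whether Kerberos could have worked before settling on NTLM-only. The site ID and account name are taken from the thread; the host name and the exact shape of the setspn output are assumptions. Restricting a site to NTLM also gives up Kerberos mutual authentication and delegation, so it is a per-site workaround, not a default.

```powershell
# Added example (not from the thread): verify IIS 6 auth providers and HTTP SPNs.
# Assumptions: site ID and account are the ones quoted in the thread; the host
# name is a placeholder. Needs the IIS 6 ADSI provider and setspn.exe on the box.
param(
    [string]$SiteId   = '1152622725',           # website ID from the thread
    [string]$Account  = 'CT\SVC-PERAT2-T2DEV',  # app pool identity from the thread
    [string]$HostName = 'www.example.invalid'   # placeholder: the name clients use
)

# 1. Read NTAuthenticationProviders from the site root (what adsutil.vbs sets).
$root      = [ADSI]"IIS://localhost/W3SVC/$SiteId/Root"
$providers = [string]$root.NTAuthenticationProviders
if (-not $providers) { $providers = 'Negotiate,NTLM (inherited default)' }
Write-Host "NTAuthenticationProviders for site $SiteId : $providers"

# 2. List SPNs registered to the service account; setspn wants the sAMAccountName.
$sam       = $Account.Split('\')[-1]
$setspnOut = & setspn.exe -L $sam 2>&1
$httpSpns  = $setspnOut | Where-Object { $_ -match '^\s*HTTP/' } |
             ForEach-Object { $_.Trim() }

# 3. Kerberos only works if the client-facing name has an HTTP SPN on the account
#    the app pool really runs as. Network Service uses the machine account, which
#    is why the first setup in the question worked and the service account did not.
$expected = "HTTP/$HostName"
if ($providers -match 'Negotiate') {
    if ($httpSpns -contains $expected) {
        Write-Host "OK: $expected is registered to $sam; Kerberos can be used."
    } else {
        Write-Warning "Negotiate is enabled but $expected is not registered to $sam."
        Write-Warning "Registered HTTP SPNs: $($httpSpns -join ', ')"
        Write-Warning "Register the SPN on this account, or restrict the site to NTLM."
    }
} else {
    Write-Host "Site is NTLM-only; SPNs are not consulted for this site."
}
```

Run it from an elevated prompt on the IIS 6 host; a duplicate SPN (the same HTTP/name on two accounts) also breaks Kerberos and can be found with setspn -X on newer Windows versions.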