AcceptSecurityContext (Kerberos) returns SEC_E_LOGON_DENIED

Question

Hi,

I am trying to write a simple application that performs Kerberos authentication (no mutual authentication for now).

The operating system is Windows server 2003, standard edition. I have setup Active directory and created an SPN using setspn tool.

AcquireCredentialsHandle returns SEC_E_OK both on client and on server.

InitializeSecurityContext on client side returns SEC_E_OK.

AcceptSecurityContext on server side returns SEC_E_LOGON_DENIED.

I am sure there's nothing wrong in my code since the same behaviour I see when using the sample application from the following MSDN article: http://msdn.microsoft.com/en-us/magazine/dvdarchive/bb985043.aspx

So I guess there is something wrong in my setup. But I can't find out what. Maybe I have missed something in SPN setup? Any help is appreciated.

Regards, David.

Answer 1

Did you find any solution, even I have similar situtation, please let me know if you have any solution.

Answer 2

Yes, the problem was the following: Say, your computer name is COMP, domain NetBios name is DOMAIN, the SPN you want to register is MyService/COMP. "setspn -A MyService/COMP COMP" command registers the SPN for SYSTEM account! And when your process which belongs to another account (say Administrator) wants to act as a server for that SPN, it understandabaly fails. You may either run your server as SYSTEM (google for how to do it) or (which is better) register the SPN for administrator (or any other) account using the following command: setspn -A MyService/COMP DOMAIN\Administrator

Regards, David.