Client can’t authenticate to IIS site using Kerberos

We have several IIS-hosted sites using Windows authentication. Some of our users can log on to one of the sites but get a never-ending authentication challenge in another (the second one is used in an iframe of the first). We found out that the users who can't log on are using Kerberos authentication (the others NTLM). All of the sites are using the same authorization settings (useAppPoolCredentials set to true). Thus users can access one site but can't access the second one with the same settings. The app pool identity user is in the Administrators group and the IIS_IUSRS group. I also tried to use the domain user account to log on to the site from a VM and got the same never-ending authentication prompt because of Kerberos. I've read Chiranth Ramaswamy's article about IIS authentication but unfortunately couldn't find a solution to the problem. Is there any way to solve the problem?

EDIT: We also have a 2nd server with the same sites and settings.

EDIT2: I found out that I can log on with the same domain user account if I don't include the domain in the login. Thus "UserName" works and "DomainName\UserName" doesn't.

Answer

Fair bit to troubleshoot there, and more detail would be helpful, including how you set Kerb up, what other sites are there, and URLs in use.

In short: I think Kerb’s broken. And that to make it work, you could potentially use an IP address instead of the name. (Kerb only works if you use a name, not an IP address).

I suspect you’re not decoding the tickets in the context of the App Pool Account (which, by the way, should almost never be an Administrator).

This could be because of a duplicate SPN, or some other aspect of Kerb being broken.

It’s also possible it’s a client-side browser setting like “Enable Integrated Windows Authentication” vs a PAC script and/or zone settings.

So! Shopping list:

  • Check the zone(s) the site is loading into if using IE.

  • Check the Enable Integrated Windows setting if using IE.

  • Reboot a broken client (or at the very least klist purge) and then get a netmon or wireshark trace of a failed connection, from the client side. This might identify some KDC response issues, i.e. Kerberos errors being returned which provide a clue as to what might be breaking Kerb.

  • If you’re using useAppPoolCredentials, odds are you’ve used SetSPN. Check for duplicates of all SPNs involving the site name(s).

  • Finally, if you’re not using delegation, consider removing useAppPoolCredentials anyway, as by default, the System account will decode the tickets for all App Pools if there’s no SPN override in place.

Attribution
Source: Link, Question Author: eleven_zwolf, Answer Author: TristanK
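The answer's shopping list (duplicate SPN check, which account decrypts the tickets, klist purge and a client-side reproduction) can be run as one script on the IIS server. The script below is an added example for this page, not code from the question or the answer; the host name intranet.corp.example, the site name and the app pool name are hypothetical placeholders and must be replaced with the real ones. It assumes the ActiveDirectory and WebAdministration PowerShell modules are installed and that it runs in an elevated session on the web server.

```powershell
# Added example (not from the original Q&A). All names in param() are assumptions.
#Requires -Modules ActiveDirectory, WebAdministration

param(
    [string]$SiteHost    = 'intranet.corp.example',   # assumption: host name users browse to
    [string]$SiteName    = 'Default Web Site',        # assumption: IIS site name
    [string]$AppPoolName = 'DefaultAppPool'           # assumption: app pool serving the site
)

$spn = "HTTP/$SiteHost"

# 1. Who holds the SPN? Exactly one account should. Zero holders means the KDC cannot issue a
#    ticket for this name at all; two or more is the duplicate-SPN case the answer describes.
$holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName
$holderNames = @($holders | ForEach-Object { $_.sAMAccountName })
switch ($holderNames.Count) {
    0       { Write-Warning "No account holds ${spn}; the KDC will not issue a ticket for this name." }
    1       { Write-Host "$spn is registered to $($holderNames[0])" }
    default { Write-Warning "DUPLICATE SPN: $spn is registered to $($holderNames -join ', ')" }
}

# 2. Which identity will decrypt the ticket? With useAppPoolCredentials=true it is the app pool
#    identity, so the SPN holder must be that account; otherwise it is the machine account (HOST$).
$pool = Get-Item "IIS:\AppPools\$AppPoolName"
$identityType = $pool.processModel.identityType
$filter = 'system.webServer/security/authentication/windowsAuthentication'
$useAppPoolCreds = (Get-WebConfigurationProperty -Filter $filter -Name useAppPoolCredentials `
                        -PSPath "IIS:\Sites\$SiteName").Value
$providers = (Get-WebConfiguration -Filter "$filter/providers/add" -PSPath "IIS:\Sites\$SiteName").value
Write-Host "Site '$SiteName': useAppPoolCredentials=$useAppPoolCreds; providers=$($providers -join ', '); pool identity type=$identityType"

$expectedHolder = if ($useAppPoolCreds -and $identityType -eq 'SpecificUser') {
    ($pool.processModel.userName -split '\\')[-1]     # strip DOMAIN\ to get sAMAccountName
} else {
    "$env:COMPUTERNAME`$"                             # machine account
}
if ($holderNames.Count -eq 1 -and $holderNames[0] -ne $expectedHolder) {
    Write-Warning "SPN holder '$($holderNames[0])' is not the account that decrypts tickets ('$expectedHolder'); Kerberos will fail even though NTLM works."
}

# 3. Reproduce from the client side: flush cached tickets, then ask the KDC for a service ticket.
#    A KDC error here is the same thing the netmon/wireshark trace in the answer would surface.
klist purge | Out-Null
$ticket = klist get $spn 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning ("Ticket request for $spn failed:`n" + ($ticket -join "`n"))
} else {
    Write-Host "Service ticket obtained for ${spn}:"
    $ticket | Select-String 'Server:'
}
```

Run it once per affected site host name (including any alias users type into the iframe URL, since each name needs its own HTTP/ SPN). A duplicate in step 1, or a mismatch in step 2 between the SPN holder and the account that actually decrypts the ticket, matches the never-ending prompt symptom: the browser sends a Kerberos ticket, IIS cannot decrypt it, and the client is re-challenged instead of falling back to NTLM.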
