Jéjé
2006-02-07 04:49:28 UTC
Hi,
I'm back with a Kerberos issue....
Some clients received a KRB_AP_ERR_MODIFIED error when trying to access my
web site (direct access, not through another web site).
It's a reportserver web site.
My server is an x64 server with SQL 2005 x64 installed.
My domain is a Win 2003 domain.
My IIS virtual server is set up to support both NTLM and Negotiate.
The app pool runs under the Network Service account.
I have executed these setspn commands:
setspn -a HTTP/<server>.<domain> <server>
setspn -a HTTP/<server> <server>
setspn -a HOST/<server>.<domain> <server>
setspn -a HOST/<server> <server>
I have double-checked my DNS names and there are no duplicates.
Same for my WINS.
I have removed the server from the domain and added it again.
There is no duplicated servicePrincipalName entry:
ldifde -f SPNdump.txt -s myDC -t 3268 -l servicePrincipalName
External clients connected through a VPN can access my web site while
internal users cannot!!!
The system asks for a login/password; if I type the local administrator
account/password, then I can access the site (local behaviour only).
The kerbtray utility displays my ticket:
HTTP/<server>.<domain>
with the right start time.
The Kerberos error logged in the event log appears only on the client side,
nothing on the server itself.
On other servers a similar configuration works fine.
Now I'm out of ideas!!!
Is there any DNS issue?
A name resolution issue?
If yes, where??? How to identify it, and how to resolve it?
Is there any issue between 32-bit and x64 servers?
Generally I have more problems with external users behind a VPN due to
possible NAT and IP address problems; but it's the opposite here!!!
Thanks for your help!!!
Jerome.
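An added example, not part of Jerome's post: a small Python script that reads the ldifde export he describes (`-l servicePrincipalName`) and lists any SPN registered on more than one account, the duplicate-SPN condition under which the KDC encrypts the service ticket with the wrong account's key and the service reports KRB_AP_ERR_MODIFIED. The sample dump and its account names are constructed; it also unfolds LDIF continuation lines, which a naive grep of the dump file would miss.

```python
from collections import defaultdict

# Constructed sample of the output of
# `ldifde -f SPNdump.txt -s myDC -t 3268 -l servicePrincipalName` (hypothetical names).
# The line beginning with a space is an LDIF continuation; svc-reporting carries
# the same HTTP/ SPN as SERVER1 once that line is unfolded.
SAMPLE_LDIF = """\
dn: CN=SERVER1,OU=Servers,DC=example,DC=com
changetype: add
servicePrincipalName: HTTP/server1.example.com
servicePrincipalName: HTTP/server1
servicePrincipalName: HOST/server1.example.com
servicePrincipalName: HOST/server1

dn: CN=svc-reporting,OU=Service Accounts,DC=example,DC=com
changetype: add
servicePrincipalName: HTTP/server1.exam
 ple.com
"""

def unfold(text):
    """Join LDIF continuation lines (a line starting with one space) onto the previous line."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out

def spn_owners(text):
    """Map each SPN (compared case-insensitively) to the list of DNs that carry it."""
    owners, dn = defaultdict(list), None
    for line in unfold(text):
        attr, sep, value = line.partition(": ")
        if not sep:
            continue                      # blank separator line or malformed line
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "serviceprincipalname" and dn:
            owners[value.lower()].append(dn)
    return owners

def find_duplicate_spns(text):
    """SPNs carried by more than one account: a classic cause of KRB_AP_ERR_MODIFIED."""
    return {spn: dns for spn, dns in spn_owners(text).items() if len(dns) > 1}

if __name__ == "__main__":
    for spn, dns in find_duplicate_spns(SAMPLE_LDIF).items():
        print(f"duplicate SPN {spn}: {', '.join(dns)}")
```

Run it against the real SPNdump.txt by reading the file into `find_duplicate_spns`; an empty result means SPN duplication is not the cause and the hunt moves to name resolution (a CNAME or stale WINS record pointing the HTTP/ name at a different host).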