Pulling what little hair I have left over getting Kerberos authentication working. There are so many variables at play but I know that one piece of the jigsaw that I have to get working is proving problematic.
I have a web app that authenticates users via forms authentication. They are then validated with an Active Directory membership provider (they provide a domain-qualified Windows user ID as the forms login) and I use impersonation and delegation to access external resources such as other web apps.
Since the web app (IIS7) runs under the service account I have set up for its app pool, my understanding is that I have to set up an SPN against the app pool account. The web app URL is in the form <server>/<appname> so I should set an SPN of HTTP/server/appname against the user. I can do this with the setSPN utility but the ticket doesn't appear in Kerbtray for that user and various diagnostic tools tell me it's invalid.
I think I've followed all the rules for naming conventions so there must be something I'm missing.
Any help would be greatly appreciated.
