RE: ASP.NET and IIS Security

Make sure that the domain account's "Trust this account to delegate
credentials" is checked. This option should be checked on the active
directory under users I suppose. Google for that and check it on your active
directory.

"Competitive Dad" wrote:

Hi,

Further information, I do not have this problem if the website is running in
an application pool using an account local to the server. It only happens
when I run the application pool under a domain account.

So there you go, a little bit more to the puzzle.

Thx,

CD

"Competitive Dad" wrote:

Hi Diffident,

I'm not sure I entirely follow that. If I go on the server and use setspn -L
to list the SPNs for the server there is an entry for the hostname. I'm not
aware that you can set an SPN for an IP adress.

One thing for sure is I cannot set anything on the client machine because I
cannot role anything out on the client machine, access to the system is via a
browser.

Thx,

CD

"Diffident" wrote:

You might not have an SPN for the host header while there might be an SPN for
the IP address.

"Competitive Dad" wrote:

I have a curious issue which is really causing me to scratch my head.

I have a site that has two virtual directories attached to it (same physical
folder). One virtual directory uses Windows Authentication, the other is
Anonymous. It is hosted on Windows 2003 server.

I have a Sign In button which when a user successfully enters credentials
they get directed from the anonymous site to the Windows authentication site.
There is something on a master page that checks for authentication and
directs accordingly.

The curious part is when I come to access the site via a browser from
another machine. If I access via IP address, I click Sign In, get a Windows
security challenge, enter a domain user that has access and everything is
fine.

If I access via the hostname (hostname is mapped via WINS) I get the
challenge as expected, but it never allows the user access, I get a 401 error.

Anyone any ideas as to why an IP address would be okay, but the hostname
wouldn't be?

Thanks,

Competitive Dad
.