Kerberos Authentication Errors




We're having an issue with Kerberos authentication for an ASP.NET app.

The web server is Windows 2003 R2 SP1, running IIS 6.0. We have an
ASP.NET app set up to use Windows Authentication. The app pool is set
up to run under a domain account instead of NETWORK SERVICE. We had to
add SPNs for the server and domain account in AD in order to make
authentication work and everything did work fine.

Now we want to remove the domain user from the app pool and go back to
using NETWORK SERVICE but it's not working. We're getting the 401.1
error we got before we had set up the SPNs and we were trying to use
the domain account.

What's going on here? The Event log on the client contains messages
like this:

"The kerberos client received a KRB_AP_ERR_MODIFIED error from the
server host/ourserver.ourdomain. This indicates that the password
used to encrypt the kerberos service ticket is different than that on
the target server. Commonly, this is due to identically named machine
accounts in the target realm (ourdomain), and the client realm.
Please contact your system administrator."

Not sure what they mean by "identically named machine accounts", but
we're not seeing any duplication in AD. Also we tried resetting the
server's machine account password in AD and it didn't help.

The web server contains errors like this in the event viewer:

Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 1.2.3.4
Source Port: 2166

You'll notice that the user name and domain aren't being passed in.
Does anyone have any ideas about this? Is there some kind of cache
that needs to be cleared out?

Thanks,
Dave
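The mechanism behind that KRB_AP_ERR_MODIFIED, as an added worked example that is not part of the original post: the KDC seals a service ticket under the long-term key of whichever account holds the requested SPN. If the HTTP SPN added for the domain account is still registered there after the app pool goes back to NETWORK SERVICE, the ticket is sealed with the domain account's key while IIS tries to open it with the computer account's key, so verification fails before any user name reaches the server's security log, which matches the empty User Name and Domain fields above. The Python below models that flow with a toy directory and a stand-in cipher (not real Kerberos); every account name, key, SPN and client principal in it is constructed, and the duplicate-SPN audit mirrors what an administrator would check with `setspn -L <account>` on the real domain.

```python
"""Constructed model of the Kerberos service-ticket path, written to show why an
SPN left on the old app-pool account makes the client log KRB_AP_ERR_MODIFIED.
Not real Kerberos: the cipher is an HMAC-based stand-in and every account, key
and SPN below is invented for the example."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


class KrbApErrModified(Exception):
    """Service could not verify the ticket: it was sealed under a key the
    service does not hold."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh nonce; stands in for the KDC encrypting the
    service ticket under the service principal's long-term key."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Service side: verify and decrypt with its own key, or fail the way an
    AP-REQ fails when the ticket was sealed under some other account's key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise KrbApErrModified("ticket does not verify under the service's key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Directory:
    """Minimal AD stand-in: account -> long-term key, account -> set of SPNs."""
    keys: dict = field(default_factory=dict)
    spns: dict = field(default_factory=dict)

    def register_spn(self, account: str, spn: str) -> None:
        self.spns.setdefault(account, set()).add(spn)

    def remove_spn(self, account: str, spn: str) -> None:
        self.spns.get(account, set()).discard(spn)

    def accounts_for_spn(self, spn: str) -> list:
        return sorted(a for a, s in self.spns.items() if spn in s)

    def duplicate_spns(self) -> dict:
        """SPNs registered on more than one account, the situation the event
        text calls 'identically named' accounts."""
        owners = {}
        for account, s in self.spns.items():
            for spn in s:
                owners.setdefault(spn, []).append(account)
        return {spn: sorted(a) for spn, a in owners.items() if len(a) > 1}


def simulate(ad: Directory, spn: str, running_as: str, client: str = "dave@OURDOMAIN") -> str:
    """Client obtains a ticket for `spn` and presents it to the service running
    as `running_as`; returns "OK" or the error name the client would log."""
    owners = ad.accounts_for_spn(spn)
    if not owners:
        return "KDC_ERR_S_PRINCIPAL_UNKNOWN"  # no account advertises the SPN
    # Toy KDC: with duplicates it simply takes the first owner. A real KDC
    # behaves differently, but either way the ticket can land on the wrong key.
    ticket = seal(ad.keys[owners[0]], client.encode())
    try:
        unseal(ad.keys[running_as], ticket)
    except KrbApErrModified:
        return "KRB_AP_ERR_MODIFIED"
    return "OK"


def walkthrough() -> dict:
    """Replays the poster's sequence: domain account with an HTTP SPN, then a
    switch back to NETWORK SERVICE (the computer account) with the SPN left behind."""
    ad = Directory(keys={"OURSERVER$": os.urandom(32), "svc_iis": os.urandom(32)})
    ad.register_spn("OURSERVER$", "HOST/ourserver.ourdomain")
    ad.register_spn("svc_iis", "HTTP/ourserver.ourdomain")
    spn = "HTTP/ourserver.ourdomain"
    results = {"pool_as_svc_iis": simulate(ad, spn, "svc_iis")}
    results["pool_as_network_service_stale_spn"] = simulate(ad, spn, "OURSERVER$")
    # Remediation: move the HTTP SPN to the account the pool now runs under.
    ad.remove_spn("svc_iis", spn)
    ad.register_spn("OURSERVER$", spn)
    results["pool_as_network_service_fixed"] = simulate(ad, spn, "OURSERVER$")
    # Re-add the SPN on svc_iis to show what the duplicate audit flags.
    ad.register_spn("svc_iis", spn)
    results["duplicates"] = ad.duplicate_spns()
    return results


if __name__ == "__main__":
    for name, outcome in walkthrough().items():
        print(f"{name}: {outcome}")
```

In a real domain the HTTP service class maps to the computer's HOST/ SPN by default, so once the stale HTTP SPN is removed from the domain account no explicit HTTP SPN is normally needed on the computer account; the toy directory has no such mapping, which is why the walkthrough registers it explicitly. The point the model makes is that the failure is a key mismatch decided by SPN ownership, not a bad user password, which is why resetting the machine account password did not help.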


