Previous Next

• 09-18-2006, 8:04 PM

  ianh999 Joined on 09-18-2006, 11:48 PM Posts 3

  Running multiple Application Pools with different domain user accounts, Kerberos & Integrated Windows Authentication Reply Contact I have a client that is running multiple application pools under different domain user accounts with Integrated Windows Authentication only. After upgrading the Domain to AD (from NT4) we received "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials" referred to in MS Article http://support.microsoft.com/kb/871179/en-us To resolve the problem we forced NLM by running cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM" on each of the web servers (as suggested in the article). Is there an alternate solution where Kerberos authentication can be used? (in either of IIS6 or IIS7) Many thanks in advance Ian Hadley

• 09-19-2006, 8:30 AM

  In reply to

  tomkmvp Joined on 03-20-2003, 10:27 AM Lawrenceville, NJ Posts 4,081	Re: Running multiple Application Pools with different domain user accounts, Kerberos & Integrated Windows Authentication Reply Contact Doesn't that article also explain how you can use Kerberos (where it discusses SPN)? Tom Kaminski IIS MVP http://mvp.support.microsoft.com/ http://blogs.iis.net/tomkmvp/ http://www.linkedin.com/pub/8/690/408 http://www.bluesrepublic.org/

• 09-19-2006, 5:32 PM

  In reply to

  ianh999 Joined on 09-18-2006, 11:48 PM Posts 3

  Re: Running multiple Application Pools with different domain user accounts, Kerberos & Integrated Windows Authentication Reply Contact Hi Tom Thanks for your assistance with this. The article explains how to force IIS to use NTLM (as my client is running Multiple Application Pools, with multiple different Domain Credentials - in this scenario the article suggests using the WORKAROUND solution). I was looking for a solution using Kerberos rather than NTLM. Any suggestions greatly appreciated. Thanks again  Ian

• 09-20-2006, 8:48 AM

  In reply to

  tomkmvp Joined on 03-20-2003, 10:27 AM Lawrenceville, NJ Posts 4,081

  Re: Running multiple Application Pools with different domain user accounts, Kerberos & Integrated Windows Authentication Reply Contact That's not how I read the article ... "To use Kerberos authentication, a service must register its service principal name (SPN) ..." "Resolution If this behavior occurs when the application pool is running under a local account, follow the steps in the Workaround section. To resolve this behavior when the application pool is running under a domain user account, set up an HTTP SPN ..." Tom Kaminski IIS MVP http://mvp.support.microsoft.com/ http://blogs.iis.net/tomkmvp/ http://www.linkedin.com/pub/8/690/408 http://www.bluesrepublic.org/

• 09-22-2006, 10:30 PM

  In reply to

  ianh999 Joined on 09-18-2006, 11:48 PM Posts 3

  Re: Running multiple Application Pools with different domain user accounts, Kerberos & Integrated Windows Authentication Reply Contact Thanks Tom The article states, and our tesing demonstrates that.. "Important An SPN for a service can only be associated with one account. Therefore, if you use this suggested resolution, any other application pool that is running under a different domain user account cannot be used with Integrated Windows authentication only." My client has multiple application pools using different accounts with Integrated Windows Authentication only, hence we followed the advice given in the article.. "To work around this behavior if you have multiple application pools that run under different domain user accounts, you must force IIS to use NTLM as your authentication mechanism if you want to use Integrated Windows authentication only." I was hoping someone may know another workaround than the one recommended in the article. It is a very confusing situation but I am certain someone will have found a solution that doesnt force IIS to use NTLM. Many thanks your assistance. Ian Hadley

• 09-25-2006, 10:43 AM

  In reply to

  tomkmvp Joined on 03-20-2003, 10:27 AM Lawrenceville, NJ Posts 4,081

  Re: Running multiple Application Pools with different domain user accounts, Kerberos & Integrated Windows Authentication Reply Contact OK ... my bad, I wasn't clear on the multiple domain user accounts part ... Is there any way they can switch to just one account? Tom Kaminski IIS MVP http://mvp.support.microsoft.com/ http://blogs.iis.net/tomkmvp/ http://www.linkedin.com/pub/8/690/408 http://www.bluesrepublic.org/

• 02-06-2007, 7:49 PM

  In reply to

  pabloako Joined on 02-07-2007, 12:46 AM Posts 1

  Re: Running multiple Application Pools with different domain user accounts, Kerberos & Integrated Windows Authentication Reply Contact Did you ever get a solution to this problem as we have just encountered it and find it strange that we have to use NTLM when MS recommends Kerberos. If we were to use just one account, we would then need to have one user account accessing multiple databases, which is too insecure for us. We require multiple application pools running on one server, but each application pool running under its own domain user credentials.  Each of these pools / usernames will then have access to its own database only. Many thanks Paul

• 10-09-2008, 6:01 AM

  In reply to

  Fred182 Joined on 10-09-2008, 5:59 AM Posts 1	Re: Running multiple Application Pools with different domain user accounts, Kerberos & Integrated Windows Authentication Reply Contact Have you alread tried to use different fqdn, one for each application Pool ?   I have the same problem as you.