[[Forwarded to microsoft.public.windows.server.security newsgroup via
crosspost.]]
ADAMEKPA wrote:
> Hello NG,
>
> I have got a strange behavior regarding Kerberos in my SharePoint
> environment. I don't know why it works but I am quite sure it should not.
> Here is my configuration. I got a DC (Windows Server 2008) that has also SQL
> Server 2008 on it (WSS01). Then additionally I have a Server Server (WSS02)
> Express as a Front End Server (WFE). I configured CNAMEs in DNS (I know I
> should use A records but read on) site01, site02, etc. for the "portal"
> sites. I disabled the Kernel Mode Authentication in IIS7 for the relevant
> Web Applications. The SharePoint sites all run under a separate domain
> account.
>
> Now here is the interesting thing. I enable Kerberos on the web application
> in SharePoint Central Administration. No HTTP SPN configured so far. Not for
> wss02 nor for site01, etc.
>
> I try to connect via a client to the SharePoint site (web application) via
> site01. The client asks DNS for the IP of site01 and gets wss02 as A record
> back. So the client tries to access wss02 (HTTP GET) and gets back an
> unauthorized. So the client requests a ticket for wss02 at the KDC.
> Interestingly the client is getting this ticket from the KDC. Remember that
> I haven't configured the SPN / what account is used for creating the
> ticket??? Then when the client sends the ticket to the server, the server
> reports a KRB_AP_ERR_MODIFIED error. Perhaps because the server tries to
> encrypt via the site's application pool account.
>
> But the story goes on. Now I create a new domain user. No special rights.
> All standard. I set the SPN HTTP/wss02 to this user account. I DON'T
> configure it as an application pool account or something like that. And now:
> KERBEROS is working...
>
> I really don't understand this... The webserver should not have access to
> the new user's credentials (necessary for decrypting the ticket). So why is
> it working? Any ideas?
>
> Thank you very much for your support.
>
> Best Regards
> Patrick