Thursday, March 25, 2010

Kerberos Authentication issue on IIS7

Problem

I have been pulling my hair out trying to get Kerberos and MOSS to work on IIS7. The problem I have been having is that, even though I configure the SPNs correctly, I keep getting a Security audit log error that says the following:


Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a

The problem here is that one of the security changes in IIS 7.0 is that Windows Authentication is performed by default in the kernel. Because HTTP.sys is handling the authentication, it is by default done under the LocalSystem account regardless of the application pool identity. This means that creating an SPN is unnecessary, because the default SPNs are created when the server is joined to the domain. You can of course change the app pool identity without having to register an SPN, and the app pool account doesn't need to be a domain account. However, this trips up SharePoint, because even on a single server SharePoint is currently considered a web farm (and should use a domain account). Therefore the application pool identity needs to be used for authentication, and since kernel-mode authentication ignores it, the accounts fail.

Solution
Edit the IIS7 applicationHost.config file, which can be found in C:\Windows\System32\inetsrv\config\
and replace the following line
<windowsAuthentication enabled="true">
with
<windowsAuthentication enabled="true" useAppPoolCredentials="true">

The application pool identity will now be used and the Kerberos issues will be fixed.
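As an added example (not part of the original post), the following PowerShell audits every site on the IIS host for the mismatch described above: kernel-mode Windows Authentication enabled, useAppPoolCredentials off, and a custom domain account as the application pool identity. It assumes the WebAdministration module and setspn.exe are present on the server; the -Fix switch is a hypothetical convenience that applies the same setting the post edits by hand.

```powershell
# Added example, not from the original post. Assumes the WebAdministration
# module (IIS 7.x PowerShell provider) and setspn.exe are available.
param([switch]$Fix)

Import-Module WebAdministration

$apphost = 'MACHINE/WEBROOT/APPHOST'
$filter  = 'system.webServer/security/authentication/windowsAuthentication'

function Get-WinAuthSetting($site, $name) {
    (Get-WebConfigurationProperty -PSPath $apphost -Location $site `
        -Filter $filter -Name $name).Value
}

foreach ($site in Get-Website) {
    $name = $site.Name
    if (-not (Get-WinAuthSetting $name 'enabled')) { continue }

    $kernelMode   = Get-WinAuthSetting $name 'useKernelMode'
    $appPoolCreds = Get-WinAuthSetting $name 'useAppPoolCredentials'

    $pm = Get-ItemProperty "IIS:\AppPools\$($site.applicationPool)" -Name processModel
    $customUser = ($pm.identityType -eq 'SpecificUser')
    $identity   = if ($customUser) { $pm.userName } else { "$($pm.identityType)" }

    # With kernel mode on and useAppPoolCredentials off, HTTP.sys decrypts the
    # ticket with the machine account. If the HTTP/ SPNs were registered to the
    # app pool's domain account instead, clients fail with the audit failure
    # from the post (Status 0xc000006d, Sub Status 0xc000006a).
    $mismatch = $kernelMode -and (-not $appPoolCreds) -and $customUser

    [pscustomobject]@{
        Site                  = $name
        AppPool               = $site.applicationPool
        Identity              = $identity
        UseKernelMode         = $kernelMode
        UseAppPoolCredentials = $appPoolCreds
        Mismatch              = $mismatch
    }

    if ($mismatch -and $customUser) {
        # Show which SPNs are actually registered to the pool account so the
        # admin can confirm HTTP/<host> is there before (or after) the fix.
        setspn -L ($pm.userName.Split('\')[-1])
    }

    if ($mismatch -and $Fix) {
        Set-WebConfigurationProperty -PSPath $apphost -Location $name `
            -Filter $filter -Name 'useAppPoolCredentials' -Value $true
    }
}
```

Run it without -Fix first to see the per-site report; a row with Mismatch = True is the configuration the post describes.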
