
IIS + Kerberos. Configuration options


Andy


Scenarios that result in KRB_AP_ERR_MODIFIED

Wrong Configuration Scenario 1

Kernel Mode Authentication: Enabled (default)
useAppPoolCredentials: False (default)
Application Pool Identity: Service account, like domain\contosoService
Web Site Binding To: IIS server's NetBIOS name. Access like this way:
    http(s)://IIS_Server_NetBIOS_Name
    http(s)://IIS_Server_FQDN
SPN: HTTP/ SPN registered on the service account
Comments: For this scenario, the Kerberos ticket is encrypted by the service account and is decrypted by the IIS server's computer account.

Wrong Configuration Scenario 2

Kernel Mode Authentication: Enabled (default)
useAppPoolCredentials: False (default)
Application Pool Identity: Service account, like domain\contosoService
Web Site Binding To: A customized host header. Access like this way:
    http(s)://Contoso
SPN: HTTP/ SPN registered on the service account
Comments: For this scenario, the Kerberos ticket is encrypted by the service account and decrypted by the IIS server's computer account.

Wrong Configuration Scenario 3

Kernel Mode Authentication: Enabled (default)
useAppPoolCredentials: True
Application Pool Identity: Service account, like domain\contosoService
Web Site Binding To: IIS server's NetBIOS name. Access like this way:
    http(s)://IIS_Server_NetBIOS_Name
    http(s)://IIS_Server_FQDN
SPN: HTTP/IIS_Server_NetBIOS_Name isn't registered on any account, or is registered on the IIS server's computer account
Comments: For this scenario, the Kerberos ticket is encrypted by the IIS server's computer account and decrypted by the service account.

SPN and IIS configuration reference

Scenario 1

Kernel Mode Authentication: Enabled (default)
useAppPoolCredentials: False (default)
Application Pool Identity: No matter
URL used to access web site:
    http(s)://IIS_Server_NetBIOS_Name
    http(s)://IIS_Server_FQDN
SPN requirement: No HTTP/ SPN is required. By default, HOST/IIS_Server_NetBIOS_Name will be used. If you want, you can register HTTP/IIS_Server_NetBIOS_Name on the server name.
Comments: This is the default scenario for IIS 7+ when using the IIS server's computer name to access the web application.

Scenario 2

Kernel Mode Authentication: Enabled (default)
useAppPoolCredentials: False (default)
Application Pool Identity: No matter
URL used to access web site:
    http(s)://Customer_Host_Name
SPN requirement: Need to register the SPN on the IIS server's computer account, like:
    SetSPN -a HTTP/Customer_Host_NAME IIS_SRV_NetBIOS
Comments: Some applications require this when they need special permissions for the application pool identity.

Scenario 3

Kernel Mode Authentication: Enabled (default)
useAppPoolCredentials: True
Application Pool Identity: Service account, like domain\contosoService
URL used to access web site:
    http(s)://Customer_Host_Name
SPN requirement: Need to register the SPN on the service account, like:
    SetSPN -a HTTP/Customer_Host_NAME domain\contosoService
Comments:
  1. This is a typical requirement for an NLB environment.
  2. Some complex products consist of a couple of services/applications, like SharePoint. They require setting the SPN on a domain account and running all the services/applications under this domain account.

Scenario 4

Kernel Mode Authentication: Enabled (default)
useAppPoolCredentials: True
Application Pool Identity: Service account, like domain\contosoService
URL used to access web site:
    http(s)://IIS_Server_NetBIOS_Name
    http(s)://IIS_Server_FQDN
SPN requirement: Need to register the SPN on the service account, like:
    SetSPN -a HTTP/IIS_SERVER_FQDN domain\contosoService
Comments: You need to select this scenario if you want the web site bound to the IIS server's computer name while running the site with a domain account.

Scenario 5

Kernel Mode Authentication: Disabled
useAppPoolCredentials: No matter
Application Pool Identity: Service account, like domain\contosoService
URL used to access web site:
    http(s)://Customer_Host_Name
SPN requirement: Need to register the SPN on the service account, like:
    SetSPN -a HTTP/Customer_Host_NAME domain\contosoService
Comments: This is the same as the IIS 6 scenario.

Scenario 6

Kernel Mode Authentication: Disabled
useAppPoolCredentials: No matter
Application Pool Identity: Service account, like domain\contosoService
URL used to access web site:
    http(s)://IIS_SERVER_NetBIOS_NAME
SPN requirement: Need to register the SPN on the service account, like:
    SetSPN -a HTTP/IIS_SERVER_NetBIOS_NAME domain\contosoService
Comments: This is the same as the IIS 6 scenario.

Scenario 7

Kernel Mode Authentication: Disabled
useAppPoolCredentials: No matter
Application Pool Identity: Machine account
URL used to access web site:
    http(s)://Customer_Host_Name
SPN requirement: Need to register the SPN on the IIS server's computer account, like:
    SetSPN -a HTTP/Customer_Host_NAME IIS_SRV_NetBIOS
Comments: This is the same as the IIS 6 scenario.

Scenario 8

Kernel Mode Authentication: Disabled
useAppPoolCredentials: No matter
Application Pool Identity: Machine account
URL used to access web site:
    http(s)://IIS_SERVER_NetBIOS_NAME
SPN requirement: No HTTP/ SPN is required. By default, HOST/IIS_Server_NetBIOS_Name will be used. If you want, you can register HTTP/IIS_Server_NetBIOS_Name on the server name.
Comments: This is similar to the default scenario of IIS 6.
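Added example, not part of Andy's post or the table it reproduces: a small Python model of the single rule behind all the scenarios above. The ticket is encrypted with the key of the account owning the HTTP/ SPN the client asked for (falling back to the computer account's HOST/ SPN when the URL is the server's own name), and it is decrypted by the computer account when Kernel Mode Authentication is enabled and useAppPoolCredentials is false, otherwise by the application pool identity; any mismatch is KRB_AP_ERR_MODIFIED. The class and function names, the server name IISSRV and the accounts used in comments are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class IisSite:
    """IIS side of one scenario, using the row names from the post above (constructed)."""
    server: str                              # IIS server NetBIOS name, i.e. its computer account
    kernel_mode: bool = True                 # Kernel Mode Authentication (Enabled by default)
    use_app_pool_creds: bool = False         # useAppPoolCredentials (False by default)
    app_pool_identity: Optional[str] = None  # None means the machine account
    spns: Dict[str, str] = field(default_factory=dict)  # "HTTP/host" -> owning account


def spn_owner(site: IisSite, host: str) -> Optional[str]:
    """Account that holds HTTP/<host>; SPNs are matched case-insensitively."""
    wanted = f"http/{host}".lower()
    return next((acct for spn, acct in site.spns.items() if spn.lower() == wanted), None)


def encrypting_account(site: IisSite, host: str) -> Optional[str]:
    """The KDC encrypts the service ticket with the key of the SPN owner.
    Without an HTTP/ SPN, HOST/<server> on the computer account covers the
    server's own NetBIOS name or FQDN; any other host name matches nothing."""
    owner = spn_owner(site, host)
    if owner is not None:
        return owner
    if host.split(".")[0].lower() == site.server.lower():
        return site.server
    return None


def decrypting_account(site: IisSite) -> str:
    """http.sys decrypts with the computer account while kernel mode is on and
    useAppPoolCredentials is off; otherwise the application pool identity is used."""
    if site.kernel_mode and not site.use_app_pool_creds:
        return site.server
    return site.app_pool_identity or site.server


def check(site: IisSite, host: str) -> Tuple[str, str]:
    """Return (status, explanation): OK, NO_SPN or KRB_AP_ERR_MODIFIED."""
    enc, dec = encrypting_account(site, host), decrypting_account(site)
    if enc is None:
        return "NO_SPN", f"no HTTP/{host} SPN, so the KDC cannot issue a ticket. Fix: SetSPN -a HTTP/{host} {dec}"
    if enc.lower() == dec.lower():
        return "OK", f"ticket encrypted and decrypted by {dec}"
    return "KRB_AP_ERR_MODIFIED", (f"encrypted by {enc} but decrypted by {dec}; either move "
                                   f"HTTP/{host} to {dec} (SetSPN -a HTTP/{host} {dec}) or change "
                                   f"the IIS settings so that {enc} decrypts (see scenarios 3 to 6)")
```

Feeding each of the eleven scenarios above into check() reproduces the post's verdicts: the three wrong configurations report KRB_AP_ERR_MODIFIED and the eight reference scenarios report OK.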

 
