MOSS Forum


App Pools and SPNs

  Asked By: Sade    Date: Jan 10    Category: MOSS    Views: 727

When installing MOSS 2007, I tried following the security best
practices, by creating and applying the 8 accounts listed in the Admin
Companion book. I may have misused some of the accounts, because I'm
having authentication problems with Central Admin and my SSP. The
problem is that I get a login prompt when accessing Central Admin and
the SSP when I'm logged in to the Web Server as the system account
(serverfarm). I'm hoping that if I list my Web Apps, App Pools and the
corresponding accounts, someone might see where I went wrong. Also,
did I need to register an SPN for Central Admin and SSP? Hope someone
can help.

Web App         App Pool         Pool Identity     SPN registered
Central Admin   Central Admin    serverfarm        yes
SSP             sspapppool       serviceaccount    no
Intranet        Intranet         serverfarm        yes
Mysites         Mysites          serverfarm        yes

You can see that the Central Admin, Intranet and Mysites share the same
App Pool Identity account. When we registered the SPNs, we did so using
a unique URL for each Web App. I think where I initially went wrong was
with the Central Admin setup; it should have its own unique account
and not have an SPN registered. Is that right? Also, does the SSP have
to have an SPN registered?

I'm so confused as to how all of these things work together. Any advice
is greatly appreciated.



3 Answers Found

Answer #1    Answered By: Irving Hurley     Answered On: Jan 10

It could be the new security settings in Internet Explorer.

If you put your hostname in the intranet zone's trusted sites, it will
pass your Windows credentials.

Otherwise it will not, and you have to log in manually.

Answer #2    Answered By: Yvonne Rodriquez     Answered On: Jan 10

That did it. I could've sworn that this was set before. Oh well. On
a similar note. I added myself to the SSP admin group, but when I
try to access the SSP from my own desktop browser, I get an
authorization error. Any ideas? I've made sure that the site is
trusted already.

Answer #3    Answered By: Elisha Abbott     Answered On: Jan 10

We've had some of the same challenges using Kerberos. We still can't
sign in to CA using the browser on our W2K3 server - only from across
the network. We set up separate accounts, but we've allowed some
overlap, so your mileage may vary.

It seems as if the server security settings get in the way when
connecting from the server even though IIS is on the same box. We didn't
set up SPNs for each individual app - just one under the security
context of each service account for the web front-end server. Are you
able to connect from an XP workstation over the network? You can use a
little .cmd file with a "runas" command in it to connect using IIS running
under the correct user.

    runas /user:<YourDomain>\<YourUser> "C:\Program Files\Internet Explorer\iexplore.exe http://<YourWFE>:<YourPort>"

We're connecting to CA that way exclusively now and things seem to be
settled in otherwise.
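The question's table and Answer #3 both turn on the same planning problem: which HTTP SPNs each app-pool identity must hold, and what happens when two identities would need the same one. The PowerShell script below is an added example, not code from the thread or from MOSS, that builds that plan from a list of web applications and flags SPNs that more than one identity would have to hold. Kerberos cannot resolve an SPN registered on two accounts, and the client then falls back to NTLM or, as in the question, shows a logon prompt. The host names, ports and accounts are hypothetical; Central Admin and the SSP have been put on the same host under different identities on purpose, to show why the poster's "unique URL for each Web App" matters.

```powershell
# Added example (not from the original thread): plan the HTTP SPNs that a set of
# MOSS web applications need, grouped by app-pool identity, and flag any SPN that
# two identities would both have to hold. Kerberos cannot resolve a duplicate SPN,
# so the client falls back to NTLM or, as in the question, gets a logon prompt.
# Host names, ports and accounts below are hypothetical.

$webApps = @(
    @{ Name = 'Central Admin'; Url = 'http://wfe01.corp.example.com:10000'; Identity = 'CORP\spfarm' },
    @{ Name = 'SSP';           Url = 'http://wfe01.corp.example.com:8081';  Identity = 'CORP\spservice' },
    @{ Name = 'Intranet';      Url = 'http://intranet.corp.example.com';    Identity = 'CORP\spapppool' },
    @{ Name = 'Mysites';       Url = 'http://mysites.corp.example.com';     Identity = 'CORP\spapppool' }
)

function Get-HttpSpns {
    # SPNs a browser may ask for when it opens $Url. Internet Explorer requests
    # HTTP/<host> without the port unless told otherwise, so the port-qualified
    # forms are added on top of, never instead of, the plain host names.
    param([string]$Url)
    $u = [Uri]$Url
    $fqdn = $u.Host
    $short = $fqdn.Split('.')[0]
    $spns = @("HTTP/$fqdn", "HTTP/$short")
    if (-not $u.IsDefaultPort) {
        $spns += "HTTP/${fqdn}:$($u.Port)"
        $spns += "HTTP/${short}:$($u.Port)"
    }
    return ($spns | Select-Object -Unique)
}

function Get-SpnPlan {
    # Returns one object per SPN with the identities that would need it; Conflict
    # is $true when more than one identity claims the same SPN.
    param([array]$Apps)
    $owners = @{}
    foreach ($app in $Apps) {
        foreach ($spn in (Get-HttpSpns $app.Url)) {
            if (-not $owners.ContainsKey($spn)) { $owners[$spn] = @() }
            if ($owners[$spn] -notcontains $app.Identity) { $owners[$spn] += $app.Identity }
        }
    }
    foreach ($spn in ($owners.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            Spn        = $spn
            Identities = $owners[$spn]
            Conflict   = ($owners[$spn].Count -gt 1)
        }
    }
}

$plan = Get-SpnPlan $webApps
foreach ($entry in $plan) {
    if ($entry.Conflict) {
        Write-Warning ("{0} is needed by {1}: Kerberos will fail for every web app on that host. Give each identity its own host name, or run the pools that share a host under one identity." -f $entry.Spn, ($entry.Identities -join ' and '))
    }
    else {
        # setspn -S checks the forest for an existing holder before adding; the
        # Windows Server 2003 setspn has only -A, which does not, so list with -L
        # and compare before adding there.
        "setspn -S {0} {1}" -f $entry.Spn, $entry.Identities[0]
    }
}
```

With the hypothetical data above, HTTP/wfe01.corp.example.com and HTTP/wfe01 are reported as conflicts between CORP\spfarm and CORP\spservice, while the Intranet and Mysites names produce plain setspn lines for CORP\spapppool. The script only prints the commands; review them and run them from a domain-joined machine with setspn available, since nothing here touches Active Directory.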
