IIS Website Access Fails When Using FQDN but Works Under Localhost

Posted: December 4, 2010 in Error, Microsoft
Tags: , , , , ,

Hurrah, hurrah and Goddamn you Microsoft, goddamn you all to hell. This encompasses the mixture of emotions running through my soul right now.

For several days and nights I’ve been trying to work out why windows authentication is failing on the install of CLM i’m setting up for a customer. Now CLM is a .NET product that operates within IIS and having installed it within the customers environment it would give me an access denied error every time I tried to access it. I quickly discovered that I could access it under localhost, but not from the external URL that all the users will hit the site from.

It was as if when using the FQDN the browser was failing to pass the logon credentials. It would appear to be logging in and then pop up the user account/ password dialog. Having sone this 3 times it would give up and show an access denied message.

Now CLM operates under several service accounts which you can preset up in your domain, requires certificates for a number of them and is governed by an opaque set of permissions that tend towards failure. For a couple of days Ive been working through errors in the windows event logs, adding accounts to local admin groups and domain groups and generally trying to work out which permissions I or it didn’t have. The result of this was less errors in the event log but no apparent improvement in the logon situation.

I have in no particular order added the site to the local intranet zone in I.E., added the machine to this within SQL that have permissions on the CLM database, fiddled with the permissions on the various Active Directory objects that CLM adds to that Schema.

So what was it I hear you cry and sob especially if your in the same boat. Well CLM creates an appPool in IIS and runs the worker process within it, in doing so it sets the identity that the process operates under to the service account you specified at install time. In my case this was sa_clmWebPool.

Get too it man, stop dallying.

Windows authentication encompasses a number of technologies and paramount amongst these is kerberos. By default it allows IIS appPools to use Network Service to authenticate via kerberos. If you set any other identity here and Microsoft does then you have to reconfigure SPNs to allow that account to use Kerberos….which Microsoft doesn’t.

Here is how:-
1. Logon to your domain controller
2. Run the command shell
3. setspn -a HTTPS/{yoururl} {domain\your service account}
4. setspn -a HTTP/{yoururl} {domain\your service account}

n.b. setspn is on the Resource kit if not already installed.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s