Last post Feb 05, 2009 03:55 PM by Grub425
Feb 05, 2009 03:55 PM | Grub425
I have an application that is using LDAP only with Single Sign On, running on a Windows 2003 server with IIS 6.0.
My Domain Functional Level: Windows 2003 Server, Forest Functional Level: Windows 2003.
On the web server I will see the user authenticated with NTLM instead of Kerberos.
If I run and test the webpage from the user workstation to retrieve the user's credentials, it returns:
You have connected from your browser to IIS using Kerberos authentication and verifies that the SPN is ok.
Also, the .ini file for the application opens a login file which has modify rights for all users, but when the login fails, using a Filemon trace I see an access denied error for the log.
Kerberos settings in the domain are:
Enforce user logon restrictions: Enabled
Maximum lifetime for service ticket: 60 minutes
Maximum lifetime for user ticket: 7 hours
Maximum lifetime for user ticket renewal: 10 days
Maximum tolerance for computer clock synchronization: 5 minutes
Server and service accounts have delegation set to "Trust this computer for delegation to any service (Kerberos only)".
The "name" parameter is obtained from Windows as the name of the user the current thread is impersonating, i.e. the delegated end user. That's how GetUserDN() is called:
. . .
Debug messages are logged to viewstar.log at [LOG] LEVEL=4
AD C# LDAP single sign-on
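An added diagnostic helper (example code, not the poster's application) that records, per request, whether IIS accepted Kerberos or NTLM and whether the impersonated token is at Delegation level, which the second hop to LDAP requires. It assumes an ASP.NET handler with Windows authentication and impersonation enabled; the log path is a placeholder.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

// Added diagnostic helper (example code, not the poster's application).
// Assumes an ASP.NET page or handler on IIS with Windows authentication and
// <identity impersonate="true" /> in web.config, so the worker thread runs as the end user.
public static class AuthDiagnostics
{
    // Hypothetical log path; point it at the application's own log location.
    private const string LogPath = @"C:\Logs\auth-diagnostics.log";

    // Builds one log line describing how the browser authenticated and what the
    // impersonated token is allowed to do.
    public static string Describe(HttpContext ctx)
    {
        // What IIS negotiated with the browser: "Negotiate" (Kerberos or NTLM inside) or "NTLM".
        string iisAuthType = ctx.Request.ServerVariables["AUTH_TYPE"];
        string logonUser = ctx.Request.ServerVariables["LOGON_USER"];
        // The token the current thread actually holds; with impersonation on, the end user's.
        WindowsIdentity wi = WindowsIdentity.GetCurrent();
        // "Kerberos" or "NTLM". Only a Kerberos logon can be delegated to a second hop such as LDAP.
        string protocol = wi.AuthenticationType;
        // Delegation is the level needed to use this token against a remote server (the DC for LDAP);
        // Impersonation is enough for local resources, Identification only for reading the SID.
        TokenImpersonationLevel level = wi.ImpersonationLevel;
        bool canReachLdapAsUser = protocol == "Kerberos" && level == TokenImpersonationLevel.Delegation;
        return string.Format("{0:u} user={1} iis_auth={2} protocol={3} level={4} delegable={5}",
            DateTime.UtcNow, logonUser, iisAuthType, protocol, level, canReachLdapAsUser);
    }

    // Appends the diagnostic line; a write failure is reported back rather than thrown,
    // so a log ACL problem shows up in the page instead of breaking the login.
    public static string Log(HttpContext ctx)
    {
        string line = Describe(ctx);
        try
        {
            File.AppendAllText(LogPath, line + Environment.NewLine);
        }
        catch (UnauthorizedAccessException ex)
        {
            line += " log_write_failed=" + ex.Message;
        }
        return line;
    }
}
```

Calling AuthDiagnostics.Log(HttpContext.Current) from the login page shows whether the request arrived over NTLM (not delegable) or whether the token level, rather than the protocol, is what stops the LDAP bind from running as the user.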