Re: Kerberos Pain

2012-04-18 Thread Jey Srikantha (GMail) 

Let me send you a couple of articles.
 

Regards,
.\jEy

Jey Srikantha  (j...@jeylabs.com.au) +61(0)400 846 996
Director of Consulting, Technology and Innovation
jEyLaBs – SharePoint Workflow Experts (www.jeylabs.com.au)
Melbourne, Australia jeylabsblog.com
 
If you think that you have received this e-mail message in error, please delete 
it and notify the sender.
 
All rights reserved by jEyLaBs pty ltd (ACN 135 541 598).

jEyLaBs or the sender is not responsible for viruses, or for delays, errors or 
interception in transmission.
 
Please consider our environment before printing.
 

On 19/04/2012, at 15:21, Dylan Tusler  
wrote:

> Interesting. I've run setspn -x and it turned up a duplicate entry.
>  
> It is a duplicate entry for the server, but with a different login name. So 
> probably not an issue.
>  
> A colleague here has pointed out a setting in IIS which is buried deep in 
> Advanced Settings under the web site authentication area, and it seems to 
> have the desired effect. I just don't know how it got "unset" in the first 
> place, which is troubling.
>  
> Cheers,
> Dylan Tusler
> Team Lead Data, Development & Integration
> ICTS Branch
> Sunshine Coast Regional Council
> P 07 5420 8002
> E dylan.tus...@sunshinecoast.qld.gov.au
> A Locked Bag 72, Sunshine Coast Mail Centre QLD 4560
> W www.sunshinecoast.qld.gov.au
> 
> Please consider the sanity of others before replying to replies to replies to 
> this email. Sometimes it just makes more sense to pick up the phone.
> 
>  
> 
> From: ozmoss-boun...@ozmoss.com [mailto:ozmoss-boun...@ozmoss.com] On Behalf 
> Of Iain Carlin
> Sent: Thursday, 19 April 2012 15:02
> To: ozMOSS
> Subject: Re: Kerberos Pain
> 
> I had the identical situation here and it ended up being due to a duplicate 
> SPN being configured for the site that was asking for credentials.
> 
> Kerberos is hours of fun...not!
> 
> On 19 April 2012 14:27, Dylan Tusler  
> wrote:
> Hi, new to list, I've been lurking a short while, but this is driving me 
> crazy so I'm plunging in.
>  
> We have a number of web applications. At one point, almost all of them were 
> configured to use Kerberos (via Authentication Providers under "Manage Web 
> Applications")
>  
> One of them, our main intranet site (Sharepoint 80) is still configured to 
> use Kerberos and works fine.
>  
> None of the other sites now work with Kerberos. I've had to switch them all 
> gradually back to NTLM authentication. (When using Kerberos, users get asked 
> to log in all the time, and credentials are rejected after three attempts.)
>  
> There are several sites that use the same app pool identity as Sharepoint 80. 
> I cannot see any difference between the way the sites that don't work are set 
> up and the way the site that does work is set up.
>  
> What is going on here?
>  
> Dylan Tusler
> 
> 
> Team Lead Data, Development & Integration
> ICTS Branch
> Sunshine Coast Regional Council
> P 07 5420 8002
> E dylan.tus...@sunshinecoast.qld.gov.au
> A Locked Bag 72, Sunshine Coast Mail Centre QLD 4560
> W www.sunshinecoast.qld.gov.au
> Please consider the sanity of others before replying to replies to replies to 
> this email. Sometimes it just makes more sense to pick up the phone.
> 
>  
> 
> 
>  __ __
> To find out more about the Sunshine Coast Council, visit your local office at 
> Caloundra, Maroochydore, Nambour or Tewantin or visit us online at 
> www.sunshinecoast.qld.gov.au. If correspondence includes personal 
> information, please refer to Council's Privacy Policy
> This email and any attachments are confidential and only for the use of the 
> addressee. If you have received this email in error you are requested to 
> notify the sender by return email or contact council on 07 5475 7272, and are 
> prohibited from forwarding, printing, copying or using it in anyway, in whole 
> or part. Please note that some council staff utilise Blackberry devices, 
> which results in information being transmitted overseas prior to delivery of 
> any communication to the device. In sending an email to Council you are 
> agreeing that the content of your email may be transmitted overseas.
> Any views expressed in this email are the author's, except where the email 
> makes it clear otherwise. The unauthorised publication of an email and any 
> attachments generated for the official functions of council is strictly 
> prohibited. Please note that council  is subject to the Right to Information 
> Act 2009 (Qld) and Information Privacy Act 2009 (Qld).
> 
> 
> ___
> ozmoss mailing list
> ozmoss@ozmoss.com
> http://prdlxvm0001.codify.net/mailman/listinfo/ozmoss
> 
> 
> ___
> ozmoss mailing list
> ozmoss@ozmoss.com
> http://prdlxvm0001.codify.net/mailman/listinfo/ozmoss
___
ozmoss mailing list
ozmoss@ozmoss.com
http://prdlxvm0001.codify.net/mailman/listinfo/ozmoss

RE: Kerberos Pain

2012-04-18 Thread Dylan Tusler 
Interesting. I've run setspn -x and it turned up a duplicate entry.

It is a duplicate entry for the server, but with a different login name. So 
probably not an issue.

A colleague here has pointed out a setting in IIS which is buried deep in 
Advanced Settings under the web site authentication area, and it seems to have 
the desired effect. I just don't know how it got "unset" in the first place, 
which is troubling.

Cheers,

Dylan Tusler
Team Lead Data, Development & Integration
ICTS Branch
Sunshine Coast Regional Council
P 07 5420 8002
E 
dylan.tus...@sunshinecoast.qld.gov.au<mailto:dylan.tus...@sunshinecoast.qld.gov.au>
A Locked Bag 72, Sunshine Coast Mail Centre QLD 4560
W www.sunshinecoast.qld.gov.au<http://www.sunshinecoast.qld.gov.au/>

Please consider the sanity of others before replying to replies to replies to 
this email. Sometimes it just makes more sense to pick up the phone.




From: ozmoss-boun...@ozmoss.com [mailto:ozmoss-boun...@ozmoss.com] On Behalf Of 
Iain Carlin
Sent: Thursday, 19 April 2012 15:02
To: ozMOSS
Subject: Re: Kerberos Pain

I had the identical situation here and it ended up being due to a duplicate SPN 
being configured for the site that was asking for credentials.

Kerberos is hours of fun...not!

On 19 April 2012 14:27, Dylan Tusler 
mailto:dylan.tus...@sunshinecoast.qld.gov.au>>
 wrote:
Hi, new to list, I've been lurking a short while, but this is driving me crazy 
so I'm plunging in.

We have a number of web applications. At one point, almost all of them were 
configured to use Kerberos (via Authentication Providers under "Manage Web 
Applications")

One of them, our main intranet site (Sharepoint 80) is still configured to use 
Kerberos and works fine.

None of the other sites now work with Kerberos. I've had to switch them all 
gradually back to NTLM authentication. (When using Kerberos, users get asked to 
log in all the time, and credentials are rejected after three attempts.)

There are several sites that use the same app pool identity as Sharepoint 80. I 
cannot see any difference between the way the sites that don't work are set up 
and the way the site that does work is set up.

What is going on here?


Dylan Tusler

Team Lead Data, Development & Integration
ICTS Branch
Sunshine Coast Regional Council
P 07 5420 8002
E 
dylan.tus...@sunshinecoast.qld.gov.au<mailto:dylan.tus...@sunshinecoast.qld.gov.au>
A Locked Bag 72, Sunshine Coast Mail Centre QLD 4560
W www.sunshinecoast.qld.gov.au<http://www.sunshinecoast.qld.gov.au/>

Please consider the sanity of others before replying to replies to replies to 
this email. Sometimes it just makes more sense to pick up the phone.


[Sunshine Coast Council]<http://www.sunshinecoast.qld.gov.au/>

[Sunshine Coast Council is on 
Facebook]<https://www.facebook.com/SunshineCoastCouncil> __ __
To find out more about the Sunshine Coast Council, visit your local office at 
Caloundra, Maroochydore, Nambour or Tewantin or visit us online at 
www.sunshinecoast.qld.gov.au.<http://www.sunshinecoast.qld.gov.au/> If 
correspondence includes personal information, please refer to Council's Privacy 
Policy<http://www.sunshinecoast.qld.gov.au/sitePage.cfm?code=disclaimer>

This email and any attachments are confidential and only for the use of the 
addressee. If you have received this email in error you are requested to notify 
the sender by return email or contact council on 07 5475 7272, and are 
prohibited from forwarding, printing, copying or using it in anyway, in whole 
or part. Please note that some council staff utilise Blackberry devices, which 
results in information being transmitted overseas prior to delivery of any 
communication to the device. In sending an email to Council you are agreeing 
that the content of your email may be transmitted overseas.
Any views expressed in this email are the author's, except where the email 
makes it clear otherwise. The unauthorised publication of an email and any 
attachments generated for the official functions of council is strictly 
prohibited. Please note that council is subject to the Right to Information Act 
2009 (Qld) and Information Privacy Act 2009 (Qld).

___
ozmoss mailing list
ozmoss@ozmoss.com<mailto:ozmoss@ozmoss.com>
http://prdlxvm0001.codify.net/mailman/listinfo/ozmoss



-
To find out more about the Sunshine Coast Regional Council, visit your local 
office at Caloundra, Maroochydore, Nambour or Tewantin or visit us online at 
www.sunshinecoast.qld.gov.au.  If correspondence includes personal information, 
please refer to Council's Privacy Policy at http://www.sunshinecoast.qld.gov.au 
.

This email and any attachments are confidential and only for the use of the 
addressee.  If you have received thi

RE: Kerberos Pain

2012-04-18 Thread Dylan Tusler 
Aah, yes, Sharepoint 2010 SP1 with June 2011 CU


Dylan Tusler
Team Lead Data, Development & Integration
ICTS Branch
Sunshine Coast Regional Council
P 07 5420 8002
E 
dylan.tus...@sunshinecoast.qld.gov.au<mailto:dylan.tus...@sunshinecoast.qld.gov.au>
A Locked Bag 72, Sunshine Coast Mail Centre QLD 4560
W www.sunshinecoast.qld.gov.au<http://www.sunshinecoast.qld.gov.au/>

Please consider the sanity of others before replying to replies to replies to 
this email. Sometimes it just makes more sense to pick up the phone.




From: ozmoss-boun...@ozmoss.com [mailto:ozmoss-boun...@ozmoss.com] On Behalf Of 
Nigel Hertz
Sent: Thursday, 19 April 2012 15:02
To: ozMOSS
Subject: RE: Kerberos Pain

Hi Dylan

Welcome to the list. First, and probably the most important question - 
SharePoint 2010 or MOSS 2007?   :)

N

From: ozmoss-boun...@ozmoss.com [mailto:ozmoss-boun...@ozmoss.com] On Behalf Of 
Dylan Tusler
Sent: Thursday, 19 April 2012 2:57 PM
To: 'ozmoss@ozmoss.com'
Subject: Kerberos Pain

Hi, new to list, I've been lurking a short while, but this is driving me crazy 
so I'm plunging in.

We have a number of web applications. At one point, almost all of them were 
configured to use Kerberos (via Authentication Providers under "Manage Web 
Applications")

One of them, our main intranet site (Sharepoint 80) is still configured to use 
Kerberos and works fine.

None of the other sites now work with Kerberos. I've had to switch them all 
gradually back to NTLM authentication. (When using Kerberos, users get asked to 
log in all the time, and credentials are rejected after three attempts.)

There are several sites that use the same app pool identity as Sharepoint 80. I 
cannot see any difference between the way the sites that don't work are set up 
and the way the site that does work is set up.

What is going on here?


Dylan Tusler
Team Lead Data, Development & Integration
ICTS Branch
Sunshine Coast Regional Council
P 07 5420 8002
E 
dylan.tus...@sunshinecoast.qld.gov.au<mailto:dylan.tus...@sunshinecoast.qld.gov.au>
A Locked Bag 72, Sunshine Coast Mail Centre QLD 4560
W www.sunshinecoast.qld.gov.au<http://www.sunshinecoast.qld.gov.au/>

Please consider the sanity of others before replying to replies to replies to 
this email. Sometimes it just makes more sense to pick up the phone.

[Sunshine Coast Council]<http://www.sunshinecoast.qld.gov.au/>

[Sunshine Coast Council is on 
Facebook]<https://www.facebook.com/SunshineCoastCouncil>__ __
To find out more about the Sunshine Coast Council, visit your local office at 
Caloundra, Maroochydore, Nambour or Tewantin or visit us online at 
www.sunshinecoast.qld.gov.au.<http://www.sunshinecoast.qld.gov.au/> If 
correspondence includes personal information, please refer to Council's Privacy 
Policy<http://www.sunshinecoast.qld.gov.au/sitePage.cfm?code=disclaimer>

This email and any attachments are confidential and only for the use of the 
addressee. If you have received this email in error you are requested to notify 
the sender by return email or contact council on 07 5475 7272, and are 
prohibited from forwarding, printing, copying or using it in anyway, in whole 
or part. Please note that some council staff utilise Blackberry devices, which 
results in information being transmitted overseas prior to delivery of any 
communication to the device. In sending an email to Council you are agreeing 
that the content of your email may be transmitted overseas.
Any views expressed in this email are the author's, except where the email 
makes it clear otherwise. The unauthorised publication of an email and any 
attachments generated for the official functions of council is strictly 
prohibited. Please note that council is subject to the Right to Information Act 
2009 (Qld) and Information Privacy Act 2009 (Qld).


Stockland Notice: If this communication has been sent to you by mistake, please 
delete and notify us. If it has been sent to you by mistake, legal privilege is 
not waived or lost and you are not entitled to use it in any way. Stockland and 
its subsidiaries reserve the right to monitor e-mail communication through its 
networks.

-
To find out more about the Sunshine Coast Regional Council, visit your local 
office at Caloundra, Maroochydore, Nambour or Tewantin or visit us online at 
www.sunshinecoast.qld.gov.au.  If correspondence includes personal information, 
please refer to Council's Privacy Policy at http://www.sunshinecoast.qld.gov.au 
.

This email and any attachments are confidential and only for the use of the 
addressee.  If you have received this email in error you are requested to 
notify the sender by return email or contact council on 07 5475 7272, and are 
prohibited from forwarding, printing, copying or using it in anyway, i

Re: Kerberos Pain

2012-04-18 Thread Iain Carlin 
I had the identical situation here and it ended up being due to a duplicate
SPN being configured for the site that was asking for credentials.

Kerberos is hours of fun...not!

On 19 April 2012 14:27, Dylan Tusler
wrote:

> **
> Hi, new to list, I've been lurking a short while, but this is driving me
> crazy so I'm plunging in.
>
> We have a number of web applications. At one point, almost all of them
> were configured to use Kerberos (via Authentication Providers under "Manage
> Web Applications")
>
> One of them, our main intranet site (Sharepoint 80) is still configured to
> use Kerberos and works fine.
>
> None of the other sites now work with Kerberos. I've had to switch them
> all gradually back to NTLM authentication. (When using Kerberos, users get
> asked to log in all the time, and credentials are rejected after three
> attempts.)
>
> There are several sites that use the same app pool identity as Sharepoint
> 80. I cannot see any difference between the way the sites that don't work
> are set up and the way the site that does work is set up.
>
> What is going on here?
>
>
> Dylan Tusler
>
> Team Lead Data, Development & Integration
> ICTS Branch
> Sunshine Coast Regional Council
> P 07 5420 8002
> E 
> *dylan.tus...@sunshinecoast.qld.gov.au*
> A Locked Bag 72, Sunshine Coast Mail Centre QLD 4560
> W *www.sunshinecoast.qld.gov.au* 
>
> Please consider the sanity of others before replying to replies to replies
> to this email. Sometimes it just makes more sense to pick up the phone.
>
> [image: Sunshine Coast Council] 
>
> [image: Sunshine Coast Council is on 
> Facebook] __
> __
> To find out more about the Sunshine Coast Council, visit your local office
> at Caloundra, Maroochydore, Nambour or Tewantin or visit us online at
> www.sunshinecoast.qld.gov.au.  If
> correspondence includes personal information, please refer to Council's
> Privacy 
> Policy
>
> This email and any attachments are confidential and only for the use of
> the addressee. If you have received this email in error you are requested
> to notify the sender by return email or contact council on 07 5475 7272,
> and are prohibited from forwarding, printing, copying or using it in
> anyway, in whole or part. Please note that some council staff utilise
> Blackberry devices, which results in information being transmitted overseas
> prior to delivery of any communication to the device. In sending an email
> to Council you are agreeing that the content of your email may be
> transmitted overseas.
> Any views expressed in this email are the author's, except where the email
> makes it clear otherwise. The unauthorised publication of an email and any
> attachments generated for the official functions of council is strictly
> prohibited. Please note that council is subject to the Right to Information
> Act 2009 (Qld) and Information Privacy Act 2009 (Qld).
>
> ___
> ozmoss mailing list
> ozmoss@ozmoss.com
> http://prdlxvm0001.codify.net/mailman/listinfo/ozmoss
>
>
___
ozmoss mailing list
ozmoss@ozmoss.com
http://prdlxvm0001.codify.net/mailman/listinfo/ozmoss

RE: Kerberos Pain

2012-04-18 Thread Nigel Hertz 
Hi Dylan

Welcome to the list. First, and probably the most important question - 
SharePoint 2010 or MOSS 2007?   :)

N

From: ozmoss-boun...@ozmoss.com [mailto:ozmoss-boun...@ozmoss.com] On Behalf Of 
Dylan Tusler
Sent: Thursday, 19 April 2012 2:57 PM
To: 'ozmoss@ozmoss.com'
Subject: Kerberos Pain

Hi, new to list, I've been lurking a short while, but this is driving me crazy 
so I'm plunging in.

We have a number of web applications. At one point, almost all of them were 
configured to use Kerberos (via Authentication Providers under "Manage Web 
Applications")

One of them, our main intranet site (Sharepoint 80) is still configured to use 
Kerberos and works fine.

None of the other sites now work with Kerberos. I've had to switch them all 
gradually back to NTLM authentication. (When using Kerberos, users get asked to 
log in all the time, and credentials are rejected after three attempts.)

There are several sites that use the same app pool identity as Sharepoint 80. I 
cannot see any difference between the way the sites that don't work are set up 
and the way the site that does work is set up.

What is going on here?


Dylan Tusler
Team Lead Data, Development & Integration
ICTS Branch
Sunshine Coast Regional Council
P 07 5420 8002
E 
dylan.tus...@sunshinecoast.qld.gov.au
A Locked Bag 72, Sunshine Coast Mail Centre QLD 4560
W www.sunshinecoast.qld.gov.au

Please consider the sanity of others before replying to replies to replies to 
this email. Sometimes it just makes more sense to pick up the phone.

[https://www.sunshinecoast.qld.gov.au/email_logos/logo4mailfooter.jpg]

[https://www.sunshinecoast.qld.gov.au/email_logos/facebook_SCC2.png]__
 __
To find out more about the Sunshine Coast Council, visit your local office at 
Caloundra, Maroochydore, Nambour or Tewantin or visit us online at 
www.sunshinecoast.qld.gov.au. If 
correspondence includes personal information, please refer to Council's Privacy 
Policy

This email and any attachments are confidential and only for the use of the 
addressee. If you have received this email in error you are requested to notify 
the sender by return email or contact council on 07 5475 7272, and are 
prohibited from forwarding, printing, copying or using it in anyway, in whole 
or part. Please note that some council staff utilise Blackberry devices, which 
results in information being transmitted overseas prior to delivery of any 
communication to the device. In sending an email to Council you are agreeing 
that the content of your email may be transmitted overseas.
Any views expressed in this email are the author's, except where the email 
makes it clear otherwise. The unauthorised publication of an email and any 
attachments generated for the official functions of council is strictly 
prohibited. Please note that council is subject to the Right to Information Act 
2009 (Qld) and Information Privacy Act 2009 (Qld).


Stockland Notice: If this communication has been sent to you by mistake, please 
delete and notify us. If it has been sent to you by mistake, legal privilege is 
not waived or lost and you are not entitled to use it in any way. Stockland and 
its subsidiaries reserve the right to monitor e-mail communication through its 
networks.
___
ozmoss mailing list
ozmoss@ozmoss.com
http://prdlxvm0001.codify.net/mailman/listinfo/ozmoss