
SSO to InfoView with IIS 7 problem

Former Member
0 Kudos

Hello,

I couldn't find an answer to my problem in other threads. I read the documentation for this, but one piece is missing since it is not functioning properly.

Description of Problem or Question:

I do get a Windows login prompt when I configure Windows-Authentication in IIS 7. It asks for user-credentials of the IIS-Server-Host (which is also the CRServer). The only user accepted is the local administrator. I can't figure out which piece of configuration is missing.

Where do I configure which type of authentication in IIS? I have several options (from top):

IISServername - Default Web Site - InfoViewApp - logon

I have tried every possible combination between Anonymous and Windows Authentication.

Product\Version\Service Pack\Fixpack (if applicable):

Crystal Reports Server 2008 V1 12.1.0.882

Relevant Environment Information (OS & version, java or .net & version, DB & version):

Windows Server 2008 (32bit), CMC: WACS, InfoView: IIS 7, (all on the same server)

SQL Server 2005

Windows XP Clients with IE8

Sporadic or Consistent (if applicable):

Consistent.

What has already been tried (where have you searched for a solution to your question/problem):

I searched this forum and some guides.

Steps to Reproduce (if applicable):

When I configure Anonymous Authentication everywhere in IIS 7, I get this error on the InfoView login page: Account Information Not Recognized: Internal error. When I type in a domain user account the login works fine.

When I configure in IIS 7 for example at the Default Web Page (I don't know if this is the right place) and try to open the InfoView login page, I get a Windows login prompt before the page can open, where it wants a login to IISServer or CRServer (which is the same). When I enter the local administrator of the IISServer, the InfoView login page opens and I can access InfoView with a domain user. If I enter incorrect user credentials three times I get an HTTP 401 error.

By the way once logged in SSO2DB works fine. "Just" SSO2Infoview does not.

Please help since I think it's just a little piece missing.

Edited by: Richard Martinek on Feb 9, 2010 4:21 PM

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Sorry for the late response. I had some other projects to do first.

I configured the above settings, and in IIS7 I had to configure authentication. ASP.NET Impersonation and Windows Authentication are enabled on all tree-levels. All other authentication settings are disabled.

Thanks

BasicTek
Advisor
0 Kudos

IIS 7 has a few different configuration changes than IIS 6. We have an SAP note on it if you can search SAP notes for key words IIS 7 kerberos. I'll look up the number tomorrow if you don't find it.

You may also find what you need by searching Microsoft KB's as that is where we originally got the information from.

Regards,

Tim

Former Member
0 Kudos

I just had time for a quick look at the notes today but couldn't find the solution there. What I found is how to enable logging for Kerberos. Also I will monitor authentication tries via Wireshark. Since I'm on vacation until next week I will go on and update my thread then.

BasicTek
Advisor
0 Kudos

Ok, the issue I was thinking of may just be for IIS server farm and wasn't noted, just emailed to me.

"Turns out in IIS 7 changing the APP POOL to run under the service account isn't enough anymore. We also had to configure a setting in the ApplicationHost.config file.

Here's the snip from the blog and a link to it: http://blogs.msdn.com/saurabh_singh/archive/2008/12/25/service-principal-name-spn-checklist-for-kerb...

Special case of running IIS 7.0 in a WEB FARM

If you are running IIS 7.0 server in a Web farm the KDC will not know in advance which individual server the request may go to and hence ticket decryption may fail. Hence in such a scenario instead of registering SPNs under a specific machine account use a domain account. I am not a SharePoint guy but based on what I have read on the Web this scenario is also applicable to a single SharePoint server configuration.

There are two ways to go:

Either

Disable Kernel mode authentication and follow the general steps for Kerberos as in the previous IIS 6.0 version. Refer this.

Or,

[Recommended for Performance reasons]

Let Kernel mode authentication be enabled and the Application pool's identity be used for Kerberos ticket decryption. The only thing you need to do here is:

1. Run the Application pool under a common custom domain account.

2. Add this attribute "useAppPoolCredentials" in the ApplicationHost.config file.

    <system.webServer>
      <security>
        <authentication>
          <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
        </authentication>
      </security>
    </system.webServer>

Remember there is no GUI setting for this. You need to modify the ApplicationHost.config file from <%SystemDrive%>/Windows/System32/inetsrv/config folder on the IIS 7.0 machine.

3. Add the SPNs in the form:

http/<virtualhost-name> and

http/<virtualhost-name.fully-qualified-name> for the Application Pool Identity.

Ensure that we don't have such an entry for SPNs for any other account including IIS server machine account."

This KB is for IIS 6 but shows the AD and web.config instructions required for .net kerberos

1356046 - Setting up .net Infoview for kerberos SSO with an AD service account in XI 3.1

Regards,

Tim
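
A check of the three steps quoted in the reply above, as an added example that is not part of the thread or of the blog post it quotes. It reads a copy of ApplicationHost.config plus an export of SPN registrations and reports the conditions under which Kerberos ticket decryption fails. The location path, host names, account names and the SPN export format are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: applicationHost.config fragment (not taken from the thread).
SAMPLE_CONFIG = """<configuration>
  <location path="Default Web Site/InfoViewApp">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""

# Constructed sample: SPN -> accounts it is registered on, as exported from AD.
SAMPLE_SPNS = {
    "http/infoview": ["EXAMPLE\\svc-infoview"],
    "http/infoview.example.local": ["EXAMPLE\\svc-infoview", "EXAMPLE\\IISHOST$"],
}

WIN_AUTH = "system.webServer/security/authentication/windowsAuthentication"

def flag(node, name, default):
    """Read a boolean attribute, falling back to the IIS schema default."""
    return node.get(name, default).lower() == "true"

def audit(config_xml, location, spn_owners, pool_identity, names):
    """Return (code, detail) findings for the app-pool-credential Kerberos setup."""
    findings = []
    nodes = [loc.find(WIN_AUTH) for loc in ET.fromstring(config_xml).iter("location")
             if loc.get("path", "").lower() == location.lower()]
    node = nodes[-1] if nodes else None
    if node is None or not flag(node, "enabled", "false"):
        findings.append(("WINAUTH_OFF", location))
    elif flag(node, "useKernelMode", "true") and not flag(node, "useAppPoolCredentials", "false"):
        # Kernel mode without useAppPoolCredentials: tickets are decrypted with
        # the machine account, so SPNs on the pool's domain account cannot work.
        findings.append(("MACHINE_ACCOUNT_DECRYPTS", location))
    owners = {k.lower(): [a.lower() for a in v] for k, v in spn_owners.items()}
    for name in names:
        spn = "http/" + name.lower()
        held = owners.get(spn, [])
        if pool_identity.lower() not in held:
            findings.append(("SPN_MISSING", spn))
        for other in held:
            if other != pool_identity.lower():
                findings.append(("SPN_DUPLICATE", spn + " on " + other))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, "Default Web Site/InfoViewApp", SAMPLE_SPNS,
                "EXAMPLE\\svc-infoview", ["infoview", "infoview.example.local"]))
```

On the constructed sample the only finding is the second registration of the fully qualified SPN on the machine account, which is the case the quoted text's last sentence warns about.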