Forum.Brain-Cluster.com: Brain Cluster Technical Forum
AcceptSecurityContext and Service Accounts [message #156121] Wed, 10 June 2009 16:07
neelsmail (India)
Hi,

I have a service running on one of the servers in the domain. As long as
it runs in the context of the Local Service account, I can use SSPI (GSSAPI)
to authenticate to it. But as soon as the service is run in the context of
a domain user account, AcceptSecurityContext starts throwing a
SEC_E_LOGON_DENIED error.

From the information on the net, I did the following:

- Added all SPNs related to the service to the domain user
account and removed them from the machine account
- Gave privileges to the domain account, including "Act As part of
operating system"
- Raised the functional level of the domain to Windows 2003 and gave
complete delegation rights for *any* service to the domain account

Even after doing all that, I am still getting SEC_E_LOGON_DENIED from
AcceptSecurityContext.

Could you tell me why more configuration might be required?

Any help will be appreciated,
-Neel.
Re: AcceptSecurityContext and Service Accounts [message #156122 is a reply to message #156121] Wed, 10 June 2009 16:12
neelsmail (India)
On Jun 11, 1:07 am, neelsm...@rediffmail.com wrote:
> Hi,
>
> I have a service running on one of the servers in the domain. As long as
> it runs in the context of the Local Service account, I can use SSPI (GSSAPI)
> to authenticate to it. But as soon as the service is run in the context of
> a domain user account, AcceptSecurityContext starts throwing a
> SEC_E_LOGON_DENIED error.
>
> From the information on the net, I did the following:
>
> - Added all SPNs related to the service to the domain user
> account and removed them from the machine account
> - Gave privileges to the domain account, including "Act As part of
> operating system"
> - Raised the functional level of the domain to Windows 2003 and gave
> complete delegation rights for *any* service to the domain account
>
> Even after doing all that, I am still getting SEC_E_LOGON_DENIED from
> AcceptSecurityContext.
>
> Could you tell me why more configuration might be required?

My mistake. I meant "could you tell me *what* more configuration might
be required?"

>
> Any help will be appreciated,
> -Neel.

Additionally, even though, when the service is run in the context of a
domain user, it is most likely to use NTLM instead of Kerberos (which
I want to use), I have configured the service to use only the Kerberos
protocol instead.

Thanks again,
-Neel.
Re: AcceptSecurityContext and Service Accounts [message #156131 is a reply to message #156122] Wed, 10 June 2009 17:04
Joe Kaplan (United States)
First off, does the domain service account have "log on as a service" right
in the local security policy? All accounts that run actual services need
this. Note that on a domain box, the NETWORK SERVICE account IS a domain
account as it uses the network credentials of the computer account in AD
whenever network credentials are needed (hence the name), so you don't
actually NEED a fixed domain service account just to be able to authenticate
with the domain or use Kerb. Network Service also has all the right
privileges associated with it by default, so it is easier to use in many
cases.

Regarding Kerb, the SPN for your service needs to be set on the account in
AD that runs the service (either your domain account or the computer account
if you switch back to network service). Normally, the SPN is a service
class like HTTP and a machine name or DNS name (or both can be registered).
For this particular service, what service class do the clients requesting
the service ticket use (or how is the SPN formed basically)?

It is also probably a good idea to avoid using a service class that is
aliased by HOST as the HOST SPN is associated with the computer account, so
requests for services aliased by HOST (like HTTP or CIFS) will match on the
object in AD with the HOST registered for the same machine name unless the
more specific version is registered on a different account. In general, you
want to avoid situations where there may be multiple matches to the same SPN
on different services or you'll get Kerb errors.

The fact that you are getting NTLM now makes it sound like there is no SPN
registered for the service in question and thus Kerb is not being attempted.
Normally if the SPN is registered, Kerb will be attempted and just fail.
NTLM isn't attempted after that. Basically, Negotiate chooses one or the
other to use but not both.

HTH!

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
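A check for the SPN conditions Joe describes (no SPN registered, so Negotiate picks NTLM; the same SPN held by more than one account; a service class that HOST aliases), as an added PowerShell example that is not from the thread. It reads AD through System.DirectoryServices and takes the HOST alias list from the sPNMappings attribute; the service class, host name and account name are made-up placeholders.

```powershell
# Added example, not from the thread. Service class, host and account below are
# made-up placeholders; run on a domain-joined machine as a user that can read AD.
param(
    [string]$ServiceClass    = 'MYSVC',
    [string]$HostName        = 'appsrv01.corp.example',
    [string]$ExpectedAccount = 'svc-app'
)

$rootDse   = [ADSI]'LDAP://RootDSE'
$defaultNC = $rootDse.defaultNamingContext
$configNC  = $rootDse.configurationNamingContext

# Service classes that Kerberos folds into HOST come from the sPNMappings attribute
# ("host=alerter,...,http,www,cifs,...") on the Directory Service object.
$dsObj = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$hostAliases = foreach ($m in $dsObj.sPNMappings) {
    $k, $v = $m -split '=', 2
    if ($k -ieq 'host') { $v -split ',' }
}

# Every account in the domain whose servicePrincipalName holds the given SPN.
function Find-SpnHolders([string]$spn) {
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$defaultNC")
    $s.Filter = "(servicePrincipalName=$spn)"
    [void]$s.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'objectClass'))
    foreach ($r in $s.FindAll()) {
        [pscustomobject]@{
            Spn     = $spn
            Account = [string]$r.Properties['samaccountname'][0]
            Kind    = if (@($r.Properties['objectclass']) -contains 'computer') { 'computer' } else { 'user' }
        }
    }
}

# Clients may ask for either the DNS-name or the short-name form, so check both.
$shortHost = $HostName.Split('.')[0]
$holders   = @("$ServiceClass/$HostName", "$ServiceClass/$shortHost") | ForEach-Object { Find-SpnHolders $_ }

if (-not $holders) {
    Write-Warning "No account holds $ServiceClass/$HostName or $ServiceClass/$shortHost; Negotiate will pick NTLM."
} else {
    $holders | Format-Table -AutoSize
    $others = @($holders | Where-Object { $_.Account -ne $ExpectedAccount })
    if ($others) { Write-Warning "SPN is also held by: $(($others.Account | Select-Object -Unique) -join ', ')" }
    if (@($holders.Account | Select-Object -Unique).Count -gt 1) {
        Write-Warning 'Duplicate SPN on more than one account; Kerberos will fail until only one holds it.'
    }
}
if ($hostAliases -contains $ServiceClass) {
    Write-Warning "$ServiceClass is aliased to HOST: unless $ServiceClass/$HostName is registered explicitly, requests resolve to the computer account's HOST SPN."
}
```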