My rebuilt Windows 2003 Server machine produced a number of benefits in performance and overall system cleanliness, but I forgot about the need to work through W2K3's increased security measures to get certain functions up and running, like supporting IIS NT Authentication with a Web Application Pool using a domain user identity.
I wrote an entire series on my initial encounters with W2K3 security configuration issues back in 2003, and I indeed consulted some of those posts yesterday while configuring IIS NT Authentication for a client ASP.NET project. I had to do things this time that I didn't do 3 years ago, which is weird, but probably because I'm starting with W2K3 SP1 as a baseline now. So I thought I'd post the checklist I used to configure IIS NT Authentication with a domain user as the Web Application Pool identity.
- Add domain user to local IIS_WPG group
- Confirm IIS_WPG has access to the web directories
- Give the following local security settings (user rights assignments) to the domain user: 1) Log on locally, 2) Log on as a service, 3) Replace a process level token, 4) Adjust memory quotas for a process
- Grab SETSPN.exe from the Windows 2003 Server Support Tools folder on the install disk. Run it with -A for the domain user as shown on this KB, then run it with -L to confirm your site is registered as a Service Principal Name for the user, ex:
G:\Program Files\Support Tools>setspn -l mydomain\dburke
Registered ServicePrincipalNames for CN=Dave Burke,CN=Users,DC=mydomain,DC=com:
http/mysite.mydomain.com
http/mysite
- Add your site to your Local Intranet or Trusted Sites zone. (Easy to forget this one.)
- Reboot
I think that's it.
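To check a machine against the server-side steps above after the fact, here is an added PowerShell verification script (my own, not part of the original post or any Microsoft tool): the domain, user, site and web directory values are assumptions to adjust, and the Local Intranet zone step is a client browser setting the script cannot see.

```powershell
# Added verification script for the checklist above. Assumed values: adjust for your environment.
param(
    [string]$Domain   = "mydomain",
    [string]$User     = "dburke",
    [string]$SiteFqdn = "mysite.mydomain.com",
    [string]$WebDir   = "C:\inetpub\wwwroot\mysite"   # assumed web directory
)
$account = "$Domain\$User"
$script:ok = $true
function Report($label, $pass) {
    $script:ok = $script:ok -and [bool]$pass
    "{0,-50} {1}" -f $label, $(if ($pass) { "OK" } else { "MISSING" })
}

# 1. Domain user is a member of the local IIS_WPG group
$members = net localgroup IIS_WPG
Report "IIS_WPG contains $account" (@($members -match [regex]::Escape($account)).Count -gt 0)

# 2. IIS_WPG has an Allow ACE on the web directory
$aces = (Get-Acl $WebDir).Access | Where-Object {
    $_.IdentityReference -like "*\IIS_WPG" -and $_.AccessControlType -eq "Allow" }
Report "IIS_WPG has NTFS access to $WebDir" (@($aces).Count -gt 0)

# 3. User rights assignments; secedit exports them keyed by SID, so resolve the user's SID
$sid = (New-Object Security.Principal.NTAccount($Domain, $User)).Translate(
           [Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP "rights.inf"
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = Get-Content $cfg
Remove-Item $cfg
$needed = @{
    "SeInteractiveLogonRight"       = "Log on locally"
    "SeServiceLogonRight"           = "Log on as a service"
    "SeAssignPrimaryTokenPrivilege" = "Replace a process level token"
    "SeIncreaseQuotaPrivilege"      = "Adjust memory quotas for a process"
}
foreach ($r in $needed.Keys) {
    $line = "" + ($rights | Where-Object { $_ -like "$r *" })
    Report $needed[$r] ($line -match [regex]::Escape("*$sid"))
}

# 4. HTTP SPNs registered for the user (setspn -L lists them)
$spns = setspn -L $account
foreach ($spn in "http/$SiteFqdn", ("http/" + $SiteFqdn.Split(".")[0])) {
    Report "SPN $spn registered" (@($spns -match [regex]::Escape($spn)).Count -gt 0)
}

if ($script:ok) { "All server-side checks passed" } else { "Review the MISSING lines above" }
```

Run it in an elevated PowerShell on the web server; secedit and net localgroup need local administrator rights to export and list.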