Tags: sql-server, iis, kerberos, kerberos-delegation, spn

Kerberos authentication issue : Site stops working automatically after some time


There is a website set to run on Windows authentication. There are 3 web applications under the site, each in its own application pool, but with the same domain account. ASP.NET impersonation, Use App Pool credentials and Use Kernel mode authentication are set to true.

  1. SPN for the website DNS url is in place for the app pool account.
  2. SPN for the SQL service is in place.
  3. App pool account is set to delegate to the SQL service account.

With the above settings in place, the three applications work fine for some time. Then they automatically stop connecting to the DB with the error "Login failed for user NT Authority\Anonymous Logon".

After resetting IIS, the 3 applications stay up for some time, then they again stop connecting to the DB, one application after another. Weird?

What could be the issue? Any pointers?


Solution

Short answer:

  1. Create separate websites and app pools.
  2. Create 3 SPNs for the three websites.
  3. Create 3 SPNs for the three databases.

Long answer:

  • All 3 web applications have their own database on the same DB server.
  • A single Kerberos ticket is issued for the URL, and it works fine as long as only 1 application is hit.
  • But there are 3 web applications sitting underneath the website. So I had to create 3 separate websites with different URLs and separate app pools, but using the same app pool identity.

    1. SPNs are set for the 3 DNS entries.
    2. And I had to create 3 unique SPNs for the 3 databases as well.

After the above are done, there are no more issues! Hurray!
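The following PowerShell script is an added example, not code from the question or the answer. It walks through the checks and the setup both posts describe: look for duplicate SPNs in the forest (the usual silent cause of a Kerberos fallback to NTLM, which on the second hop to SQL Server shows up as ANONYMOUS LOGON), register one HTTP SPN per site hostname on the shared app-pool identity, register the SQL Server SPN on the SQL service account, configure constrained delegation from the app-pool account to that SQL SPN, and finally confirm from the web server that SQL Server sees a KERBEROS connection. All names (domain CONTOSO, accounts svc-webapp and svc-sql, host sqlhost.contoso.local, the three site hostnames) are assumptions for illustration; the SQL query against sys.dm_exec_connections is the standard way to tell Kerberos from NTLM on a session.

```powershell
# Added example: verify and configure the Kerberos pieces from the thread.
# Assumed names (not from the original posts): domain CONTOSO, app-pool account
# svc-webapp, SQL service account svc-sql, SQL host sqlhost.contoso.local:1433,
# and three site hostnames. Run as a domain admin with RSAT installed.
$Domain      = 'CONTOSO'
$AppPoolUser = 'svc-webapp'
$SqlUser     = 'svc-sql'
$SqlHost     = 'sqlhost.contoso.local'
$SqlPort     = 1433
$SiteHosts   = 'app1.contoso.local', 'app2.contoso.local', 'app3.contoso.local'
$SqlSpn      = "MSSQLSvc/${SqlHost}:$SqlPort"

# 1. Duplicate SPNs anywhere in the forest make the KDC refuse a service ticket;
#    the client then falls back to NTLM, and the hop to SQL arrives as ANONYMOUS LOGON.
#    Resolve anything this reports before registering new SPNs.
setspn -X -F

# 2. One HTTP SPN per site hostname, all on the shared app-pool identity
#    (the answer's "3 SPNs for the three websites"). -S refuses duplicates.
foreach ($h in $SiteHosts) {
    setspn -S "HTTP/$h" "$Domain\$AppPoolUser"
}

# 3. SPN for the SQL Server service on the account SQL Server runs as.
setspn -S $SqlSpn "$Domain\$SqlUser"

# 4. Constrained delegation: the app-pool account may delegate only to the SQL SPN.
Import-Module ActiveDirectory
Set-ADUser -Identity $AppPoolUser -Add @{ 'msDS-AllowedToDelegateTo' = $SqlSpn }

# 5. Show what is now registered on each account.
setspn -L "$Domain\$AppPoolUser"
setspn -L "$Domain\$SqlUser"

# 6. From the web server, confirm SQL Server negotiates Kerberos for the hop.
#    auth_scheme should read KERBEROS; NTLM means delegation cannot work.
$cs   = "Server=$SqlHost,$SqlPort;Database=master;Integrated Security=SSPI"
$conn = New-Object System.Data.SqlClient.SqlConnection $cs
$conn.Open()
$cmd  = $conn.CreateCommand()
$cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
"SQL auth_scheme: " + $cmd.ExecuteScalar()
$conn.Close()
```

Step 1 is the check worth running first when sites drop to ANONYMOUS LOGON intermittently: a stale or duplicated HTTP SPN on another account is enough to break ticket issuance for one hostname while the others keep working. Step 6 runs the same query a DBA can run from the server side to see which scheme each session actually used.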