To support Kerberos for endw3wp.exe
worker process to run as an account that has been trusted for delegation.
You can run IIS under either the machine domain account or a user domain account. Each approach has advantages and disadvantages:
Which approach you use depends on how you want to manage your system security.
For complete information about security risks associated with system or user domain accounts, refer to the Microsoft web site: http://www.microsoft.com.
Refer to either of the following procedures, depending on whether you want to use a machine or user domain account:
Changing this property can take several minutes to propagate!
If you don't want to use end
w3wp.exe
worker process:
Note: Configuring the w3wp.exe account to run as a LocalSystem account will cause all ASP.NET web applications on the web server to run as privileged system accounts.
Note: For security reasons, make sure that the account under which the IIS worker processes run does not belong to a mapped group.
setspn
serverhost.domainname.com
serverhost
For example, if access is via www.domainname.com but the machine name is web.domainname.com.
w3wp.exe to run as a user domain account that has been trusted for delegation. To do this, change the following parameters in the <processModel> block in the \WINDOWS\Microsoft.NET\Framework\version\CONFIG\machine.config file:
userName="domainaccount"
password="password"
In the above path name, version represents the software version. In the parameters, domainaccount is a domain account that you have set to be trusted for delegation, and password is the password for the domain account.
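The following is an added example, not part of the original documentation or any Business Objects code: a Python check of the <processModel> identity settings described above, run over a constructed machine.config fragment. The function name audit_process_model and the sample account are hypothetical; delegation trust and group membership are held in Active Directory and are not checked here.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: a machine.config fragment, not taken from a real server.
SAMPLE = r"""<configuration>
  <system.web>
    <processModel enable="true" userName="DOMAIN\svc-web" password="example-only"/>
  </system.web>
</configuration>"""


def audit_process_model(config_xml):
    """Return (severity, message) findings for the <processModel> identity."""
    root = ET.fromstring(config_xml)
    pm = next(root.iter("processModel"), None)
    if pm is None:
        return [("info", "no <processModel> element; ASP.NET defaults apply")]

    # ASP.NET defaults: userName="machine", password="AutoGenerate".
    user = pm.get("userName", "machine")
    password = pm.get("password", "AutoGenerate")
    findings = []

    if user.lower() == "system":
        # The case the note about LocalSystem warns about.
        findings.append(("high", "worker process runs as LocalSystem; all "
                         "ASP.NET applications on this server run privileged"))
    elif user.lower() != "machine":
        if "\\" not in user and "@" not in user:
            findings.append(("medium", f"userName '{user}' is not domain-qualified"))
        if password != "AutoGenerate":
            # Never echo the password itself into audit output.
            findings.append(("medium", f"password for '{user}' is stored in clear "
                             "text; restrict read access to machine.config"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_process_model(SAMPLE):
        print(f"[{severity}] {message}")
```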
Note: If you don't want to use end
setspn
serverhost.domainname.com
serverhost
For example, if access is via www.domainname.com but the machine name is web.domainname.com.
Business Objects http://www.businessobjects.com/ Support services http://www.businessobjects.com/services/support/ Product Documentation on the Web http://support.businessobjects.com/documentation/