MDT Webservice with Windows Authentication

Feb 7, 2013 at 10:45 PM
Installed the webservice and it works if I go to it using my browser but not when MDT is running during deployment.
The IIS logs show that the call is never made with the username that was used to access the share, as it's supposed to be. I tried forcing the UserID, UserDomain, and UserPassword to valid entries and got the same unauthorized result.
Also OSDComputerName=ComputerName shows in the logs as being blank when calling the webservice.
Using IIS 7, MDT WS 7.3, MDT 2012 Update 1 running on Win2K8 R2.
I would appreciate some help with finding out how to get better logs of what is being called and why.

Thank you,

Marlon

P.S.
It would be nice if someone could write a tutorial setting up the webservice with Windows Authentication only and domain credentials to access. Including IIS settings, etc.
Feb 11, 2013 at 6:07 PM
Edited Feb 12, 2013 at 6:35 PM
Finally got it working, but only before joining the domain. After the Recover From Domain Join task runs, the call fails. There is a Kerberos error in the event viewer. If I go through the web browser it works fine; using the MDT task it fails every time. Could the script be making the call using the administrator account it's running under, and since it's not a domain account it doesn't work? Any help is appreciated.

To make it work before joining the domain I ended up using a working domain account for the application pool and then simply removing all access to .NET except for the AD group I want using the webservice. This works great before joining the domain with the computers being imaged, as I mentioned, but fails as soon as they join the domain.

The event viewer error says that mdtservercomputername$ failed to decrypt the ticket and the SPN used was servername.domain.com, which is right. Forcing the application pool identity to catch the request will simply yield the accountname$ instead, with the same error.

Thank you,

Marlon
Feb 13, 2013 at 3:38 PM
Fixed it:
  • Created SPNs for the application pool account "domain\username" for HTTP/servername and HTTP/servername.domain.com, using:
      setspn.exe -U -S HTTP/servername domain\serviceaccount
      setspn.exe -U -S HTTP/servername.domain.com domain\serviceaccount
  • Added useAppPoolCredentials="true" to the website for the webservice. You can do that last part either by manually modifying applicationHost.config:
      <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
    or by using:
      appcmd.exe set config "mdt webserver website name" -section:windowsAuthentication /useAppPoolCredentials:"True" /commit:apphost
  • Restart IIS.
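As an added verification script (not from the original posts), the following PowerShell checks the four conditions the fix above depends on: both HTTP SPNs registered on the app pool account, no duplicate SPN in the forest, the app pool actually running as that account, and useAppPoolCredentials set when kernel-mode authentication is on. All account, host, site and pool names are placeholders to be replaced with your own.

```powershell
# Verify the Kerberos prerequisites for an IIS site whose app pool runs as a domain account.
# Placeholder values (assumptions): replace with your environment's names.
$ServiceAccount = 'DOMAIN\serviceaccount'   # app pool identity
$ServerName     = 'servername'              # short host name clients may use
$ServerFqdn     = 'servername.domain.com'   # FQDN clients use
$SiteName       = 'MDT Webservice'          # IIS site hosting the webservice
$AppPoolName    = 'MDT Webservice'          # application pool of that site

Import-Module WebAdministration
$problems = @()

# 1. Both HTTP SPNs must be on the app pool account; if they are missing, the KDC issues
#    a ticket for the machine account and IIS logs a "failed to decrypt" Kerberos error.
$spns = & setspn.exe -L $ServiceAccount 2>&1
foreach ($spn in "HTTP/$ServerName", "HTTP/$ServerFqdn") {
    if (-not ($spns -match "^\s*$([regex]::Escape($spn))\s*$")) {
        $problems += "Missing SPN $spn on $ServiceAccount (fix: setspn.exe -U -S $spn $ServiceAccount)"
    }
}

# 2. A duplicate SPN anywhere in the forest makes ticket decryption fail unpredictably.
$dup = & setspn.exe -X -F 2>&1
if ($dup -match [regex]::Escape("HTTP/$ServerName")) {
    $problems += "Duplicate HTTP/$ServerName SPN reported by 'setspn.exe -X -F'"
}

# 3. The app pool must run as the account that owns the SPNs.
$pm = Get-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel
if ($pm.identityType -ne 'SpecificUser' -or $pm.userName -ne $ServiceAccount) {
    $problems += "App pool '$AppPoolName' runs as $($pm.identityType) '$($pm.userName)', expected $ServiceAccount"
}

# 4. With kernel-mode auth, IIS decrypts tickets with the machine account key unless
#    useAppPoolCredentials tells it to use the app pool identity instead.
$filter = 'system.webServer/security/authentication/windowsAuthentication'
$auth = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName -Filter $filter
if (-not $auth.enabled) { $problems += "Windows Authentication is disabled on '$SiteName'" }
if ($auth.useKernelMode -and -not $auth.useAppPoolCredentials) {
    $problems += "useKernelMode=true but useAppPoolCredentials=false on '$SiteName'"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "Kerberos prerequisites look correct for '$SiteName'" }
```

Run it as an administrator on the IIS server; each warning names the setting to correct, and the Event Viewer Kerberos error from the thread should disappear once none remain.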