Recently, we migrated a web application to a SharePoint server. The web application is a custom built ASP/ASPX app that supports Integrated Windows Authentication. We were able to run the application successfully using Anonymous Access but we were unable to authenticate from remote computers when Anonymous Access was disabled.
I checked the NTFS permissions and double checked the IIS properties for both the Web site and the Virtual directory and everything was setup properly. Different types of domain accounts, even Domain Admins, were attempted and none were able to login successfully from remote machines. Logging in from the server itself, however, worked just fine.
Our SharePoint sites which Windows Authentication and Kerberos were authenticating properly, so it wasn't the server. I checked the web server logs and saw HTTP 401 errors failing with the IIS specific code "2148074254." Searching the web turned up nothing useful. I tried a registry change and even rebooted the server to no avail.
I checked the server again -- local login works just fine, remote logins do not. I recalled experiencing something similar with another application I'd written and the problem had to do with Kerberos' restrictions on double-hop authentication. Maybe this site just needs an SPN?
I created a new application pool, assigned the web application to that pool and ran the pool as a domain user. I then created an SPN using the hostname of the newly migrated site.
Setspn.exe -A HTTP/vieval.domain.com domain\iisservice
Setspn.exe -A HTTP/vieval domain\iisservice
Success! Once the registration was complete, we were able to login to the web application. I find it surprising that the Kerberos setting is server-wide. Anyone know the reasons why?