This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 23%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJJ%3C/text%3E%3C/svg%3E)
i use the Negotiate package to do SSPI authentication, and try to set the different target name. my domain name is "test", domain user is "judy", and i also register the spn "host\judy" for "judy" using setspn, so i try the target name as "judy", "test\judy", "administrator", "host\judy" "judy@test .com", but all the authentication would be downgrade to NTLM.
Do i miss something?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 34%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EXY%3C/text%3E%3C/svg%3E)
Have you set SPN correctly? or Try the command: Netdom computername <COMPUTER> /add:<ALIAS> which need to run as administrator or provide permissions for the Network Controller machines to automatically configures the SPN.
Also There is a guide for Configuring a Service Principal Name as IP Address.
Finally, I found that with The SPN is the correct domain account, virtual account, MSA, or built-in account, Local connections use NTLM, remote connections use Kerberos.
thanks for your reply, i just write two EXEs and started by domain user "test\judy", so i don't use IIS, and i use setspn to set the spn name "HOST\Judy" for domain user "test\judt". so for this case, which are the next steps i need to try.
Do you use the Sample SSPI Code? There is some setting for Kerberos in InitializeSecurityContext and the linked sample uses ISC_REQ_CONFIDENTIALITY without Kerberos .
yes, i use this sample code, set the spn name for initializeSecurityContext parameter, but always to downgrade NTLM.
Perhaps Need to specify Kerberos security package in the InitializeSecurityContext function. Have you changed the ServerName and TargetName(=SPN) in the sample.
could you see my description? i said i used setspn to register new spn for domain user, and set the target name to this new spn name. i try the target name as "judy", "test\judy", "administrator", "host\judy" "judy@test .com", but all the authentication would be downgrade to NTLM.
Has host\judy been listed in the judy account’s SPNs? I suppose the SPN cannot work so that the calling application did not provide sufficient information to use Kerberos according to Microsoft Negotiate.
And Try to specify Kerberos instead of Negotiate in AcquireCredentialsHandle function.
yes, when i run setspn -L judy, it can list host\judy as SPNs. And if i specified the Kerberos rather than "Negotiate", it will return error SEC_E_INVALID_TOKEN when i call InitializeSecurityContext function
AcquireCredentialsHandle has a pszPackage parameter specifying the name of the security package. Not InitializeSecurityContext.
And Do the client.exe and the server.exe run on different computers?
yes, i know. i can set the package name to "Kerberos " in AcquireCredentialsHandle function and it can return success. then i need to call InitializeSecurityContext with the CredHandle which returned by AcquireCredentialsHandle , right? but i always failed.
they are run on the different computer, but in the same domain.
could you provide some sample code just like the sample code in MSDN for Kerberos? And do i need to change some configuration in AD or server? just like some policy to enable Kerberos?
According to the Feature Request, I realized changing Kerberos on the client isn‘t enough. It’s also needed to changing Kerberos on the server. The error code SEC_E_INVALID_TOKEN indicates that.
And Perhaps you also need to change the SPN‘s format according to the request following comments?
My computer doesn't work on SPN.
yes, i set the Kerberos both in Server and Client as AcquireCredentialsHandle parameter. i am not very clear about your comments "And Perhaps you also need to change the SPN‘s format according to the request following comments?" what's the correct format?
Try such http/* format, for Kerbros authentication.
i try to use http/server as the TargetName, but still fail into NTLM auth
and by the way, in domain case, when i disconnect AD controller, the connection authentication would be failed, is it the right behavior? if i use sspi in domain case, sever and client transmit message only when the AD contoller is connected?
I have escalated the question. Please wait for more details.
You can also query the question's owner which has implemented Kerberos using Windows SSPI successfully.