Reporting Service Frequently Asked Questions (FAQ)

1. How can duplicate SPNs in IIS come into the picture?

An SPN (service principal name) is the name by which a service instance is uniquely identified in a domain.

For example: suppose we have a machine named "test" in the domain "contoso.com", and a web site (ws1) that is served by an IIS application pool running under the user "dummy".

We would set the SPNs for it as follows:

                                setspn -A HTTP/test contoso\dummy

                                setspn -A HTTP/test.contoso.com contoso\dummy

If there is another site (ws2) served by a different application pool identity, "dummy1",

we would set the SPNs for it as follows:

                                setspn -A HTTP/test contoso\dummy1

                                setspn -A HTTP/test.contoso.com contoso\dummy1

Similarly, if there are multiple sites, we end up registering SPNs for the SAME SERVICE under DIFFERENT USER CONTEXTS.

This seems like the right approach if we are setting up the sites for Kerberos delegation... right?

We searched around and found the following KB article: https://support.microsoft.com/kb/871179

The following section is important to understand:

An SPN for a service can only be associated with ONE DOMAIN ACCOUNT. Therefore, any other application pool that is running under a different domain user account cannot be used with Integrated Windows authentication only.

What this means is that the two SPNs we set above are duplicates, even though they were registered for two different domain accounts.

Then how can we enable Kerberos for both web sites?

Well, there are two ways.

1. Change the application pool accounts of all the web sites that you want to use Kerberos so that they all run under the same account.

2. Create a DNS record and use it as a host header on the web site, so that each site gets an SPN of its own.

So, if we create a host header hh1.contoso.com and use it for the web site ws2,

the SPN for ws2 becomes:

                                setspn -A HTTP/hh1.contoso.com contoso\dummy1 (so we have only one SPN to set)

This resolves the issue of duplicate SPNs.
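The condition described above (one SPN such as HTTP/test registered on both contoso\dummy and contoso\dummy1) can be audited directly in Active Directory. The following script is an added example, not part of the KB article or the original FAQ; it assumes the RSAT ActiveDirectory module is installed and that the HTTP service class is the one of interest (the function name and the "HTTP/*" pattern are this example's own assumptions).

```powershell
# Added example (not from the KB article): list HTTP SPNs that are registered on more
# than one account in the current domain, i.e. the "duplicate SPN" condition above.
# Assumes the RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory

function Find-DuplicateHttpSpn {
    param(
        # Only SPNs matching this wildcard are examined (assumption: HTTP service class).
        [string]$SpnPattern = 'HTTP/*'
    )

    # Map SPN -> accounts holding it. A PowerShell hashtable compares string keys
    # case-insensitively, which matches how AD treats servicePrincipalName values.
    $holders = @{}

    # Users, computers and gMSAs can all carry servicePrincipalName, so query objects
    # rather than user accounts only.
    Get-ADObject -LDAPFilter "(servicePrincipalName=$SpnPattern)" -Properties servicePrincipalName |
        ForEach-Object {
            $account = $_.DistinguishedName
            foreach ($spn in $_.servicePrincipalName) {
                if ($spn -like $SpnPattern) {
                    if (-not $holders.ContainsKey($spn)) { $holders[$spn] = @() }
                    $holders[$spn] += $account
                }
            }
        }

    # Report only SPNs with more than one holder, e.g. HTTP/test on both
    # contoso\dummy and contoso\dummy1 from the scenario above.
    foreach ($entry in $holders.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            [pscustomobject]@{
                SPN      = $entry.Key
                Accounts = ($entry.Value -join '; ')
            }
        }
    }
}

Find-DuplicateHttpSpn | Format-Table -AutoSize
```

The script only covers the current domain; `setspn -X` performs the equivalent forest-wide duplicate search, and `setspn -S` (instead of `-A`) refuses to register an SPN that is already held by another account. A duplicate matters because the KDC may encrypt the service ticket to the wrong account's key, so the application pool cannot decrypt it and Kerberos authentication to that site fails.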