More fun with Kerberos and Web Sites
SPN’s.
Service Principal Names.
I am not going to go into the details of how SPN’s are used right now, see my other posts on Kerberos or go use your favorite search engine to determine how they are used.
Most of this post will relate to web sites and access to sites via Kerberos.
Scenario:
Servername: 2k8STS1.CONTOSO.COM
A Record =2k8STS1.CONTOSO.COM
CNAME record = ALIAS.BOGUS.COM
So of course, now when I ping ALIAS.BOGUS.COM it will hit 2k8STS1.CONTOSO.COM
Now – from IE, when I type in https://ALIAS.BOGUS.COM , what SPN will be in the ticket request?
How come it was not ALIAS.BOGUS.COM ?
If you want it to use the name as typed into the browser, for the TGS_REQ, then you need to apply https://support.microsoft.com/kb/911149 ( 2k8 already has the code to honor it so all you need is the reg key )
And create the key = FEATURE_USE_CNAME_FOR_SPN_KB911149
Afterwards IE will use the CNAME for the SPN in the TGS_REQ.
The other item you may want to be aware of is :
https://support.microsoft.com/default.aspx/kb/908209
From the KB:
Internet Explorer 6 cannot use the Kerberos authentication protocol to connect to a Web site that uses a non-standard port in Windows XP and in Windows Server 2003
You have two Web sites that have different ports and identities. These two Web sites are running on the same computer. For example, Web site 1 runs on port 80 under identity "id1" and Web site 2 runs on port 81 under identity "id2”.
• Both the Web sites use Kerberos authentication protocol version 5.
• You use the Setspn utility to declare the Service Principal Name (SPN) for Web site 2.
• You use the same host name to connect to Web site 1 and to Web site 2. You use Microsoft Internet Explorer 6 to make this connection.
For example, you use https://examplewebserver to connect to Web site 1 and https://examplewebserver:81 to connect to Web site 2. In this example, you use the same examplewebserver host name to connect to both Web sites.
In this scenario, Internet Explorer 6 can use the Kerberos protocol to connect to Web site 1. However, Internet Explorer 6 cannot use the Kerberos protocol to connect to Web site 2.
Have fun.. spat
Comments
- Anonymous
January 15, 2009
The comment has been removed