Spat's WebLog (Steve Patrick)

When things go wrong...

More fun with Kerberos and Web Sites

SPNs.

Service Principal Names.

I am not going to go into the details of how SPNs are used right now; see my other posts on Kerberos or go use your favorite search engine to determine how they are used.

Most of this post will relate to web sites and access to sites via Kerberos.

Scenario:

Servername: 2k8STS1.CONTOSO.COM
A record: 2k8STS1.CONTOSO.COM
CNAME record: ALIAS.BOGUS.COM (pointing at 2k8STS1.CONTOSO.COM)

So of course, when I ping ALIAS.BOGUS.COM it resolves to and hits 2k8STS1.CONTOSO.COM.

Now, from IE, when I type in HTTP://ALIAS.BOGUS.COM, what SPN will be in the ticket request (the TGS_REQ)?

[Screenshot of the TGS_REQ: the requested SPN is built from the server's A record name, not from ALIAS.BOGUS.COM]

How come it was not ALIAS.BOGUS.COM?

If you want IE to use the name as typed into the browser for the TGS_REQ, then you need to apply http://support.microsoft.com/kb/911149 (2k8 already has the code to honor it, so all you need is the reg key)

and create the key FEATURE_USE_CNAME_FOR_SPN_KB911149.

Afterwards IE will use the CNAME for the SPN in the TGS_REQ.

[Screenshot of the TGS_REQ after the reg key is set: the requested SPN now uses the CNAME, ALIAS.BOGUS.COM]

The other item you may want to be aware of is:

http://support.microsoft.com/default.aspx/kb/908209

From the KB:

Internet Explorer 6 cannot use the Kerberos authentication protocol to connect to a Web site that uses a non-standard port in Windows XP and in Windows Server 2003

You have two Web sites that have different ports and identities. These two Web sites are running on the same computer. For example, Web site 1 runs on port 80 under identity "id1" and Web site 2 runs on port 81 under identity "id2".

• Both the Web sites use Kerberos authentication protocol version 5.

• You use the Setspn utility to declare the Service Principal Name (SPN) for Web site 2.

• You use the same host name to connect to Web site 1 and to Web site 2. You use Microsoft Internet Explorer 6 to make this connection.

For example, you use http://examplewebserver to connect to Web site 1 and http://examplewebserver:81 to connect to Web site 2. In this example, you use the same examplewebserver host name to connect to both Web sites.

In this scenario, Internet Explorer 6 can use the Kerberos protocol to connect to Web site 1. However, Internet Explorer 6 cannot use the Kerberos protocol to connect to Web site 2.
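To tie the two KB articles together, here is an added PowerShell diagnostic of my own (not code from Spat's post or from Microsoft). Given a URL, it predicts which HTTP SPN IE will put in the TGS_REQ, following the CNAME chain to the A record unless the KB911149 feature key is set, and it shows that the port is dropped from the SPN, which is why two sites on the same host name under different identities collide. It assumes a domain-joined Windows host with the DnsClient module (Resolve-DnsName) and setspn.exe available, and it assumes the documented location of the KB911149 key under HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl with an iexplore.exe DWORD value of 1. The three URLs at the bottom are constructed from the scenarios above.

```powershell
# Added example (not from the original post): predict the HTTP SPN that IE
# will request for a URL and check which AD account currently holds it.
# Assumptions: domain-joined Windows host, Resolve-DnsName (DnsClient module)
# and setspn.exe present, KB911149 key at the documented FeatureControl path.

function Get-ExpectedHttpSpn {
    param([Parameter(Mandatory)][string]$Url)

    $uri       = [Uri]$Url
    $typedHost = $uri.Host

    # KB911149: when the feature key is set for iexplore.exe, IE builds the SPN
    # from the host name as typed; otherwise it follows the CNAME to the A record.
    $keyPath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149'
    $useTypedName = $false
    if (Test-Path $keyPath) {
        $val = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).'iexplore.exe'
        $useTypedName = ($val -eq 1)
    }

    $spnHost = $typedHost
    if (-not $useTypedName) {
        # Follow CNAME records to the canonical name; the loop is bounded so a
        # misconfigured CNAME cycle cannot hang the script.
        for ($i = 0; $i -lt 8; $i++) {
            $cname = Resolve-DnsName -Name $spnHost -Type CNAME -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
            if (-not $cname) { break }
            $spnHost = $cname.NameHost.TrimEnd('.')
        }
    }

    # KB908209: the port is never part of the SPN, so http://host and
    # http://host:81 both map to the single principal HTTP/host.
    [pscustomobject]@{
        Url           = $Url
        TypedHost     = $typedHost
        Port          = $uri.Port
        UsesTypedName = $useTypedName
        Spn           = "HTTP/$spnHost"
    }
}

function Get-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)
    # setspn -Q lists the account(s) that have this SPN registered. Seeing it
    # on one identity while a second site expects another is the KB908209 case.
    $out = & setspn.exe -Q $Spn 2>&1
    $out | ForEach-Object { "  $_" }
}

# Constructed test URLs mirroring the post's two scenarios.
foreach ($u in 'http://ALIAS.BOGUS.COM', 'http://examplewebserver', 'http://examplewebserver:81') {
    $r = Get-ExpectedHttpSpn -Url $u
    "$($r.Url) -> $($r.Spn) (port $($r.Port), typed-name mode: $($r.UsesTypedName))"
    Get-SpnOwner -Spn $r.Spn
}
```

Run it once before and once after setting the KB911149 key and the first line of output changes from HTTP/2k8STS1.CONTOSO.COM to HTTP/ALIAS.BOGUS.COM, matching the two screenshots above; the last two lines always print the same SPN regardless of the port, which is the KB908209 collision in one line of output.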

Have fun.. spat

Comments

Hi,

    FYI, this *feature* is fixed in IE7 on Vista, but on XP you still need the reg key FEATURE_USE_CNAME_FOR_SPN_KB911149 for it to honour the CNAME.

    With IE7 on Vista SP1 and IE8 Beta 2 on XP and Vista you don't need the reg key, it just works.

    Interestingly, with the version of IE8 that ships with the Windows 7 beta you can't use Kerberos with DNS CNAMEs at all - it's just broken. Adding the reg key on Windows 7 doesn't help either.