Kerberos troubleshooting from IIS perspective

re: Kerberos troubleshooting from IIS perspective

Grant Earl — Tue, 06 Nov 2007 01:50:48 GMT

Great entry with some very valuable information.

re: Kerberos troubleshooting from IIS perspective

C. List — Tue, 08 Jul 2008 03:08:26 GMT

Thanks for the informative post. It's a very confusing topic, and I'm amazed MS hasn't released a more intuitive graphical tool for managing SPNs.

When you say:

SPN:

- http/<computer-name>:<port> <iis-computer-name>

http/<FQDN> <iis computer-name>

What is "computer name"? The IE computer or the SQL Server computer? I assume it's not the IE computer because adding the SPN for every IE computer that will be accessing the site is impossible.

Am I correct in this assumption?

Thanks,

Chris

re: Kerberos troubleshooting from IIS perspective

Saurabh Singh — Tue, 08 Jul 2008 03:22:06 GMT

Chris, you are right. This has to be the server name and not the client (IE) name. My mistake I will rectify this to clear the confusion. If you are setting SPN for a web site this is the IIS server's netbios name. Similarly for a SQL server.

I understand that we do not have a very friendly public utility to handle these issues. However I would suggest you to go through this tool. It was written by an Escalation engg in IIS support business.

Please read these:

http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/delegconfig-delegation-configuration-reporting-tool.aspx

http://blogs.iis.net/bretb/archive/2008/03/27/How-to-Use-DelegConfig.aspx

re: Kerberos troubleshooting from IIS perspective

C. List — Thu, 10 Jul 2008 17:32:11 GMT

Thank you very much. With the help of your post and the report-configuarion tool you posted the link to, we were able to fix our delegation problems!

In retrospect, I think one of the most confusing thing for Kerberos newbies is; "What *is* an SPN?". After getting this working, my understanding is that it's something that tells AD what services an account can *receive* credentials for. The other piece of the puzzle in 2003 is that you have to tell the delegation tab what services each account *send* credentials to. My confusion was that I thought the delegation tab was like a GUI into the SPN list for a given account, but that is not the case. The fact that you need to tell the delegation tab on the IIS account to delegate to the SPN for the SQL account, but that you should NOT have a MSSQLSvc SPN for the IIS account is rather confusing unless you think of SPNs as "can receive credentials" entries, and the delegation tab list as "can send" entries.

The fact that one uses the AD GUI and the other uses a command line tool is certainly less than intuitive!

Cheers, and thanks again for your blog!

- Chris

Who knows! You may be missing these points for Kerberos authentication failures for Web applications...

Penning my thoughts... — Sun, 16 Nov 2008 13:11:25 GMT

I am sharing here some of the general + elusive + ignored + must-have info that you may want to recheck