Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

How do i configure Kerberos authentication for a website alias (Host (A) entry in dns)

Posted on 2008-06-19
13
Medium Priority
?
980 Views
Last Modified: 2012-05-05
Good Morning/Afternoon,

I have a web app (ASP.NET) that is configured as a virtual directory under the default web site on our webserver. I aslo have a HOST(A) entry in DNS called intranet which forwards to the webserver.

Webserver = webserver.domain.com
webapp = hr
HOST (A) = intranet

I can access my app using http://webserver/hr in a browser and kerberos works fine as i get authenticated against the sql server. But if i try http://intranet/hr i get the anonymous logon error message (See Attachment).

Delegation is ticked in AD for the webserver and i have the following spn's setup

HOST/webserver
HOST/webserver.domain.com
HTTP/intranet webserver
HTTP/intranet.domain.com webserver

The app pool is running under the network service account.

ASP is configured to use windows authentication and so is directory security.

Am i missing something here. Any help would be appreciated.

Thanks
Anthony
Error.png
0
Comment
Question by:christiegroup
  • 7
  • 6
13 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21835490

Hey,

Have you tried disabling strict name checking on the server?

This article isn't entirely relevant. But it does describe how to turn it off well enough:

http://support.microsoft.com/kb/281308

Presumably you enabled Kerberos Delegation on the server account?

HTH

Chris
0
 
LVL 1

Author Comment

by:christiegroup
ID: 21844799
Hi,

Thanks for the info, looks like this might help as i do get the system erro 52 if i do "net view intranet". I will reboot the server tonight and see if this solves the issue.

I had already enabled kerberos delegation on the server account.

Thanks

Anthony
0
 
LVL 1

Author Comment

by:christiegroup
ID: 21853319
Hi Chris,

This didn't solve the problem. I am still getting the anonymous logon error when using the alias.

Any other ideas?

Anthony
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 71

Expert Comment

by:Chris Dent
ID: 21853345

Well that's annoying...

The site is appearing on Internet Explorer as an Intranet Site isn't it?

Chris
0
 
LVL 1

Author Comment

by:christiegroup
ID: 21854659
Yeah i have added it to the local intranet sites list and "logon with current username and password" is selected in the security options.

Anthony
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21854766

Is it showing logon failures in the Security log at all (on the server)? That is, is it attempting and failing?

The only other thing I can think of at the moment is blocking anonymous access to that portion of the site.

I'll have a look around for other bits. Got to finish off a bit of my own application that intends to operate in the same way as this.

Chris
0
 
LVL 1

Author Comment

by:christiegroup
ID: 21854796
This is what i get for each address

http://intranet.domain.com/hr

Successful Network Logon:
       User Name:      USERNAME
       Domain:            DOMAIN
       Logon ID:            (0x0,0x9EE35E)
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM       
       Logon GUID:      -
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -

http://webserver.domain.com/hr

Description:
Successful Network Logon:
       User Name:      USERNAME
       Domain:            DOMAIN
       Logon ID:            (0x0,0x9E73D9)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos       
       Logon GUID:      {13fa1301-ce28-0bbb-fab6-d6eccd89a9e7}
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -

It uses NTLM for the alias but kerberos for webserver name.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21854812

Okay that makes sense then.

Can we just verify those Service Principal Names again.

Is this really how the SPN entries appear?

HTTP/intranet webserver
HTTP/intranet.domain.com webserver

What command did you use to add those?

Using SetSPN like this:

setspn -a HTTP/intranet webserver

Should have given you:

HTTP/intranet

Which the client uses to locate a server to send a Kerberos Ticket to.

Chris
0
 
LVL 1

Author Comment

by:christiegroup
ID: 21854864
These are all the spn's that are setup for the webserver.

HOST/webserver
HOST/webserver.domain.com
HTTP/intranet webserver
HTTP/intranet.domain.com
MSOLAPSvc/webserver
MSOLAPSvc/webserver.domain.com

Im not sure what the bottom 2 are for as i didn't put them there. The two HTTP entries I added manually using adsiedit.msc.

Anthony
0
 
LVL 1

Author Comment

by:christiegroup
ID: 21854885
that should have been HTTP/intranet.domain.com webserver
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 21854915

Ahh okay.

Remove the intranet SPN referencing the server name as well, it's not going to work (I should have spotted that earlier). Just figured you'd pasted in the part of the command you'd used to add them.

The SPN should match the service name accessed. It doesn't need the reference back to "webserver", that is implicit because of where the SPN is registered.

That should make the SPN entries:

HTTP/intranet
HTTP/intranet.domain.com

Chris
0
 
LVL 1

Author Comment

by:christiegroup
ID: 21855051
Your a star.

Works like a charm now.

Thanks for sticking with me.

Anthony
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21855069

You're welcome, glad we got there in the end :)

Chris
0

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Foolproof security solutions has become one of the key necessities of every e-commerce or Internet banking website. If you too own an online shopping site then its vital for you to equip your web portal with customer security features that can allow…
If you are a web developer, you would be aware of the <iframe> tag in HTML. The <iframe> stands for inline frame and is used to embed another document within the current HTML document. The embedded document could be even another website.
This video teaches viewers how to create their own website using cPanel and Wordpress. Tutorial walks users through how to set up their own domain name from tools like Domain Registrar, Hosting Account, and Wordpress. More specifically, the order in…
Learn how to set-up PayPal payment integration in your Wufoo form. Allow your users to remit payment through PayPal upon completion of your online form. This is helpful for collecting membership payments, customer payments, donations, and more.

877 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question