christiegroup asked:
How do I configure Kerberos authentication for a website alias (Host (A) entry in DNS)?
Good Morning/Afternoon,
I have a web app (ASP.NET) that is configured as a virtual directory under the default web site on our webserver. I also have a HOST (A) entry in DNS called intranet which forwards to the webserver.
Webserver = webserver.domain.com
webapp = hr
HOST (A) = intranet
I can access my app using http://webserver/hr in a browser and Kerberos works fine as I get authenticated against the SQL server. But if I try http://intranet/hr I get the anonymous logon error message (see attachment).
Delegation is ticked in AD for the webserver and I have the following SPNs set up:
HOST/webserver
HOST/webserver.domain.com
HTTP/intranet webserver
HTTP/intranet.domain.com webserver
The app pool is running under the network service account.
ASP is configured to use windows authentication and so is directory security.
Am I missing something here? Any help would be appreciated.
Thanks
Anthony
Error.png
ASKER
Hi,
Thanks for the info, looks like this might help as I do get the system error 52 if I do "net view intranet". I will reboot the server tonight and see if this solves the issue.
I had already enabled kerberos delegation on the server account.
Thanks
Anthony
ASKER
Hi Chris,
This didn't solve the problem. I am still getting the anonymous logon error when using the alias.
Any other ideas?
Anthony
Well that's annoying...
The site is appearing on Internet Explorer as an Intranet Site isn't it?
Chris
ASKER
Yeah, I have added it to the local intranet sites list and "logon with current username and password" is selected in the security options.
Anthony
Anthony
Is it showing logon failures in the Security log at all (on the server)? That is, is it attempting and failing?
The only other thing I can think of at the moment is blocking anonymous access to that portion of the site.
I'll have a look around for other bits. Got to finish off a bit of my own application that intends to operate in the same way as this.
Chris
ASKER
This is what I get for each address:
http://intranet.domain.com/hr
Successful Network Logon:
User Name: USERNAME
Domain: DOMAIN
Logon ID: (0x0,0x9EE35E)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
http://webserver.domain.com/hr
Description:
Successful Network Logon:
User Name: USERNAME
Domain: DOMAIN
Logon ID: (0x0,0x9E73D9)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Logon GUID: {13fa1301-ce28-0bbb-fab6-d6eccd89a9e7}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
It uses NTLM for the alias but Kerberos for the webserver name.
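The two events above show the classic symptom of a missing or malformed SPN: the same user, the same app, but "Authentication Package: NTLM" for one host name and "Kerberos" for the other. As an added example (not part of the original thread), here is a small Python parser that takes pasted Security-log text in the Windows Server 2003-style "Successful Network Logon" format shown above and reports which tested URL fell back to NTLM. The log text inside it is constructed to mirror the asker's two events; it is not a real capture.

```python
"""Added example: spot NTLM fallback in pasted Security-log text.

When the same user reaches the same app by two names and one name shows
'Authentication Package: NTLM' while the other shows 'Kerberos', the NTLM one
almost always has a missing or malformed SPN. The log text below is
constructed to mirror the thread's two events; it is not a real capture.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: each URL line is followed by the event recorded for it.
SAMPLE_LOG = """\
http://intranet.domain.com/hr
Successful Network Logon:
User Name: USERNAME
Domain: DOMAIN
Logon ID: (0x0,0x9EE35E)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Logon GUID: -
http://webserver.domain.com/hr
Description:
Successful Network Logon:
User Name: USERNAME
Domain: DOMAIN
Logon ID: (0x0,0x9E73D9)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Logon GUID: {13fa1301-ce28-0bbb-fab6-d6eccd89a9e7}
"""


@dataclass
class LogonEvent:
    url: str            # the URL that was tested (the line preceding the event)
    user: str
    domain: str
    logon_type: int     # 3 = network logon
    process: str        # Logon Process: NtLmSsp or Kerberos
    package: str        # Authentication Package: NTLM or Kerberos


def _build(url: str, fields: Dict[str, str]) -> LogonEvent:
    return LogonEvent(
        url=url,
        user=fields.get("User Name", ""),
        domain=fields.get("Domain", ""),
        logon_type=int(fields.get("Logon Type", "0") or 0),
        process=fields.get("Logon Process", ""),
        package=fields.get("Authentication Package", ""),
    )


def parse_logon_events(text: str) -> List[LogonEvent]:
    """Split pasted log text into one LogonEvent per URL heading."""
    events: List[LogonEvent] = []
    url = None
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("http://", "https://")):
            if url is not None:
                events.append(_build(url, fields))
            url, fields = line, {}
        elif ":" in line:
            # "Key: value" lines; lines like "Description:" just get an empty value
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    if url is not None:
        events.append(_build(url, fields))
    return events


def ntlm_fallbacks(events: List[LogonEvent]) -> List[str]:
    """URLs whose logon was negotiated down to NTLM instead of Kerberos."""
    return [e.url for e in events if e.package.upper() == "NTLM"]


def package_by_url(text: str = SAMPLE_LOG) -> Dict[str, str]:
    """Map each tested URL to the authentication package the server recorded."""
    return {e.url: e.package for e in parse_logon_events(text)}


if __name__ == "__main__":
    for url, pkg in package_by_url().items():
        print(f"{url}: {pkg}")
    for url in ntlm_fallbacks(parse_logon_events(SAMPLE_LOG)):
        print(f"NTLM fallback for {url}: check the HTTP SPN for that host name")
```

Run it as-is to see the constructed sample classified, or paste your own exported events (one URL heading before each event) into `parse_logon_events`. Any URL listed by `ntlm_fallbacks` is the host name whose HTTP SPN to check first.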
Okay that makes sense then.
Can we just verify those Service Principal Names again?
Is this really how the SPN entries appear?
HTTP/intranet webserver
HTTP/intranet.domain.com webserver
What command did you use to add those?
Using SetSPN like this:
setspn -a HTTP/intranet webserver
Should have given you:
HTTP/intranet
Which the client uses to locate a server to send a Kerberos Ticket to.
Chris
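Chris's point is that the client asks the KDC for a ticket to exactly the string "HTTP/<host it typed>", so an attribute value such as "HTTP/intranet webserver" (the setspn command line pasted into the attribute) never matches and the browser quietly drops to NTLM. As an added example (not part of the original thread), here is a Python checker for servicePrincipalName values: it flags entries containing whitespace or not matching service/host[:port][/instance], and reports whether both SPNs a browser may request for an alias (short name and FQDN) are present. The list it checks is constructed to match the six values the asker listed.

```python
"""Added example: sanity-check servicePrincipalName values before trusting them.

A client builds 'HTTP/<host it typed>' and requests a ticket for exactly that
string. A value like 'HTTP/intranet webserver' is a different string, so no
ticket is issued and the browser falls back to NTLM. The SPN list below is
constructed to match the one posted in the thread.
"""
import re
from typing import Dict, List

# Constructed sample: the six values listed on the webserver account.
SAMPLE_SPNS = [
    "HOST/webserver",
    "HOST/webserver.domain.com",
    "HTTP/intranet webserver",        # malformed: an account name after a space
    "HTTP/intranet.domain.com",
    "MSOLAPSvc/webserver",
    "MSOLAPSvc/webserver.domain.com",
]

# service/host[:port][/instance]; none of the parts may contain whitespace.
_SPN_RE = re.compile(
    r"^(?P<service>[A-Za-z0-9_-]+)/"
    r"(?P<host>[A-Za-z0-9.-]+)"
    r"(?::(?P<port>\d{1,5}))?"
    r"(?:/(?P<instance>[^\s/]+))?$"
)


def validate_spn(spn: str) -> List[str]:
    """Return the problems with one SPN string; an empty list means it looks valid."""
    problems: List[str] = []
    if any(ch.isspace() for ch in spn):
        problems.append("contains whitespace; looks like a pasted 'setspn -a SPN account' "
                        "command rather than the SPN itself")
    elif not _SPN_RE.match(spn):
        problems.append("does not match service/host[:port][/instance]")
    return problems


def malformed_spns(spns: List[str]) -> Dict[str, List[str]]:
    """Every SPN in the list that has at least one problem, with the reasons."""
    return {s: validate_spn(s) for s in spns if validate_spn(s)}


def http_alias_coverage(spns: List[str], alias: str, domain: str) -> Dict[str, bool]:
    """Whether both SPNs a browser may request for an alias (short and FQDN)
    exist as well-formed values. Comparison is case-insensitive, as AD's
    matching on this attribute is."""
    present = {s.lower() for s in spns if not validate_spn(s)}
    expected = [f"HTTP/{alias}", f"HTTP/{alias}.{domain}"]
    return {e: e.lower() in present for e in expected}


if __name__ == "__main__":
    for spn, why in malformed_spns(SAMPLE_SPNS).items():
        print(f"BAD     {spn!r}: {'; '.join(why)}")
    for spn, ok in http_alias_coverage(SAMPLE_SPNS, "intranet", "domain.com").items():
        print(f"{'ok     ' if ok else 'MISSING'} {spn}")
```

Feed it the output of `setspn -L <account>` (one SPN per list entry) for a real account. A "MISSING" line for either the short or the FQDN form means at least one of the two names a user can type will negotiate down to NTLM, which is exactly what the Security-log comparison earlier in the thread shows.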
ASKER
These are all the SPNs that are set up for the webserver.
HOST/webserver
HOST/webserver.domain.com
HTTP/intranet webserver
HTTP/intranet.domain.com
MSOLAPSvc/webserver
MSOLAPSvc/webserver.domain.com
I'm not sure what the bottom 2 are for as I didn't put them there. The two HTTP entries I added manually using adsiedit.msc.
Anthony
ASKER
That should have been HTTP/intranet.domain.com webserver
ASKER CERTIFIED SOLUTION
ASKER
You're a star.
Works like a charm now.
Thanks for sticking with me.
Anthony
You're welcome, glad we got there in the end :)
Chris
Hey,
Have you tried disabling strict name checking on the server?
This article isn't entirely relevant. But it does describe how to turn it off well enough:
http://support.microsoft.com/kb/281308
Presumably you enabled Kerberos Delegation on the server account?
HTH
Chris