Solved

How do i configure Kerberos authentication for a website alias (Host (A) entry in dns)

Posted on 2008-06-19
13
969 Views
Last Modified: 2012-05-05
Good Morning/Afternoon,

I have a web app (ASP.NET) that is configured as a virtual directory under the default web site on our webserver. I aslo have a HOST(A) entry in DNS called intranet which forwards to the webserver.

Webserver = webserver.domain.com
webapp = hr
HOST (A) = intranet

I can access my app using http://webserver/hr in a browser and kerberos works fine as i get authenticated against the sql server. But if i try http://intranet/hr i get the anonymous logon error message (See Attachment).

Delegation is ticked in AD for the webserver and i have the following spn's setup

HOST/webserver
HOST/webserver.domain.com
HTTP/intranet webserver
HTTP/intranet.domain.com webserver

The app pool is running under the network service account.

ASP is configured to use windows authentication and so is directory security.

Am i missing something here. Any help would be appreciated.

Thanks
Anthony
Error.png
0
Comment
Question by:christiegroup
  • 7
  • 6
13 Comments
 
LVL 70

Expert Comment

by:Chris Dent
Comment Utility

Hey,

Have you tried disabling strict name checking on the server?

This article isn't entirely relevant. But it does describe how to turn it off well enough:

http://support.microsoft.com/kb/281308

Presumably you enabled Kerberos Delegation on the server account?

HTH

Chris
0
 
LVL 1

Author Comment

by:christiegroup
Comment Utility
Hi,

Thanks for the info, looks like this might help as i do get the system erro 52 if i do "net view intranet". I will reboot the server tonight and see if this solves the issue.

I had already enabled kerberos delegation on the server account.

Thanks

Anthony
0
 
LVL 1

Author Comment

by:christiegroup
Comment Utility
Hi Chris,

This didn't solve the problem. I am still getting the anonymous logon error when using the alias.

Any other ideas?

Anthony
0
 
LVL 70

Expert Comment

by:Chris Dent
Comment Utility

Well that's annoying...

The site is appearing on Internet Explorer as an Intranet Site isn't it?

Chris
0
 
LVL 1

Author Comment

by:christiegroup
Comment Utility
Yeah i have added it to the local intranet sites list and "logon with current username and password" is selected in the security options.

Anthony
0
 
LVL 70

Expert Comment

by:Chris Dent
Comment Utility

Is it showing logon failures in the Security log at all (on the server)? That is, is it attempting and failing?

The only other thing I can think of at the moment is blocking anonymous access to that portion of the site.

I'll have a look around for other bits. Got to finish off a bit of my own application that intends to operate in the same way as this.

Chris
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 1

Author Comment

by:christiegroup
Comment Utility
This is what i get for each address

http://intranet.domain.com/hr

Successful Network Logon:
       User Name:      USERNAME
       Domain:            DOMAIN
       Logon ID:            (0x0,0x9EE35E)
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM       
       Logon GUID:      -
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -

http://webserver.domain.com/hr

Description:
Successful Network Logon:
       User Name:      USERNAME
       Domain:            DOMAIN
       Logon ID:            (0x0,0x9E73D9)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos       
       Logon GUID:      {13fa1301-ce28-0bbb-fab6-d6eccd89a9e7}
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -

It uses NTLM for the alias but kerberos for webserver name.
0
 
LVL 70

Expert Comment

by:Chris Dent
Comment Utility

Okay that makes sense then.

Can we just verify those Service Principal Names again.

Is this really how the SPN entries appear?

HTTP/intranet webserver
HTTP/intranet.domain.com webserver

What command did you use to add those?

Using SetSPN like this:

setspn -a HTTP/intranet webserver

Should have given you:

HTTP/intranet

Which the client uses to locate a server to send a Kerberos Ticket to.

Chris
0
 
LVL 1

Author Comment

by:christiegroup
Comment Utility
These are all the spn's that are setup for the webserver.

HOST/webserver
HOST/webserver.domain.com
HTTP/intranet webserver
HTTP/intranet.domain.com
MSOLAPSvc/webserver
MSOLAPSvc/webserver.domain.com

Im not sure what the bottom 2 are for as i didn't put them there. The two HTTP entries I added manually using adsiedit.msc.

Anthony
0
 
LVL 1

Author Comment

by:christiegroup
Comment Utility
that should have been HTTP/intranet.domain.com webserver
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
Comment Utility

Ahh okay.

Remove the intranet SPN referencing the server name as well, it's not going to work (I should have spotted that earlier). Just figured you'd pasted in the part of the command you'd used to add them.

The SPN should match the service name accessed. It doesn't need the reference back to "webserver", that is implicit because of where the SPN is registered.

That should make the SPN entries:

HTTP/intranet
HTTP/intranet.domain.com

Chris
0
 
LVL 1

Author Comment

by:christiegroup
Comment Utility
Your a star.

Works like a charm now.

Thanks for sticking with me.

Anthony
0
 
LVL 70

Expert Comment

by:Chris Dent
Comment Utility

You're welcome, glad we got there in the end :)

Chris
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Thoughout my experience working on eCommerce web applications I have seen applications succumbing to increased user demand and throughput. With increased loads the response times started to spike, which leads to user frustration and lost sales. I ha…
Introduction A frequently used term in Object-Oriented design is "SOLID" which is a mnemonic acronym that covers five principles of OO design.  These principles do not stand alone; there is interplay among them.  And they are not laws, merely princ…
This video teaches users how to migrate an existing Wordpress website to a new domain.
Use Wufoo, an online form creation tool, to make powerful forms. Learn how to choose which pages of your form are visible to your users based on their inputs. The page rules feature provides you with an opportunity to create if:then statements for y…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now