How do I configure Kerberos authentication for a website alias (Host (A) entry in DNS)

Posted on 2008-06-19
970 Views
Last Modified: 2012-05-05
Good Morning/Afternoon,

I have a web app (ASP.NET) that is configured as a virtual directory under the default web site on our webserver. I also have a HOST (A) entry in DNS called intranet which forwards to the webserver.

Webserver = webserver.domain.com
webapp = hr
HOST (A) = intranet

I can access my app using http://webserver/hr in a browser and Kerberos works fine as I get authenticated against the SQL Server. But if I try http://intranet/hr I get the anonymous logon error message (See Attachment).

Delegation is ticked in AD for the webserver and I have the following SPNs set up

HOST/webserver
HOST/webserver.domain.com
HTTP/intranet webserver
HTTP/intranet.domain.com webserver

The app pool is running under the network service account.

ASP is configured to use windows authentication and so is directory security.

Am I missing something here? Any help would be appreciated.

Thanks
Anthony
Error.png
Question by:christiegroup
13 Comments

Expert Comment

by:Chris Dent
ID: 21835490

Hey,

Have you tried disabling strict name checking on the server?

This article isn't entirely relevant. But it does describe how to turn it off well enough:

http://support.microsoft.com/kb/281308

Presumably you enabled Kerberos Delegation on the server account?

HTH

Chris

Author Comment

by:christiegroup
ID: 21844799
Hi,

Thanks for the info, looks like this might help as I do get the system error 52 if I do "net view intranet". I will reboot the server tonight and see if this solves the issue.

I had already enabled Kerberos delegation on the server account.

Thanks

Anthony

Author Comment

by:christiegroup
ID: 21853319
Hi Chris,

This didn't solve the problem. I am still getting the anonymous logon error when using the alias.

Any other ideas?

Anthony

Expert Comment

by:Chris Dent
ID: 21853345

Well that's annoying...

The site is appearing on Internet Explorer as an Intranet Site isn't it?

Chris

Author Comment

by:christiegroup
ID: 21854659
Yeah, I have added it to the local intranet sites list and "logon with current username and password" is selected in the security options.

Anthony

Expert Comment

by:Chris Dent
ID: 21854766

Is it showing logon failures in the Security log at all (on the server)? That is, is it attempting and failing?

The only other thing I can think of at the moment is blocking anonymous access to that portion of the site.

I'll have a look around for other bits. Got to finish off a bit of my own application that intends to operate in the same way as this.

Chris

Author Comment

by:christiegroup
ID: 21854796
This is what I get for each address:

http://intranet.domain.com/hr

Successful Network Logon:
       User Name:      USERNAME
       Domain:            DOMAIN
       Logon ID:            (0x0,0x9EE35E)
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM       
       Logon GUID:      -
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -

http://webserver.domain.com/hr

Description:
Successful Network Logon:
       User Name:      USERNAME
       Domain:            DOMAIN
       Logon ID:            (0x0,0x9E73D9)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos       
       Logon GUID:      {13fa1301-ce28-0bbb-fab6-d6eccd89a9e7}
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -

It uses NTLM for the alias but Kerberos for the webserver name.
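
The two Security-log entries above differ only in the Logon Process / Authentication Package fields, and that difference is the whole diagnosis: the alias is silently falling back to NTLM. The following added example (not code from the thread) parses events in that text format, classifies each by authentication package, and derives the HTTP/<host> SPN the client would have asked the KDC for when browsing that URL. The sample events are constructed from the thread's own two entries; the URL-to-event mapping is an assumption, since the event itself does not record which name the browser used.

```python
"""Classify Windows Security-log logon events by authentication package.

Added example, not from the original thread: parses 'Successful Network
Logon' event text, reports whether each URL was authenticated with Kerberos
or fell back to NTLM, and derives the HTTP SPN the client requested for
that URL, which is the SPN that must exist for Kerberos to succeed.
"""
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed sample: the two events from the thread, keyed by the URL that
# was browsed when each event was logged (the event itself does not say).
SAMPLE_EVENTS: Dict[str, str] = {
    "http://intranet.domain.com/hr": """\
Successful Network Logon:
       User Name:      USERNAME
       Domain:            DOMAIN
       Logon ID:            (0x0,0x9EE35E)
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Logon GUID:      -
""",
    "http://webserver.domain.com/hr": """\
Successful Network Logon:
       User Name:      USERNAME
       Domain:            DOMAIN
       Logon ID:            (0x0,0x9E73D9)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Logon GUID:      {13fa1301-ce28-0bbb-fab6-d6eccd89a9e7}
""",
}

# "Field name:   value" lines; the "Successful Network Logon:" header has no value.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*?)\s*$")


def parse_logon_event(text: str) -> Dict[str, str]:
    """Return the event's 'Field: value' pairs as a dict (header lines skipped)."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group("value"):
            fields[m.group("key").strip()] = m.group("value")
    return fields


def auth_package(fields: Dict[str, str]) -> str:
    """'kerberos', 'ntlm' or 'unknown', from the Authentication Package field."""
    pkg = fields.get("Authentication Package", "").upper()
    if pkg == "KERBEROS":
        return "kerberos"
    if pkg == "NTLM":
        return "ntlm"
    return "unknown"


def expected_http_spn(url: str) -> Optional[str]:
    """SPN the browser requests for a URL: HTTP/<host part of the URL>."""
    host = urlsplit(url).hostname
    return f"HTTP/{host}" if host else None


def ntlm_fallbacks(events_by_url: Dict[str, str]) -> Dict[str, str]:
    """Map each URL that authenticated with NTLM to the SPN Kerberos needed."""
    result: Dict[str, str] = {}
    for url, text in events_by_url.items():
        if auth_package(parse_logon_event(text)) == "ntlm":
            result[url] = expected_http_spn(url) or "HTTP/<unknown host>"
    return result


if __name__ == "__main__":
    for url, spn in ntlm_fallbacks(SAMPLE_EVENTS).items():
        print(f"{url}: NTLM fallback; check that {spn} is registered")
```

Running it over the sample reports only the intranet URL, with HTTP/intranet.domain.com as the SPN to check, which is exactly the entry the rest of the thread ends up correcting.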

Expert Comment

by:Chris Dent
ID: 21854812

Okay that makes sense then.

Can we just verify those Service Principal Names again?

Is this really how the SPN entries appear?

HTTP/intranet webserver
HTTP/intranet.domain.com webserver

What command did you use to add those?

Using SetSPN like this:

setspn -a HTTP/intranet webserver

Should have given you:

HTTP/intranet

Which the client uses to locate a server to send a Kerberos Ticket to.

Chris

Author Comment

by:christiegroup
ID: 21854864
These are all the SPNs that are set up for the webserver.

HOST/webserver
HOST/webserver.domain.com
HTTP/intranet webserver
HTTP/intranet.domain.com
MSOLAPSvc/webserver
MSOLAPSvc/webserver.domain.com

I'm not sure what the bottom 2 are for as I didn't put them there. The two HTTP entries I added manually using adsiedit.msc.

Anthony

Author Comment

by:christiegroup
ID: 21854885
that should have been HTTP/intranet.domain.com webserver

Accepted Solution

by:Chris Dent (earned 500 total points)
ID: 21854915

Ahh okay.

Remove the intranet SPN referencing the server name as well; it's not going to work (I should have spotted that earlier). Just figured you'd pasted in the part of the command you'd used to add them.

The SPN should match the service name accessed. It doesn't need the reference back to "webserver", that is implicit because of where the SPN is registered.

That should make the SPN entries:

HTTP/intranet
HTTP/intranet.domain.com

Chris
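
The accepted answer boils down to two rules: an SPN is just <service class>/<name>, with no account name appended, and the alias needs its own HTTP/<name> entries on the account the app pool runs as (with Network Service, as here, that is the computer account). The following added example (not code from the thread) audits a setspn -L style listing against both rules and prints the setspn commands that would repair it. The listing is constructed from the SPN list the author posted; the distinguished name in its header is made up, and the account name webserver is taken from the thread.

```python
"""Audit the SPN list of a web server account for a DNS alias.

Added example, not from the original thread: checks a 'setspn -L' style
listing for the two problems the thread ran into, SPNs that carry a trailing
account name (pasted from the setspn command line) and alias names with no
HTTP/<name> SPN at all, and builds the setspn commands that would fix them.
"""
import re
from typing import Dict, List

# Constructed sample modelled on the list the author posted; the DN is made up.
SAMPLE_SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=WEBSERVER,OU=Servers,DC=domain,DC=com:
        HOST/webserver
        HOST/webserver.domain.com
        HTTP/intranet webserver
        HTTP/intranet.domain.com webserver
        MSOLAPSvc/webserver
        MSOLAPSvc/webserver.domain.com
"""

# Well-formed SPN: <service class>/<host>[:port][/<service name>], no whitespace.
SPN_RE = re.compile(r"^[A-Za-z0-9_-]+/[A-Za-z0-9.-]+(:\d+)?(/[^\s/]+)?$")


def parse_setspn_output(text: str) -> List[str]:
    """Return the SPN lines from 'setspn -L <account>' output, header dropped."""
    spns: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Registered ServicePrincipalNames"):
            continue
        spns.append(line)
    return spns


def malformed_spns(spns: List[str]) -> List[str]:
    """SPNs that do not match <class>/<host>[:port][/<name>]; whitespace means
    the account name from the setspn command line was pasted into the SPN."""
    return [s for s in spns if not SPN_RE.match(s)]


def missing_spns(spns: List[str], service_class: str, names: List[str]) -> List[str]:
    """Expected <class>/<name> SPNs that are absent (SPNs compare case-insensitively)."""
    present = {s.lower() for s in spns}
    return [f"{service_class}/{n}" for n in names
            if f"{service_class}/{n}".lower() not in present]


def audit(text: str, account: str, service_class: str,
          names: List[str]) -> Dict[str, List[str]]:
    """Return malformed and missing SPNs plus the setspn commands to repair them.

    setspn -D removes an SPN from an account, setspn -A adds one; the malformed
    entries are quoted because they contain a space."""
    spns = parse_setspn_output(text)
    bad = malformed_spns(spns)
    missing = missing_spns(spns, service_class, names)
    commands = [f'setspn -D "{s}" {account}' for s in bad]
    commands += [f"setspn -A {s} {account}" for s in missing]
    return {"malformed": bad, "missing": missing, "commands": commands}


if __name__ == "__main__":
    report = audit(SAMPLE_SETSPN_OUTPUT, "webserver", "HTTP",
                   ["intranet", "intranet.domain.com"])
    for key, items in report.items():
        print(key)
        for item in items:
            print("   ", item)
```

On the sample it flags the two entries with the trailing "webserver" as malformed and HTTP/intranet and HTTP/intranet.domain.com as missing, and emits a -D for each bad entry followed by an -A for each missing one. The other classic cause of the same NTLM fallback is the correct SPN registered on two accounts; setspn -X (domain-wide duplicate search) covers that case, which this listing-only check cannot see.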

Author Comment

by:christiegroup
ID: 21855051
You're a star.

Works like a charm now.

Thanks for sticking with me.

Anthony

Expert Comment

by:Chris Dent
ID: 21855069

You're welcome, glad we got there in the end :)

Chris