Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 982
  • Last Modified:

How do i configure Kerberos authentication for a website alias (Host (A) entry in dns)

Good Morning/Afternoon,

I have a web app (ASP.NET) that is configured as a virtual directory under the default web site on our webserver. I aslo have a HOST(A) entry in DNS called intranet which forwards to the webserver.

Webserver = webserver.domain.com
webapp = hr
HOST (A) = intranet

I can access my app using http://webserver/hr in a browser and kerberos works fine as i get authenticated against the sql server. But if i try http://intranet/hr i get the anonymous logon error message (See Attachment).

Delegation is ticked in AD for the webserver and i have the following spn's setup

HOST/webserver
HOST/webserver.domain.com
HTTP/intranet webserver
HTTP/intranet.domain.com webserver

The app pool is running under the network service account.

ASP is configured to use windows authentication and so is directory security.

Am i missing something here. Any help would be appreciated.

Thanks
Anthony
Error.png
0
christiegroup
Asked:
christiegroup
  • 7
  • 6
1 Solution
 
Chris DentPowerShell DeveloperCommented:

Hey,

Have you tried disabling strict name checking on the server?

This article isn't entirely relevant. But it does describe how to turn it off well enough:

http://support.microsoft.com/kb/281308

Presumably you enabled Kerberos Delegation on the server account?

HTH

Chris
0
 
christiegroupAuthor Commented:
Hi,

Thanks for the info, looks like this might help as i do get the system erro 52 if i do "net view intranet". I will reboot the server tonight and see if this solves the issue.

I had already enabled kerberos delegation on the server account.

Thanks

Anthony
0
 
christiegroupAuthor Commented:
Hi Chris,

This didn't solve the problem. I am still getting the anonymous logon error when using the alias.

Any other ideas?

Anthony
0
Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

 
Chris DentPowerShell DeveloperCommented:

Well that's annoying...

The site is appearing on Internet Explorer as an Intranet Site isn't it?

Chris
0
 
christiegroupAuthor Commented:
Yeah i have added it to the local intranet sites list and "logon with current username and password" is selected in the security options.

Anthony
0
 
Chris DentPowerShell DeveloperCommented:

Is it showing logon failures in the Security log at all (on the server)? That is, is it attempting and failing?

The only other thing I can think of at the moment is blocking anonymous access to that portion of the site.

I'll have a look around for other bits. Got to finish off a bit of my own application that intends to operate in the same way as this.

Chris
0
 
christiegroupAuthor Commented:
This is what i get for each address

http://intranet.domain.com/hr

Successful Network Logon:
       User Name:      USERNAME
       Domain:            DOMAIN
       Logon ID:            (0x0,0x9EE35E)
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM       
       Logon GUID:      -
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -

http://webserver.domain.com/hr

Description:
Successful Network Logon:
       User Name:      USERNAME
       Domain:            DOMAIN
       Logon ID:            (0x0,0x9E73D9)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos       
       Logon GUID:      {13fa1301-ce28-0bbb-fab6-d6eccd89a9e7}
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -

It uses NTLM for the alias but kerberos for webserver name.
0
 
Chris DentPowerShell DeveloperCommented:

Okay that makes sense then.

Can we just verify those Service Principal Names again.

Is this really how the SPN entries appear?

HTTP/intranet webserver
HTTP/intranet.domain.com webserver

What command did you use to add those?

Using SetSPN like this:

setspn -a HTTP/intranet webserver

Should have given you:

HTTP/intranet

Which the client uses to locate a server to send a Kerberos Ticket to.

Chris
0
 
christiegroupAuthor Commented:
These are all the spn's that are setup for the webserver.

HOST/webserver
HOST/webserver.domain.com
HTTP/intranet webserver
HTTP/intranet.domain.com
MSOLAPSvc/webserver
MSOLAPSvc/webserver.domain.com

Im not sure what the bottom 2 are for as i didn't put them there. The two HTTP entries I added manually using adsiedit.msc.

Anthony
0
 
christiegroupAuthor Commented:
that should have been HTTP/intranet.domain.com webserver
0
 
Chris DentPowerShell DeveloperCommented:

Ahh okay.

Remove the intranet SPN referencing the server name as well, it's not going to work (I should have spotted that earlier). Just figured you'd pasted in the part of the command you'd used to add them.

The SPN should match the service name accessed. It doesn't need the reference back to "webserver", that is implicit because of where the SPN is registered.

That should make the SPN entries:

HTTP/intranet
HTTP/intranet.domain.com

Chris
0
 
christiegroupAuthor Commented:
Your a star.

Works like a charm now.

Thanks for sticking with me.

Anthony
0
 
Chris DentPowerShell DeveloperCommented:

You're welcome, glad we got there in the end :)

Chris
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 7
  • 6
Tackle projects and never again get stuck behind a technical roadblock.
Join Now