Solved

SPN - If HTTP, do I need to add all these URL's?

Posted on 2010-08-18
6
731 Views
Last Modified: 2012-06-21
I have a 2 node 2003 cluster of IIS6 and this web application.  The cluster is built, but I get periodic reports that authentication is not working.  So I send them to the server name rather than the VIP name and all is well.  

After some research, I find that I need to run setspn and add in all the URL's for this web app.  I think this is true, but I find that the Metadata.xml file is forcing them to use NTLM.  I thought that the SPN's are only to be set for all URL's if kerberos was the authentication type.

Please help me, we are having an office discussion about this and I am being told that I do not need this.

If this is not it, how can I troubleshoot the fact that IE is not passing the credentials always when using the VIP address rather than the URL to an individual server.

Thanks,
Stowy

0
Comment
Question by:stowyo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 33

Expert Comment

by:raterus
ID: 33465300
SPN's are only needed if your users are accessing the webserver using a fully qualified domain name

e.g.
http://intranet.mydomain.com

And yes, they work with Keberos authentication.  The authentication will try Keberos first, and if that fails, will resort to NTLM.

You also need a checkbox in IE checked "Enabled Integrated Windows Authentication", or it definitely won't use Keberos!
0
 
LVL 1

Author Comment

by:stowyo
ID: 33465516
So my question is this..   So I need to enter in ALL URL's that the users enter with this setspn tool?
0
 
LVL 33

Expert Comment

by:raterus
ID: 33465609
Only if they are fully qualified, but yes, if they are fully qualified, and you hope to use integrated windows authentication with it, you have to enter them.

Got the syntax of the command down?
setspn -a HOST/intranet.mydomain.com MYWEBSERVERNAME
setspn -a HTTP/intranet.mydomain.com MYWEBSERVERNAME



0
Percona Live Europe 2017 | Sep 25 - 27, 2017

The Percona Live Open Source Database Conference Europe 2017 is the premier event for the diverse and active European open source database community, as well as businesses that develop and use open source database software.

 
LVL 1

Author Comment

by:stowyo
ID: 33465657
when I do the setspn -l servername command, it should list all the URL's if they were entered correctly, right?
0
 
LVL 33

Accepted Solution

by:
raterus earned 500 total points
ID: 33465758
yes, you should see something spit out like I posted last.
0
 
LVL 1

Author Closing Comment

by:stowyo
ID: 33466528
Thank you!
0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Running classic asp applications under Windows Server 2008 R2 (x64) and IIS 7 is not as easy as one may think. It took me a while to figure it out while getting error 8002801d a few times. After you install the OS you will need to install the fol…
International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question