Solved

SPN - If HTTP, do I need to add all these URL's?

Posted on 2010-08-18
6
724 Views
Last Modified: 2012-06-21
I have a 2 node 2003 cluster of IIS6 and this web application.  The cluster is built, but I get periodic reports that authentication is not working.  So I send them to the server name rather than the VIP name and all is well.  

After some research, I find that I need to run setspn and add in all the URL's for this web app.  I think this is true, but I find that the Metadata.xml file is forcing them to use NTLM.  I thought that the SPN's are only to be set for all URL's if kerberos was the authentication type.

Please help me, we are having an office discussion about this and I am being told that I do not need this.

If this is not it, how can I troubleshoot the fact that IE is not passing the credentials always when using the VIP address rather than the URL to an individual server.

Thanks,
Stowy

0
Comment
Question by:stowyo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 33

Expert Comment

by:raterus
ID: 33465300
SPN's are only needed if your users are accessing the webserver using a fully qualified domain name

e.g.
http://intranet.mydomain.com

And yes, they work with Keberos authentication.  The authentication will try Keberos first, and if that fails, will resort to NTLM.

You also need a checkbox in IE checked "Enabled Integrated Windows Authentication", or it definitely won't use Keberos!
0
 
LVL 1

Author Comment

by:stowyo
ID: 33465516
So my question is this..   So I need to enter in ALL URL's that the users enter with this setspn tool?
0
 
LVL 33

Expert Comment

by:raterus
ID: 33465609
Only if they are fully qualified, but yes, if they are fully qualified, and you hope to use integrated windows authentication with it, you have to enter them.

Got the syntax of the command down?
setspn -a HOST/intranet.mydomain.com MYWEBSERVERNAME
setspn -a HTTP/intranet.mydomain.com MYWEBSERVERNAME



0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 1

Author Comment

by:stowyo
ID: 33465657
when I do the setspn -l servername command, it should list all the URL's if they were entered correctly, right?
0
 
LVL 33

Accepted Solution

by:
raterus earned 500 total points
ID: 33465758
yes, you should see something spit out like I posted last.
0
 
LVL 1

Author Closing Comment

by:stowyo
ID: 33466528
Thank you!
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Lync server 2013 or Skype for business Backup Service Error ID 4049 – After File Share Migration
International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question