Solved

SPN - If HTTP, do I need to add all these URL's?

Posted on 2010-08-18
6
725 Views
Last Modified: 2012-06-21
I have a 2 node 2003 cluster of IIS6 and this web application.  The cluster is built, but I get periodic reports that authentication is not working.  So I send them to the server name rather than the VIP name and all is well.  

After some research, I find that I need to run setspn and add in all the URL's for this web app.  I think this is true, but I find that the Metadata.xml file is forcing them to use NTLM.  I thought that the SPN's are only to be set for all URL's if kerberos was the authentication type.

Please help me, we are having an office discussion about this and I am being told that I do not need this.

If this is not it, how can I troubleshoot the fact that IE is not passing the credentials always when using the VIP address rather than the URL to an individual server.

Thanks,
Stowy

0
Comment
Question by:stowyo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 33

Expert Comment

by:raterus
ID: 33465300
SPN's are only needed if your users are accessing the webserver using a fully qualified domain name

e.g.
http://intranet.mydomain.com

And yes, they work with Keberos authentication.  The authentication will try Keberos first, and if that fails, will resort to NTLM.

You also need a checkbox in IE checked "Enabled Integrated Windows Authentication", or it definitely won't use Keberos!
0
 
LVL 1

Author Comment

by:stowyo
ID: 33465516
So my question is this..   So I need to enter in ALL URL's that the users enter with this setspn tool?
0
 
LVL 33

Expert Comment

by:raterus
ID: 33465609
Only if they are fully qualified, but yes, if they are fully qualified, and you hope to use integrated windows authentication with it, you have to enter them.

Got the syntax of the command down?
setspn -a HOST/intranet.mydomain.com MYWEBSERVERNAME
setspn -a HTTP/intranet.mydomain.com MYWEBSERVERNAME



0
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

 
LVL 1

Author Comment

by:stowyo
ID: 33465657
when I do the setspn -l servername command, it should list all the URL's if they were entered correctly, right?
0
 
LVL 33

Accepted Solution

by:
raterus earned 500 total points
ID: 33465758
yes, you should see something spit out like I posted last.
0
 
LVL 1

Author Closing Comment

by:stowyo
ID: 33466528
Thank you!
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you don't have the right permissions set for your WordPress location in IIS, you won't be able to perform automatic updates. Here's how to fix the problem.
As tax season makes its return, so does the increase in cyber crime and tax refund phishing that comes with it
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question