Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

SPN - If HTTP, do I need to add all these URL's?

Posted on 2010-08-18
6
Medium Priority
?
733 Views
Last Modified: 2012-06-21
I have a 2 node 2003 cluster of IIS6 and this web application.  The cluster is built, but I get periodic reports that authentication is not working.  So I send them to the server name rather than the VIP name and all is well.  

After some research, I find that I need to run setspn and add in all the URL's for this web app.  I think this is true, but I find that the Metadata.xml file is forcing them to use NTLM.  I thought that the SPN's are only to be set for all URL's if kerberos was the authentication type.

Please help me, we are having an office discussion about this and I am being told that I do not need this.

If this is not it, how can I troubleshoot the fact that IE is not passing the credentials always when using the VIP address rather than the URL to an individual server.

Thanks,
Stowy

0
Comment
Question by:stowyo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 33

Expert Comment

by:raterus
ID: 33465300
SPN's are only needed if your users are accessing the webserver using a fully qualified domain name

e.g.
http://intranet.mydomain.com

And yes, they work with Keberos authentication.  The authentication will try Keberos first, and if that fails, will resort to NTLM.

You also need a checkbox in IE checked "Enabled Integrated Windows Authentication", or it definitely won't use Keberos!
0
 
LVL 1

Author Comment

by:stowyo
ID: 33465516
So my question is this..   So I need to enter in ALL URL's that the users enter with this setspn tool?
0
 
LVL 33

Expert Comment

by:raterus
ID: 33465609
Only if they are fully qualified, but yes, if they are fully qualified, and you hope to use integrated windows authentication with it, you have to enter them.

Got the syntax of the command down?
setspn -a HOST/intranet.mydomain.com MYWEBSERVERNAME
setspn -a HTTP/intranet.mydomain.com MYWEBSERVERNAME



0
Moving data to the cloud? Find out if you’re ready

Before moving to the cloud, it is important to carefully define your db needs, plan for the migration & understand prod. environment. This wp explains how to define what you need from a cloud provider, plan for the migration & what putting a cloud solution into practice entails.

 
LVL 1

Author Comment

by:stowyo
ID: 33465657
when I do the setspn -l servername command, it should list all the URL's if they were entered correctly, right?
0
 
LVL 33

Accepted Solution

by:
raterus earned 2000 total points
ID: 33465758
yes, you should see something spit out like I posted last.
0
 
LVL 1

Author Closing Comment

by:stowyo
ID: 33466528
Thank you!
0

Featured Post

Learn how to optimize MySQL for your business need

With the increasing importance of apps & networks in both business & personal interconnections, perfor. has become one of the key metrics of successful communication. This ebook is a hands-on business-case-driven guide to understanding MySQL query parameter tuning & database perf

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Running classic asp applications under Windows Server 2008 R2 (x64) and IIS 7 is not as easy as one may think. It took me a while to figure it out while getting error 8002801d a few times. After you install the OS you will need to install the fol…
A phishing scam that claims a recipient’s credit card details have been “suspended” is the latest trend in spoof emails.
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question