Todd Mostowy
asked on
SPN - If HTTP, do I need to add all these URLs?
I have a 2 node 2003 cluster of IIS6 and this web application. The cluster is built, but I get periodic reports that authentication is not working. So I send them to the server name rather than the VIP name and all is well.
After some research, I find that I need to run setspn and add in all the URLs for this web app. I think this is true, but I find that the Metadata.xml file is forcing them to use NTLM. I thought that the SPNs are only to be set for all URLs if Kerberos was the authentication type.
Please help me, we are having an office discussion about this and I am being told that I do not need this.
If this is not it, how can I troubleshoot the fact that IE is not always passing the credentials when using the VIP address rather than the URL to an individual server?
Thanks,
Stowy
ASKER
So my question is this: So I need to enter in ALL URLs that the users enter with this setspn tool?
Only if they are fully qualified, but yes, if they are fully qualified, and you hope to use integrated windows authentication with it, you have to enter them.
Got the syntax of the command down?
setspn -a HOST/intranet.mydomain.com MYWEBSERVERNAME
setspn -a HTTP/intranet.mydomain.com MYWEBSERVERNAME
ASKER
When I do the setspn -l servername command, it should list all the URLs if they were entered correctly, right?
ASKER
Thank you!
e.g.
http://intranet.mydomain.com
And yes, they work with Kerberos authentication. The authentication will try Kerberos first, and if that fails, will resort to NTLM.
You also need a checkbox in IE checked "Enabled Integrated Windows Authentication", or it definitely won't use Kerberos!
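
Added example, not part of the original thread: one way to do the `setspn -l` check asked about earlier, by comparing the listing against the URLs users actually type and printing the `setspn -a` lines still needed. The sample listing, the `portal.mydomain.com` name and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample of `setspn -l MYWEBSERVERNAME` output (not from the thread).
SAMPLE_LISTING = """\
Registered ServicePrincipalNames for CN=MYWEBSERVERNAME,CN=Computers,DC=mydomain,DC=com:
    HTTP/intranet.mydomain.com
    HOST/intranet.mydomain.com
    HOST/MYWEBSERVERNAME
    HOST/MYWEBSERVERNAME.mydomain.com
"""

def parse_setspn_listing(text):
    """Return the registered SPNs as a set of (SERVICE, host) pairs."""
    spns = set()
    for line in text.splitlines():
        entry = line.strip()
        # Skip blanks and the "Registered ServicePrincipalNames for ...:" header.
        if not entry or entry.endswith(":") or "/" not in entry:
            continue
        service, _, rest = entry.partition("/")
        host = rest.split("/")[0].split(":")[0]    # drop any :port or /suffix
        spns.add((service.upper(), host.lower()))  # SPN matching ignores case
    return spns

def missing_http_spns(urls, listing):
    """Hostnames from user-typed URLs that have no HTTP/<host> SPN in the listing."""
    registered = parse_setspn_listing(listing)
    missing = []
    for url in urls:
        host = urlsplit(url).hostname  # already lowercased, port removed
        if host and ("HTTP", host) not in registered and host not in missing:
            missing.append(host)
    return missing

def setspn_commands(hosts, account):
    """Build setspn -a lines, in the syntax shown in the thread, for each host."""
    return [f"setspn -a HTTP/{h} {account}" for h in hosts]

if __name__ == "__main__":
    # Constructed list of URLs users enter; portal.mydomain.com is hypothetical.
    urls = ["http://intranet.mydomain.com", "http://portal.mydomain.com/app"]
    for cmd in setspn_commands(missing_http_spns(urls, SAMPLE_LISTING), "MYWEBSERVERNAME"):
        print(cmd)
```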