?
Solved

SPN - If HTTP, do I need to add all these URL's?

Posted on 2010-08-18
6
Medium Priority
?
740 Views
Last Modified: 2012-06-21
I have a 2 node 2003 cluster of IIS6 and this web application.  The cluster is built, but I get periodic reports that authentication is not working.  So I send them to the server name rather than the VIP name and all is well.  

After some research, I find that I need to run setspn and add in all the URL's for this web app.  I think this is true, but I find that the Metadata.xml file is forcing them to use NTLM.  I thought that the SPN's are only to be set for all URL's if kerberos was the authentication type.

Please help me, we are having an office discussion about this and I am being told that I do not need this.

If this is not it, how can I troubleshoot the fact that IE is not passing the credentials always when using the VIP address rather than the URL to an individual server.

Thanks,
Stowy

0
Comment
Question by:stowyo
  • 3
  • 3
6 Comments
 
LVL 33

Expert Comment

by:raterus
ID: 33465300
SPN's are only needed if your users are accessing the webserver using a fully qualified domain name

e.g.
http://intranet.mydomain.com

And yes, they work with Keberos authentication.  The authentication will try Keberos first, and if that fails, will resort to NTLM.

You also need a checkbox in IE checked "Enabled Integrated Windows Authentication", or it definitely won't use Keberos!
0
 
LVL 1

Author Comment

by:stowyo
ID: 33465516
So my question is this..   So I need to enter in ALL URL's that the users enter with this setspn tool?
0
 
LVL 33

Expert Comment

by:raterus
ID: 33465609
Only if they are fully qualified, but yes, if they are fully qualified, and you hope to use integrated windows authentication with it, you have to enter them.

Got the syntax of the command down?
setspn -a HOST/intranet.mydomain.com MYWEBSERVERNAME
setspn -a HTTP/intranet.mydomain.com MYWEBSERVERNAME



0
Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
LVL 1

Author Comment

by:stowyo
ID: 33465657
when I do the setspn -l servername command, it should list all the URL's if they were entered correctly, right?
0
 
LVL 33

Accepted Solution

by:
raterus earned 2000 total points
ID: 33465758
yes, you should see something spit out like I posted last.
0
 
LVL 1

Author Closing Comment

by:stowyo
ID: 33466528
Thank you!
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

IntroductionWhile developing web applications, a single page might contain many regions and each region might contain many number of controls with the capability to perform  postback. Many times you might need to perform some action on an ASP.NET po…
Prologue It is often required to host multiple websites on a single instance of IIS, mostly in development environments instead of on production servers. I am sure it is not much a preferred solution on production servers but this is at least a pos…
Watch the video of Kernel Migrator for SharePoint, which demonstrate the process easily of migration from SharePoint to SharePoint, OneDrive for Business & Google Drive servers, Public Folder to SharePoint, File Server to SharePoint. The tool has va…
From store locators to asset tracking and route optimization, learn how leading companies are using Google Maps APIs throughout the customer journey to increase checkout conversions, boost user engagement, and optimize order fulfillment. Powered …

590 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question