Use Setspn for internal website to not require user credentials

One of our web developers is creating a new website for our customer service to access orders. Our current one requires a user to enter their domain username/password to access the site. With the new website he would like the browser to automatically use the current AD user credentials. I think I have the command formatted correctly. One thing I am unsure of is the NetBIOS name of the server... whether I should also include the NetBIOS name of the domain or not. (Option 2a in this link is what he is trying to accomplish: https://blogs.msdn.microsoft.com/webtopics/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-07-5/ )

Internal URL is orders.example.com
NetBIOS name of the IIS server is QA2008IIS
NetBIOS domain name is domainname

The command I have is: setspn -a http/orders.example.com QA2008IIS

Is this the correct syntax for what he wants to accomplish? What about the NetBIOS server name formatting? Should that be domainname\QA2008IIS or just QA2008IIS?
Scott Larkins asked:

Dan McFadden, Systems Engineer, commented:
As I stated twice now, the command is not necessary since the HOST entry contains the HTTP entry.

Without knowing how the DEVs are writing the code, I cannot say that this will resolve your issue.  Usually getting and using the logged in user's credentials is done in code.

Reference link:
Display the Name of the Current User  :  https://msdn.microsoft.com/en-us/library/ms178344.aspx?f=255&MSPPError=-2147217396

To be clear, I have never used an SPN to try to resolve the issue you are trying to solve.  I have only seen this done via ASP.NET code.

Dan
0
 
Jeff Glover, Sr. Systems Administrator, commented:
Did you try just adding the site to the Intranet zone in IE?
0
 
Dan McFadden, Systems Engineer, commented:
1. When you run the following command, what is the output?

setspn -l QA2008IIS


2. What is the AppPool's Identity?
3. Assuming you are using "Windows Authentication," have you enabled Kernel-Mode Authentication?

The NetBIOS name of the server is the host name of the Fully Qualified Domain Name (FQDN).  So if the server's FQDN is qa2008IIS.domain.com, then the NetBIOS name is qa2008iis.

This means the SETSPN commands (SPN followed by the account that holds it, here the computer account) would be:

setspn -a HTTP/qa2008IIS QA2008IIS
setspn -a HTTP/qa2008IIS.domain.com QA2008IIS

But if you read through the article, the HOST category of the SPN registration includes HTTP, meaning this may not be needed.

Dan
0
Scott Larkins, Author, commented:
Do I need to run both setspn commands? I will have to find out from the developer what the app pool identity is and if Kernel mode authentication is enabled....

Registered ServicePrincipalNames for CN=QA2008IIS,CN=Computers,DC=domainname,DC=local:
        TERMSRV/QA2008IIS
        TERMSRV/QA2008IIS.domainname.local
        WSMAN/QA2008IIS
        WSMAN/QA2008IIS.domainname.local
        RestrictedKrbHost/QA2008IIS
        HOST/QA2008IIS
        RestrictedKrbHost/QA2008IIS.domainname.local
        HOST/QA2008IIS.domainname.local
0
 
Dan McFadden, Systems Engineer, commented:
Based on the output from the SETSPN list command, you do not need to do anything.  As stated, the HOST entry contains/implies the HTTP entry.  But if you feel you must make the entries manually, then yes, you need to run both commands.

If you have access to the IIS Server, you can view those settings without the help of the DEV.

In IIS Manager:
1. Expand the navigation tree under the server object and select the "Application Pools" object.  This fills the center panel with the AppPools running on the server.  There is a column named "Identity".
2. Expand the Sites object in the navigation tree.
3. Select the website in question.  This lists the site features that are available in the center panel.
4. Open the "Authentication" feature.  Make a note of the options that are enabled.
5. Select "Windows Authentication" and then, in the right-hand Actions panel, click "Advanced Settings..."  This will bring up the option to enable/disable Kernel-mode auth.  Make a note of its setting.

Can you post the results found?

Dan
0
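The same five IIS Manager steps can be read from PowerShell, which also makes explicit the conclusion they feed into: which AD account must hold the HTTP SPN for the service ticket to be decryptable. The script below is an added example and not code from the thread; it assumes the WebAdministration module that ships with IIS 7 and later, and the site and app pool names are placeholders to replace with your own.

```powershell
# Added example (not from the thread): read-only PowerShell equivalent of the
# IIS Manager steps, plus the account that has to own the HTTP SPN.
# Assumes the WebAdministration module (IIS 7+). Names are placeholders.
Import-Module WebAdministration

$SiteName    = 'PORTAL'   # placeholder: the site's name in IIS Manager
$AppPoolName = 'PORTAL'   # placeholder: the app pool's name

function Get-IisKerberosReadiness {
    param([string]$Site, [string]$AppPool)

    # Step 1: the "Identity" column of the Application Pools list.
    $pm = Get-ItemProperty -Path "IIS:\AppPools\$AppPool" -Name processModel
    $identityType = [string]$pm.identityType   # ApplicationPoolIdentity, NetworkService, LocalSystem, LocalService, SpecificUser
    $identityUser = [string]$pm.userName       # populated only for SpecificUser

    # Steps 3-5: the site's Authentication feature and its Advanced Settings.
    function Read-AuthSetting([string]$Section, [string]$Name) {
        $filter = "system.webServer/security/authentication/$Section"
        [bool](Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" -Filter $filter -Name $Name).Value
    }
    $anonymousEnabled = Read-AuthSetting 'anonymousAuthentication' 'enabled'
    $windowsEnabled   = Read-AuthSetting 'windowsAuthentication'   'enabled'
    $kernelMode       = Read-AuthSetting 'windowsAuthentication'   'useKernelMode'
    $appPoolCreds     = Read-AuthSetting 'windowsAuthentication'   'useAppPoolCredentials'

    # The KDC encrypts the service ticket with the key of the account that owns
    # the SPN, and IIS can only decrypt it with matching credentials:
    #  - kernel-mode auth uses the computer account, unless useAppPoolCredentials is set;
    #  - user-mode auth uses the app pool identity;
    #  - every built-in identity (ApplicationPoolIdentity, NetworkService, ...)
    #    presents the computer account on the network anyway.
    $computerAccount = "$env:COMPUTERNAME" + '$'
    $spnAccount = if ($identityType -eq 'SpecificUser' -and ($appPoolCreds -or -not $kernelMode)) {
        $identityUser
    } else {
        $computerAccount
    }

    [pscustomobject]@{
        Site                  = $Site
        AppPool               = $AppPool
        IdentityType          = $identityType
        IdentityUser          = $identityUser
        AnonymousAuthEnabled  = $anonymousEnabled
        WindowsAuthEnabled    = $windowsEnabled
        KernelModeAuth        = $kernelMode
        UseAppPoolCredentials = $appPoolCreds
        SpnMustBeOnAccount    = $spnAccount
        # With anonymous and Windows auth both enabled, IIS serves the request
        # anonymously unless the application itself demands an authenticated
        # user, so "no prompt" alone does not prove Kerberos is in use.
        Note = if ($anonymousEnabled -and $windowsEnabled) {
            'Anonymous and Windows auth are both enabled; disable anonymous to force the challenge.'
        } else { $null }
    }
}

Get-IisKerberosReadiness -Site $SiteName -AppPool $AppPoolName | Format-List
```

Run it in an elevated PowerShell on the IIS server. For the configuration reported in this thread (ApplicationPoolIdentity, kernel-mode auth on) SpnMustBeOnAccount comes out as the computer account, which is the account the setspn -L listing above was taken from.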
 
Scott Larkins, Author, commented:
• AppPool Identity: domainname\QA2008IIS$
• Domain: qa-portal.example.com

Kernel mode authentication is enabled
0
 
Dan McFadden, Systems Engineer, commented:
OK, so nothing looks too unusual.  But I would question why the AppPool is running with the Server Domain Account.  I would have expected (for Server 2008 or 2008R2) the Network Service ID.

Dan
0
 
Scott Larkins, Author, commented:
I posted what the dev gave me... looking in IIS Manager... clicking Application Pools... under the Name column it shows PORTAL... under the Identity column it says ApplicationPoolIdentity....
0
 
Dan McFadden, Systems Engineer, commented:
PORTAL is only the name of the AppPool and has no real significance other than an easy to read label.  An AppPool using "ApplicationPoolIdentity" as its Identity is what I would expect.  It is also the default setting.

Still, the server's SPNs are fine.  Unless otherwise told by the developer(s) that the AppPool config needs to be changed, then you are good to go.

Dan
0
 
Scott Larkins, Author, commented:
So running the 2 commands you listed

setspn -a HTTP/qa2008IIS QA2008IIS
setspn -a HTTP/qa2008IIS.domain.com QA2008IIS

would accomplish what I want to do... have the browser look at and use the domain user's credentials they are logged into Windows with, so they would not be presented with a login prompt for the website?
0
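The thread turns on whether the SPNs already on the computer account satisfy a request for the site. A HOST SPN is a class alias, so HTTP/QA2008IIS is indeed served by HOST/QA2008IIS, but only for that exact name: a different DNS name such as the URL users type needs its own HTTP SPN on the account that decrypts the ticket. The function below is an added example, not code from the thread; it takes the output of setspn -L and reports whether a given site host name is covered, using a sample constructed from the listing posted earlier.

```powershell
# Added example (not from the thread): decide whether an HTTP SPN for a given
# site host name is already satisfied by an account's registered SPNs.
# Input is the line output of `setspn -L <account>`.
function Test-HttpSpnCoverage {
    param(
        [Parameter(Mandatory)][string]$SiteHost,      # host part of the URL users browse to
        [Parameter(Mandatory)][string[]]$SetspnLines  # lines printed by setspn -L
    )
    # Keep only "class/host[:port]" lines; the "Registered ..." header has no slash at its start.
    $spns = foreach ($line in $SetspnLines) {
        $t = $line.Trim()
        if ($t -match '^(?<class>[^/\s]+)/(?<host>[^:\s]+)(?::(?<port>\d+))?$') {
            [pscustomobject]@{ Class = $Matches['class']; Host = $Matches['host']; Port = $Matches['port'] }
        }
    }
    # An explicit HTTP SPN for the name always wins.
    $explicit = @($spns | Where-Object { $_.Class -ieq 'HTTP' -and $_.Host -ieq $SiteHost })
    # Otherwise the KDC maps HTTP/<name> onto HOST/<name>, for that exact name only.
    $viaHost  = @($spns | Where-Object { $_.Class -ieq 'HOST' -and $_.Host -ieq $SiteHost })
    $covered  = ($explicit.Count -gt 0) -or ($viaHost.Count -gt 0)

    [pscustomobject]@{
        SiteHost  = $SiteHost
        Covered   = $covered
        CoveredBy = if ($explicit.Count) { "HTTP/$($explicit[0].Host)" }
                    elseif ($viaHost.Count) { "HOST/$($viaHost[0].Host)" }
                    else { $null }
        NeededSpn = if ($covered) { $null } else { "HTTP/$SiteHost" }
    }
}

# Constructed sample: the computer account's SPNs as listed in the thread.
# On a live server use:  $sample = setspn -L QA2008IIS
$sample = @'
Registered ServicePrincipalNames for CN=QA2008IIS,CN=Computers,DC=domainname,DC=local:
        TERMSRV/QA2008IIS
        TERMSRV/QA2008IIS.domainname.local
        WSMAN/QA2008IIS
        WSMAN/QA2008IIS.domainname.local
        RestrictedKrbHost/QA2008IIS
        HOST/QA2008IIS
        RestrictedKrbHost/QA2008IIS.domainname.local
        HOST/QA2008IIS.domainname.local
'@ -split "`r?`n"

# The server's own names are covered through the HOST entries ...
Test-HttpSpnCoverage -SiteHost 'qa2008iis.domainname.local' -SetspnLines $sample
# ... but the name users actually browse to is not, so it needs an explicit SPN.
Test-HttpSpnCoverage -SiteHost 'orders.example.com' -SetspnLines $sample
```

When NeededSpn is reported, register it on the account that decrypts the ticket (the computer account with kernel-mode auth and a built-in app pool identity; the app pool's domain user otherwise), and check first with setspn -Q HTTP/orders.example.com that no other account in the forest already holds it, since a duplicate SPN makes the KDC unable to issue a usable ticket. Without a matching SPN the browser silently falls back to NTLM, which still avoids a prompt for sites in the Intranet zone, so the absence of a prompt is not evidence that Kerberos is working.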
Question has a verified solution.
