Use Setspn for internal website to not require user credentials

One of our web developers is creating a new website for our customer service to access orders. Our current one requires a user to enter their domain username/password to access the site. With the new website he would like the browser to automatically use the current AD user credentials. I think I have the command formatted correctly. One thing I am unsure of is the NetBIOS name of the server... if I should also include the NetBIOS name of the domain or not. (Option 2a in this link is what he is trying to accomplish.)

internal url is
netbios name of IIS server is QA2008IIS
netbios domain name is domainname

The command I have is: Setspn -a http/ QA2008IIS

Is this the correct syntax for what he wants to accomplish? What about NetBIOS server name formatting? Should that be domainname\QA2008IIS or just QA2008IIS?
Asked by: Scott Larkins

Jeff Glover (Sr. Systems Administrator) commented:
Did you try just adding the site to the Intranet zone in IE?
Dan McFadden (Systems Engineer) commented:
1. When you run the following command, what is the output?

setspn -l QA2008IIS


2. What is the AppPool's Identity?
3. Assuming you are using "Windows Authentication," have you enabled Kernel-Mode Authentication?

The NetBIOS name of the server is the host name of the Fully Qualified Domain Name (FQDN).  So if the server's FQDN is, then the NetBIOS name is qa2008iis.

This means the SETSPN commands would be:

setspn -a HTTP/qa2008IIS
setspn -a HTTP/

But if you read through the article, the HOST category of the SPN registration includes HTTP, meaning this may not be needed.

Scott Larkins (Author) commented:
Do I need to run both setspn commands? I will have to find out from the developer what the app pool identity is and if kernel-mode authentication is enabled...

Registered ServicePrincipalNames for CN=QA2008IIS,CN=Computers,DC=domainname,DC=local:
        TERMSRV/QA2008IIS. domainname.local
        RestrictedKrbHost/QA2008IIS. domainname.local
        HOST/QA2008IIS. domainname.local

Dan McFadden (Systems Engineer) commented:
Based on the output from the SETSPN list command, you do not need to do anything.  As stated, the HOST entry contains/implies the HTTP entry.  But if you feel you must make the entries manually, then yes, you need to run both commands.

If you have access to the IIS Server, you can view those settings without the help of the DEV.

In IIS Manager:
1. Expand the navigation tree under the server object, select the "Application Pools" object.  This fills the center panel with the AppPools running on the server.  There is a column named "Identity"
2. Expand the Sites object in the navigation tree
3. Select the website in question.  This lists the site features, that are available, in the center panel.
4. Open the "Authentication" feature.  Make a note of the options that are enabled.
5. Select "Windows Authentication" and then, in the right-hand Actions panel, click "Advanced Settings..."  This will bring up the option to enable/disable Kernel-mode auth.  Make a note of its setting.

Can you post the results found?
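
The check described in the answer above, reading `setspn -l` output to see whether a host name already has HTTP coverage through the HOST alias, as an added PowerShell example (not part of the original thread). The sample output is constructed from the names in the thread; `orders.domainname.local` and both function names are hypothetical.

```powershell
# Constructed sample of `setspn -l QA2008IIS` output, modelled on the thread.
$setspnOutput = @'
Registered ServicePrincipalNames for CN=QA2008IIS,CN=Computers,DC=domainname,DC=local:
        TERMSRV/QA2008IIS.domainname.local
        RestrictedKrbHost/QA2008IIS.domainname.local
        HOST/QA2008IIS.domainname.local
        HOST/QA2008IIS
'@

# Names a user might type into the browser (the third one is hypothetical).
$siteNames = 'qa2008iis', 'qa2008iis.domainname.local', 'orders.domainname.local'

function Get-SpnFromSetspnOutput {
    param([string]$Text)
    # SPN lines are indented "class/host[:port]" entries; the unindented
    # "Registered ServicePrincipalNames for ..." header does not match.
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\s+(?<class>[^/\s]+)/(?<host>[^\s/:]+)') {
            [pscustomobject]@{ Class = $Matches['class']; HostName = $Matches['host'] }
        }
    }
}

function Test-HttpSpnCoverage {
    param([object[]]$Spns, [string]$HostName)
    # SPN comparison is case-insensitive, so HOST/QA2008IIS matches qa2008iis.
    $hits = @($Spns | Where-Object { $_.HostName -ieq $HostName })
    # An explicit HTTP/<name> entry is reported first.
    if ($hits | Where-Object { $_.Class -ieq 'HTTP' }) { return 'explicit HTTP SPN' }
    # Otherwise HOST/<name> covers HTTP: the default host= alias list in
    # Active Directory (sPNMappings) includes the http service class.
    if ($hits | Where-Object { $_.Class -ieq 'HOST' }) { return 'covered by HOST alias' }
    return 'no matching SPN on this account'
}

$spns = Get-SpnFromSetspnOutput -Text $setspnOutput
foreach ($name in $siteNames) {
    '{0,-28} {1}' -f $name, (Test-HttpSpnCoverage -Spns $spns -HostName $name)
}
```

When an explicit HTTP SPN is added for a name that is not covered, `setspn -S` verifies that no duplicate exists before adding it.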

Scott Larkins (Author) commented:
•      AppPool Identity: domainname\QA2008IIS$
•      Domain:

Kernel mode authentication is enabled
Dan McFadden (Systems Engineer) commented:
OK, so nothing looks too unusual.  But I would question why the AppPool is running with the Server Domain Account.  I would have expected (for Server 2008 or 2008R2) the Network Service ID.

Scott Larkins (Author) commented:
I posted what the dev gave me...looking in IIS manager...clicking application pools....under name column it shows PORTAL....under the identity says ApplicationPoolIdentity....
Dan McFadden (Systems Engineer) commented:
PORTAL is only the name of the AppPool and has no real significance other than an easy to read label.  An AppPool using "ApplicationPoolIdentity" as its Identity is what I would expect.  It is also the default setting.

Still, the server's SPNs are fine.  Unless otherwise told by the developer(s) that the AppPool config needs to be changed, then you are good to go.

Scott Larkins (Author) commented:
So running the 2 commands you listed

setspn -a HTTP/qa2008IIS
setspn -a HTTP/

would accomplish what I want to do... have the browser look at and use the credentials the domain user is logged into Windows with, so they would not be presented with a login prompt for the website?
Dan McFadden (Systems Engineer) commented:
As I stated twice now, the command is not necessary since the HOST entry contains the HTTP entry.

Without knowing how the DEVs are writing the code, I cannot say that this will resolve your issue.  Usually getting and using the logged in user's credentials is done in code.

Reference link:
Display the Name of the Current User  :

To be clear, I have never used an SPN to try to resolve the issue you are trying to solve.  I have only seen this done via ASP.NET code.

