SPNs Demystified!

IIS 6.0, IIS 7.0, IIS 7.5

The changes to Kerberos configuration in IIS 7.x (kernel-mode authentication) make it fairly easy to configure Kerberos on IIS. At the same time, it is critical for server admins to understand the implications of this. SPNs are one of those areas.

Here is a matrix of all SPN scenarios in the context of IIS 6.0 and IIS 7.x. This should make life a little easier when deciding which SPNs we really need.

 

| Application Pool Identity | WebSite URL | Kernel Mode Authentication | Additional SPN Needed | Active Directory SPN Settings |
|---|---|---|---|---|
| NetworkService or LocalSystem | AD FQDN or Netbios Name | OFF | No | Object server: HOST/FQDN, HOST/Netbiosname |
| NetworkService or LocalSystem | AD FQDN or Netbios Name | ON | No | Object server: HOST/FQDN, HOST/Netbiosname |
| NetworkService or LocalSystem | DNS Alias | OFF | SETSPN -A HTTP/DNSAlias Netbiosname | Object server: HOST/FQDN, HOST/Netbiosname, HTTP/DNSAlias |
| NetworkService or LocalSystem | DNS Alias | ON | SETSPN -A HTTP/DNSAlias Netbiosname | Object server: HOST/FQDN, HOST/Netbiosname, HTTP/DNSAlias |
| Domain User | AD FQDN or Netbios Name | OFF | SETSPN -A HTTP/FQDN Domain\User; SETSPN -A HTTP/Netbios Domain\User | Object server: HOST/FQDN, HOST/Netbiosname; Object User: HTTP/FQDN, HTTP/Netbiosname |
| Domain User | AD FQDN or Netbios Name | ON | No | Object server: HOST/FQDN, HOST/Netbiosname |
| Domain User | DNS Alias | OFF | SETSPN -A HTTP/DNSAlias Domain\User | Object server: HOST/FQDN, HOST/Netbiosname; Object User: HTTP/DNSAlias |
| Domain User | DNS Alias | ON | SETSPN -A HTTP/DNSAlias Netbiosname | Object server: HOST/FQDN, HOST/Netbiosname, HTTP/DNSAlias |

 

Notes -

 

1. Be wary of the useAppPoolCredentials flag! This is critical.

Setting this on (useAppPoolCredentials=true) is as good as disabling kernel-mode authentication: use the rows of the matrix where Kernel Mode Authentication is OFF.

For when and how to set it, refer to https://technet.microsoft.com/en-us/library/dd573004(office.13).aspx

 

<system.webServer>
   <security>
      <authentication>
         <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
      </authentication>
   </security>
</system.webServer>

 

 

2. For IIS 6 settings, refer to the rows where Kernel Mode Authentication is OFF.

 

3. In a double-hop scenario, verify that the Domain User is marked “Trust this User for delegation to any service”:

  Active Directory Users and Computers MMC\UserAccount\Properties\Delegation Tab\

 

4. Use the new SETSPN tool to find duplicate SPNs.

Simply run: setspn -x

 

5. Be careful when including a port in SPNs. Default ports don’t need to be added.

E.g. ports 80, 443 and 21, which are the default ports for TCP, SSL and FTP respectively, don’t need to be added.
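
The matrix, together with notes 1 and 2, reduces to one question: which account decrypts the Kerberos ticket. The PowerShell function below is an added example, not code from the original post; Get-IisSpnPlan, its parameters and the CONTOSO sample names are hypothetical.

```powershell
# Added example: derives the matrix rows from one rule (which account decrypts the ticket).
# Get-IisSpnPlan and every sample name below are hypothetical / constructed.
function Get-IisSpnPlan {
    param(
        [Parameter(Mandatory)][ValidateSet('BuiltIn', 'DomainUser')][string]$PoolIdentity,
        [Parameter(Mandatory)][string[]]$SiteName,      # host names clients type in the URL
        [Parameter(Mandatory)][string]$MachineNetbios,
        [Parameter(Mandatory)][string]$MachineFqdn,
        [string]$DomainUser,                            # e.g. CONTOSO\svc-web
        [bool]$KernelMode = $true,
        [bool]$UseAppPoolCredentials = $false,
        [switch]$Iis6
    )
    if ($PoolIdentity -eq 'DomainUser' -and -not $DomainUser) {
        throw 'DomainUser is required when PoolIdentity is DomainUser.'
    }

    # Notes 1 and 2: IIS 6 and useAppPoolCredentials=true are treated as kernel mode OFF.
    $effectiveKernelMode = $KernelMode -and -not $UseAppPoolCredentials -and -not $Iis6

    # Only a domain-user pool with kernel mode effectively OFF holds the HTTP SPNs itself;
    # in every other row of the matrix they belong to the server (machine) object.
    $onUser  = ($PoolIdentity -eq 'DomainUser') -and -not $effectiveKernelMode
    $account = if ($onUser) { $DomainUser } else { $MachineNetbios }

    $commands = @(foreach ($name in $SiteName) {
        # HOST/FQDN and HOST/Netbiosname on the server object already cover the
        # machine's own names, so those rows need no additional SPN.
        $isMachineName = $name -in @($MachineNetbios, $MachineFqdn)   # case-insensitive
        if ($isMachineName -and -not $onUser) { continue }
        # -A as used in the matrix; setspn -S adds only after checking for duplicates.
        "setspn -A HTTP/$name $account"
    })

    [pscustomobject]@{
        EffectiveKernelMode = $effectiveKernelMode
        SpnAccount          = $account
        Commands            = $commands
    }
}

# Constructed sample: domain-user pool behind a DNS alias, kernel mode ON (last matrix row).
$plan = Get-IisSpnPlan -PoolIdentity DomainUser -DomainUser 'CONTOSO\svc-web' `
    -SiteName 'intranet.contoso.example' `
    -MachineNetbios 'WEB01' -MachineFqdn 'web01.contoso.example'
$plan.Commands
```

Re-running the same call with -UseAppPoolCredentials $true moves the SPN from WEB01 to CONTOSO\svc-web, which is the situation note 1 warns about.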

 

References:

 

Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5:
https://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx

How to use SPNs when you configure Web applications that are hosted on Internet Information Services:
https://support.microsoft.com/kb/929650