How to name a SPN (part 2)

As you learned last time, the full syntax of an SPN is:

service class/host[:port[/service name]]

Today I will be talking about the port. The port number is an optional qualifier that you can use to ensure that the SPN is unique in the forest.

The default port number for an http request is 80 (and 443 for https). If you are using the default port number for your application, then you don't need to add the port number when you register the SPN, because Internet Explorer knows that the port number should be ignored when requesting a Kerberos ticket.

On the other hand, if you are using a different port number, e.g. 82, then everything becomes a bit trickier.

Let us for a moment ignore the fact that there is really no need for a special port on the HRWeb application, because Internet Information Server can use the host name in the binding and allow many applications to share port 80 side by side. Instead, let us assume that we are listening on port 82 and that we have registered the following two SPNs for the application (both point to the correct domain account for the application pool, and the web site is configured not to use Kernel mode authentication).

http/hrweb:82
http/hrweb.mydomain.com:82
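The registration step above, as an added example that is not part of the original post. It uses setspn -S, which refuses to add an SPN that is already registered elsewhere in the forest, because a duplicate SPN leaves the KDC unable to pick a key and clients then silently fall back to NTLM. The account name mydomain\hrwebact comes from the post; the assumption is that you run this on a domain-joined machine as a user allowed to write servicePrincipalName on that account.

```powershell
# Added example (not from the original post): register the two SPNs for the
# HRWeb application pool account, with a duplicate check before each add.
# Assumption: mydomain\hrwebact exists and the caller may edit its SPNs.
$account = 'mydomain\hrwebact'
$spns    = @('http/hrweb:82', 'http/hrweb.mydomain.com:82')

foreach ($spn in $spns) {
    # -S searches the forest for a duplicate first and aborts if one exists;
    # -A would add blindly and is how duplicates get created in the first place.
    setspn -S $spn $account
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "setspn reported a problem registering $spn (duplicate?)"
    }
}

# Show what is now registered on the account.
setspn -L $account

# Forest-wide scan for duplicate SPNs; for a healthy forest this prints none.
setspn -X
```

Run setspn -X periodically even after a clean registration: a later administrator registering http/hrweb for a different account is enough to break Kerberos for this application without any error on the server side.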

Next, the user (Joe) opens Internet Explorer on a domain-joined Windows client to view his current salary.

Sorry, but that doesn't work. At least not out of the box.

If you try, you will see the following error in Failed Request Tracing on IIS:

ModuleName ManagedPipelineHandler
Notification 128
HttpStatus 500
HttpReason Internal Server Error
HttpSubStatus 0
ErrorCode 0


The reason is that the default configuration for Internet Explorer does not include the port number when it is requesting a Kerberos ticket.

There are several ways to solve this, but you need to select the option that works best for you:

  • Register the SPN without the port number and share the application pool account. Example:
    • HRweb:82 is assigned application pool A (using mydomain\hrwebact as the application pool identity)
    • HRweb:83 is assigned application pool B (also using mydomain\hrwebact as the application pool identity)
  • Use a load-balancer that translates the hostname into a port number, use a dedicated hostname for each application, and register the SPN without the port number. Example:
    • HRweb:80 is translated by the load-balancer to *:82 on the web server (replace * with the actual IP address)
    • Training:80 is translated by the load-balancer to *:83 on the web server (replace * with the actual IP address)
  • Configure Internet Explorer to include the port number when requesting a Kerberos ticket

The last option is described in KB 908209 (it also applies to IE8 and IE9) as a registry key. You need to think twice before doing this because it is an all-or-nothing change: you cannot restrict it to only some applications, so every site Internet Explorer connects to from that machine will be requested with the port in the SPN.
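The registry change from the last option, as an added example that is not part of the original post. The key path and value name are what I recall KB 908209 documenting (an Internet Explorer feature-control key with a per-executable DWORD); treat them as an assumption and verify against the article before rolling this out. It must run in an elevated PowerShell prompt, and because it lives under HKLM it applies to every user and every site on that machine, which is exactly the all-or-nothing property the post warns about.

```powershell
# Added example (not from the original post): make Internet Explorer include
# the port number in the SPN it requests, per KB 908209.
# Assumption: key path and value name as documented in that KB; verify first.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209'
$valueName = 'iexplore.exe'

# Create the feature-control key if it does not exist yet.
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# 1 = include the port in the SPN for requests made by iexplore.exe.
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null

# Read the value back so the change is visible in the session log.
Get-ItemProperty -Path $keyPath -Name $valueName |
    Select-Object -ExpandProperty $valueName
```

Because the change is machine-wide, every SPN that Internet Explorer requests from that client now carries a port, so any application still registered only as http/hostname (no port) will stop getting Kerberos tickets from that machine; check setspn -L for each affected account before flipping the value.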