How to configure SPN for IIS website under NLB setup

I ran into this Kerberos issue a few times and it prompted me to write this blog post.

Symptoms

You run into one of the following errors:

"The request failed with HTTP status 401: Unauthorized" or 401.2

You have already verified the following:

1) The web site is configured for Integrated Authentication

2) The website is configured to use Negotiate by configuring NTAuthenticationProviders

3) IE is configured to use Integrated Authentication

4) The DelegConfig tool reports that the SPN configuration is valid

5) Valid SPNs are set for the URL

Cause

The most common cause of Kerberos issues is an invalid or duplicate SPN setup, and this case is no different.

The URL (host header) used to browse the website is test-web01.mycompany.net, and the SPNs for the website were configured for test-web01.mycompany.net. However, when we resolve this FQDN it resolves to "test-web01.something.test.mycompany.net", so in this case the SPN needed to be set for "test-web01.something.test.mycompany.net".

It is important to configure the SPN for the name the host header resolves to, not for the name used to browse the website. The following is an example:

Website URL: www.abc.com
HostHeader : www.abc.com

Ping www.abc.com and note the name it resolves to. In some NLB scenarios, because of custom requirements, customers have an alias configured for www.abc.com, so pinging www.abc.com actually resolves to www.xyz.com because of the DNS configuration. In this case the SPNs need to be set for www.xyz.com, not for www.abc.com.

Resolution

For this specific case, we removed the existing SPNs and added the SPN for "test-web01.something.test.mycompany.net" with the following command:

setspn -a HTTP/test-web01.something.test.mycompany.net Testdomain\ServiceUser

Note: The HTTP service class differs from the HTTP protocol. Both the HTTP protocol and the HTTPS protocol use the HTTP service class. The service class is the string that identifies the general class of service. Well-known service class names include "www" for a Web service and "ldap" for a directory service.
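The resolution step and the SPN registration described above can be done in one pass. The following PowerShell is an added example, not code from the original post; the host header and service account are placeholder values, Resolve-DnsName needs the DnsClient module (Windows 8 / Server 2012 and later), and it uses setspn -S, which refuses to add a duplicate SPN, instead of the plain -a used above.

```powershell
# Added example: find the canonical name a host header resolves to (following
# the CNAME chain), check whether an HTTP SPN for it already exists anywhere in
# the forest, and only then register it. Values below are assumed placeholders.
param(
    [string]$HostHeader     = 'www.abc.com',            # name users browse (assumed)
    [string]$ServiceAccount = 'Testdomain\ServiceUser'  # app pool identity (assumed)
)

# The SPN must match the final canonical name, not the alias users type in.
function Get-CanonicalName {
    param([string]$Name)
    $seen    = @{}
    $current = $Name.TrimEnd('.')
    while (-not $seen.ContainsKey($current)) {
        $seen[$current] = $true
        $cname = Resolve-DnsName -Name $current -Type CNAME -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        if (-not $cname) { return $current }   # no further alias: this is the real name
        $current = $cname.NameHost.TrimEnd('.')
    }
    throw "CNAME loop detected starting at $Name"
}

$target = Get-CanonicalName -Name $HostHeader
$spn    = "HTTP/$target"
Write-Host "Host header $HostHeader resolves to $target; required SPN is $spn"

# A duplicate SPN (same SPN on two accounts) breaks Kerberos just like a missing one.
# setspn -Q searches the forest for any account that already holds this SPN.
$existing = & setspn.exe -Q $spn
Write-Host ($existing -join "`n")

if ($existing -match 'Existing SPN found') {
    Write-Warning "SPN $spn is already registered; confirm it belongs to $ServiceAccount before changing anything."
} else {
    # -S verifies there is no duplicate before adding; -L afterwards shows the account's SPNs.
    & setspn.exe -S $spn $ServiceAccount
    & setspn.exe -L $ServiceAccount
}
```

Run it on a domain-joined machine with rights to modify the service account; if the host header is a CNAME to an NLB name, the printed target is the name that must carry the SPN.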


References

How to use SPNs when you configure Web applications that are hosted on IIS 6.0

https://support.microsoft.com/kb/929650


Kerberos SPN Viewer and Helper Tool Sample

https://blogs.msdn.com/sansom/archive/2009/10/12/kerberos-spn-viewer-and-helper-tool-sample.aspx