Orchestrating Kerberos Authentication .... SPN Cheat Sheet

When it comes to orchestrating Kerberos authentication on IIS websites most people get it wrong when the question of Service Principal Names (SPN) comes up. Microsoft PSS gets a huge number of such issues.

When you set a SPN you are telling the Key Distribution Centre (KDC) that a service of this type and this name is being provided by this account and you can issue Kerberos tickets for it.

Here I have put together a table of the most common configuration scenarios and the SPNs that are required. I am assuming the NetBIOS name of your server is alpha and its FQDN is alpha.example.com. I am also assuming that you will use the setspn tool to set a particular SPN.

Scenario I

Website Application Pool Identity : Preconfigured Identity (Network Service/Local Service/Local System)

Website accessed with URL : https://alpha/

Theoretically you will need the two SPNs below. But you do not have to set them, as the computer account (alpha) already has the HOST/ SPN, which is a superset.

setspn -A HTTP/alpha alpha

setspn -A HTTP/alpha.example.com alpha

You do not have to explicitly set these as the alpha account already has a SPN HOST/alpha by default.

Scenario II

Website Application Pool Identity : Preconfigured Identity (Network Service/Local Service/Local System)

Website accessed with URL : https://www.example.com

setspn -A HTTP/www.example.com alpha

Note : This URL entry has to be an Host (A) Record in the DNS and not a CNAME.

Scenario III

Website Application Pool Identity : CustomDomainIdentity

Website accessed with URL : https://alpha/

setspn -A HTTP/alpha CustomDomainIdentity

setspn -A HTTP/alpha.example.com CustomDomainIdentity

Scenario IV

Website Application Pool Identity : CustomDomainIdentity

Website accessed with URL : https://www.example.com

setspn -A HTTP/www.example.com CustomDomainIdentity

Scenario V

Load Balanced Website on servers alpha and beta

Website Application Pool Identity : CustomDomainIdentity(Mandatory)

Website accessed with URL : https://www.example.com

setspn -A HTTP/www.example.com CustomDomainIdentity

If the website is accessed with the individual NetBIOS names, https://alpha/ and https://beta/ :

setspn -A HTTP/alpha CustomDomainIdentity

setspn -A HTTP/alpha.example.com CustomDomainIdentity

setspn -A HTTP/beta CustomDomainIdentity

setspn -A HTTP/beta.example.com CustomDomainIdentity

Note : The custom domain identity running the application pool has to be added to the IIS_WPG group.

Remember : Internet Explorer treats a URL with a dot in it as an Internet address. You have to explicitly tell IE to treat it as a Local Intranet website by adding it to the Local Intranet Zone.
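The five scenarios above are instances of one rule set: which account the pool identity maps to, whether the URL names the server itself (in which case the computer account's HOST/ SPN already covers it), and whether more than one server serves the name (in which case a domain account is mandatory because an SPN can only be registered on one account). The script below is an added example, not code from the original post: it encodes those rules, renders the setspn -A lines for a scenario, and checks a constructed snapshot of already-registered SPNs for the duplicate-SPN mistake that most often makes Kerberos fail and fall back to NTLM. The Scenario dataclass, the function names and the snapshot contents are my own assumptions; in practice the snapshot would come from running setspn -L against each account.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Built-in IIS identities present the server's computer account to the KDC
BUILTIN_IDENTITIES = {"Network Service", "Local Service", "Local System"}


@dataclass
class Scenario:
    servers: List[str]      # NetBIOS names of the IIS servers, e.g. ["alpha"]
    dns_suffix: str         # DNS suffix used to build FQDNs, e.g. "example.com"
    pool_identity: str      # a built-in identity or a custom domain account name
    url_hosts: List[str]    # host parts of the URLs clients actually type


def required_spns(s: Scenario) -> Dict[str, Set[str]]:
    """Return {account: {SPN, ...}} that must be registered for the scenario.

    Rules taken from the cheat sheet:
    * a built-in pool identity runs as the computer account, so SPNs go on
      that account; its default HOST/ SPN already covers HTTP/<netbios> and
      HTTP/<fqdn>, so a URL naming the server needs nothing extra;
    * a custom domain account needs every HTTP/ SPN set explicitly, and a
      URL naming a server needs both the short and the FQDN form;
    * a load-balanced site must use a custom account, because one SPN can
      live on only one account.
    """
    builtin = s.pool_identity in BUILTIN_IDENTITIES
    if builtin and len(s.servers) > 1:
        raise ValueError("load-balanced site requires a custom domain identity")

    plan: Dict[str, Set[str]] = {}
    for host in s.url_hosts:
        host = host.lower()
        server_match = next((srv for srv in s.servers if srv.lower() == host), None)
        names = [host, f"{host}.{s.dns_suffix}"] if server_match else [host]
        if builtin:
            if server_match:
                continue  # already covered by the computer account's HOST/ SPN
            account = s.servers[0]  # the computer account
        else:
            account = s.pool_identity
        plan.setdefault(account, set()).update(f"HTTP/{n}" for n in names)
    return plan


def setspn_commands(plan: Dict[str, Set[str]]) -> List[str]:
    """Render a plan as the setspn -A lines used throughout the cheat sheet."""
    return sorted(f"setspn -A {spn} {account}"
                  for account, spns in plan.items() for spn in spns)


def find_conflicts(existing: Dict[str, Set[str]],
                   plan: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (spn, planned_account, current_owner) for every planned SPN that
    is already registered on a different account. Adding it anyway would leave
    a duplicate SPN, which the KDC cannot resolve to a single service account."""
    owner = {spn.lower(): acct for acct, spns in existing.items() for spn in spns}
    conflicts = []
    for acct, spns in plan.items():
        for spn in spns:
            current = owner.get(spn.lower())
            if current is not None and current.lower() != acct.lower():
                conflicts.append((spn, acct, current))
    return sorted(conflicts)


if __name__ == "__main__":
    # Scenario V from the cheat sheet: two servers, one custom pool identity
    scenario_v = Scenario(["alpha", "beta"], "example.com", "CustomDomainIdentity",
                          ["www.example.com", "alpha", "beta"])
    plan = required_spns(scenario_v)
    for line in setspn_commands(plan):
        print(line)

    # Constructed snapshot of what setspn -L might show before the change:
    # someone earlier registered the HTTP SPN on beta's computer account.
    existing = {
        "alpha": {"HOST/alpha", "HOST/alpha.example.com"},
        "beta": {"HOST/beta", "HOST/beta.example.com", "HTTP/www.example.com"},
    }
    for spn, wanted, current in find_conflicts(existing, plan):
        print(f"CONFLICT: {spn} is on {current}; remove it before adding to {wanted}")
```

Run the conflict check before, not after, issuing the setspn -A lines: setspn -A does not refuse to create a duplicate, so a stale registration on a computer account is easy to miss until clients start falling back to NTLM.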
