Orchestrating Kerberos Authentication .... SPN Cheat Sheet
When it comes to orchestrating Kerberos authentication on IIS websites most people get it wrong when the question of Service Principal Names (SPN) comes up. Microsoft PSS gets a huge number of such issues.
When you set an SPN you are telling the Key Distribution Centre (KDC) that a service of this type and this name is provided by this account, so the KDC can issue Kerberos tickets for it.
Here I have put together a table of the most common configuration scenarios and the SPNs that are required. I am assuming the NetBIOS name of your server is alpha and its FQDN is alpha.example.com. I am also assuming that you will use the setspn tool to set a particular SPN.
Scenario I
Website Application Pool Identity : Preconfigured Identity (Network Service/Local Service/Local System)
Website accessed with URL : https://alpha/
Theoretically you will need the two SPNs below. But you do not have to set them, as the machine account for alpha will already have the HOST/alpha SPN, which is a superset.
setspn -A HTTP/alpha alpha
setspn -A HTTP/alpha.example.com alpha
You do not have to explicitly set these as the alpha account already has a SPN HOST/alpha by default.
Scenario II
Website Application Pool Identity : Preconfigured Identity (Network Service/Local Service/Local System)
Website accessed with URL : https://www.example.com
setspn -A HTTP/www.example.com alpha
Note : This URL entry has to be a Host (A) record in DNS and not a CNAME.
Scenario III
Website Application Pool Identity : CustomDomainIdentity
Website accessed with URL : https://alpha/
setspn -A HTTP/alpha CustomDomainIdentity
setspn -A HTTP/alpha.example.com CustomDomainIdentity
Scenario IV
Website Application Pool Identity : CustomDomainIdentity
Website accessed with URL : https://www.example.com
setspn -A HTTP/www.example.com CustomDomainIdentity
Scenario V
Load Balanced Website on servers alpha and beta
Website Application Pool Identity : CustomDomainIdentity(Mandatory)
Website accessed with URL : https://www.example.com
setspn -A HTTP/www.example.com CustomDomainIdentity
If the website is accessed with the individual NetBIOS names : https://alpha/ or https://beta/
setspn -A HTTP/alpha CustomDomainIdentity
setspn -A HTTP/alpha.example.com CustomDomainIdentity
setspn -A HTTP/beta CustomDomainIdentity
setspn -A HTTP/beta.example.com CustomDomainIdentity
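The five scenarios above follow one rule set, so here it is as a small planner that turns a site's URLs, servers and pool identity into the setspn commands. This is an added example, not part of the original cheat sheet; the function names, the ValueError for a farm on built-in identities (an SPN can be registered on only one account), and the inputs in the usage block are my own assumptions.

```python
from urllib.parse import urlparse

# Built-in application pool identities authenticate as the machine account.
PRECONFIGURED = {"Network Service", "Local Service", "Local System"}


def required_spns(url, servers, domain, pool_identity):
    """Return the (spn, account) pairs the cheat sheet requires for a site
    reached at `url`, hosted on the NetBIOS `servers` in `domain` and
    running under `pool_identity`. An empty list means the machine
    account's default HOST/<server> SPN already covers the request."""
    host = urlparse(url).hostname.lower()
    builtin = pool_identity in PRECONFIGURED
    fqdn_of = {s.lower(): f"{s.lower()}.{domain.lower()}" for s in servers}
    # Scenarios I and III: the URL names the server itself.
    for short, fqdn in fqdn_of.items():
        if host in (short, fqdn):
            if builtin:
                return []  # HOST/<server> is a superset of HTTP/<server>.
            return [(f"HTTP/{short}", pool_identity), (f"HTTP/{fqdn}", pool_identity)]
    # Scenarios II, IV and V: a separate host name such as www.example.com.
    if builtin:
        if len(servers) > 1:
            # An SPN can be registered on only one account, so a farm behind
            # one name cannot use per-machine identities (assumed check).
            raise ValueError("load balanced site needs a custom domain identity")
        return [(f"HTTP/{host}", next(iter(fqdn_of)))]
    return [(f"HTTP/{host}", pool_identity)]


def setspn_commands(urls, servers, domain, pool_identity):
    """Merge the SPNs for every URL the site answers on into an ordered,
    duplicate-free list of setspn -A commands."""
    seen, commands = set(), []
    for url in urls:
        for spn, account in required_spns(url, servers, domain, pool_identity):
            if spn not in seen:
                seen.add(spn)
                commands.append(f"setspn -A {spn} {account}")
    return commands


if __name__ == "__main__":
    # Scenario V: farm alpha/beta reached by the shared name and by each server.
    for line in setspn_commands(
        ["https://www.example.com", "https://alpha/", "https://beta"],
        ["alpha", "beta"], "example.com", "CustomDomainIdentity"):
        print(line)
```

The planner only knows the naming rules; it cannot tell whether www.example.com is an A record or a CNAME, so that DNS check still has to be done by hand.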
Note : The custom domain identity running the application pool has to be added to the IIS_WPG group.
Remember : Internet Explorer treats URLs with a dot in them as Internet addresses. You have to explicitly tell IE to treat such a URL as a Local Intranet website by adding it to the Local Intranet Zone.