Re: Service Principal Name Confusion
From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 04/20/05
Date: Thu, 21 Apr 2005 01:37:11 +1000
Hi there,
This is a good doco to read:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx
The SPN is based on the name used to access the site. IIS installation
should have already created an SPN for the NetBIOS name of the machine (and
the default worker process identity). If you add a FQDN, then you will need
an SPN for that. If you add another site, or change the FQDN for an existing
site, you will need to set another SPN.
Cheers
Ken
--
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com

"boarding_king" <boardingking@discussions.microsoft.com> wrote in message
news:27C7AFBA-5E81-4339-84F4-5E92A2DB6E14@microsoft.com...
: Setting up IIS 6.0 with Kerberos authentication on sites using domain
: accounts to run application pools has always caused me problems. I think this
: is because I never *really* understood what an SPN was and what it was for.
: Recently I did some reading and I think I've just about got it licked. I
: still have one question that I can't find an answer for:
:
: Q. If I change my default application pool to run as a domain user and
: configure my default website to use Kerberos (ie zero host headers) then I
: can just follow the solution given here:
:
: http://support.microsoft.com/default.aspx?scid=kb;en-us;871179
:
: The KB article more or less says create the following two SPNs
:
: setspn -A http/FQDN domain\user
: and
: setspn -A http/netbiosname domain\user
:
: The question is, if I create a second website (host header
: www.wibble.com for example) and disable the original default website, will I
: have to create a new SPN thus:
:
: setspn -A http/www.wibble.com domain\user
:
: i.e. Is the SPN related to a particular website or to IIS in general (in
: which case
:
: setspn -A http/FQDN domain\user
: and
: setspn -A http/netbiosname domain\user
:
: would be enough)?
:
: What if the site was using HTTPS, would I need to set up
:
: setspn -A https/www.wibble.com domain\user
:
: TIA.
:
: bk
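
The rule in the reply above (one SPN for each name used to reach the site), as an added example that is not part of the original thread: it compares the names clients use against a `setspn -L` listing and emits the `setspn -A` commands still missing. The account `EXAMPLE\svc_web`, the hosts `WEB01` / `web01.example.com` and the sample listing are constructed; using the `http/` service class for an https:// URL is standard Kerberos behaviour for web servers and is an assumption not stated in the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of `setspn -L EXAMPLE\svc_web` output (not from the thread).
SAMPLE_SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=svc_web,CN=Users,DC=example,DC=com:
    http/WEB01
    http/web01.example.com
"""

# serviceclass/host[:port][/servicename]; the header line contains spaces
# and therefore never matches.
SPN_LINE = re.compile(r"[A-Za-z0-9_.-]+/[^\s/:]+(:\d+)?(/\S+)?")


def parse_setspn_listing(text):
    """Return the SPNs found in `setspn -L` output, lower-cased
    (SPN comparison is case-insensitive)."""
    spns = set()
    for line in text.splitlines():
        line = line.strip()
        if SPN_LINE.fullmatch(line):
            spns.add(line.lower())
    return spns


def required_spns(access_names):
    """Map every name or URL clients use for the site to its SPN.

    Assumption: the service class is http/ for both http:// and https://
    URLs, and the port is not part of the SPN.
    """
    needed = set()
    for name in access_names:
        host = urlsplit(name).hostname if "://" in name else name
        needed.add("http/" + host.lower())
    return needed


def missing_spn_commands(access_names, setspn_output, account):
    """Return the `setspn -A` commands for SPNs that are not yet registered."""
    registered = parse_setspn_listing(setspn_output)
    missing = sorted(required_spns(access_names) - registered)
    return [f"setspn -A {spn} {account}" for spn in missing]


if __name__ == "__main__":
    names = ["WEB01", "web01.example.com", "https://www.wibble.com/"]
    for cmd in missing_spn_commands(names, SAMPLE_SETSPN_OUTPUT, r"EXAMPLE\svc_web"):
        print(cmd)
```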