Re: SPN for website (with AppPool) running under a Host Header

From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 11/28/05


Date: Mon, 28 Nov 2005 14:58:48 +1100

That is correct. You can use SetSPN to ensure that the SPNs exist under the
Test\App Pool Username user account.

Additionally, you can use LDIFDE (or other tool) to ensure that there are no
duplicate SPNs (i.e. an SPN for that FQDN registered under another user or
machine account in AD).

ldifde -f ldif.txt -j c:\ -d dc=yourdomain,dc=com -l serviceprincipalname -r "(serviceprincipalname=HTTP*)"

Cheers
Ken

"Iain Sander***" <iain.sander***@discussions.microsoft.com> wrote in
message news:66D0DA0F-CE38-4079-ADA4-D0DB12758703@microsoft.com...
: yes, I know that the 2nd SPN entry should also have the domain and app pool
: identity....that was just a cut & paste typo in my original post
:
: Setspn -A HTTP/workspace.test.com TEST\<App Pool username>
: Setspn -A HTTP/workspace TEST\<App Pool username>
:
:
: "Iain Sander***" wrote:
:
: > Hi All,
: >
: > I've dealt a lot with Kerberos in the past, and have a good
: > understanding. My dilemma is that I'm trying to get a more complex
: > scenario running, and am after a definitive example from someone who has
: > got this working, just to confirm that I'm heading down the right path....
: >
: > I have a webserver with 3 websites, each one runs under its own
: > apppool/worker identity
: >
: > 1 - Default Web site - WSS SP1, with host header for machine FQDN
: > (webserver.test.com)
: > 2 - specific website with Host Header name (which is a CNAME Alias for
: > this webserver = workspace.test.com)
: > 3 - Sharepoint Central Administration website (with standard [non port
: > 80] port for WSS admin site)
: >
: > Running the K2 website under the networkservice identity works, but as
: > soon as I change it to use an AppPool this breaks. I've read various MS KB
: > articles about this, and have made sure that I am isolating via AppPools
: > at the website level (i.e. this app pool is used for all applications on
: > that 1 website)
: >
: > So, when I register an SPN, should it be this
: >
: > Setspn -A HTTP/workspace.test.com TEST\<App Pool username>
: > Setspn -A HTTP/workspace
: >
: > Is there something that I should also be doing? Does anyone have any
: > other suggestions for what SPNs should be registered instead?
: >
: >
: > Thanks in Advance
: >
: > Cheers
: >
: > iain
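Ken's two checks (the SPNs exist on the app-pool account, and no other account in AD carries the same SPN) can be automated against the LDIF file that the ldifde command above writes. The script below is an added example, not code from this thread or from Microsoft's tooling: it parses LDIF (including folded continuation lines and base64 `::` values, both of which ldifde emits), lower-cases SPNs because AD matches servicePrincipalName case-insensitively, and reports duplicates and missing registrations. The LDIF text, DNs, account names and host names are constructed placeholders.

```python
"""Duplicate-SPN and expected-SPN checks over an LDIF export.

Added example, not code from the thread. Input is the kind of file produced by
  ldifde -f ldif.txt -l serviceprincipalname -r "(serviceprincipalname=HTTP*)"
The sample below is constructed: two accounts share HTTP/workspace.test.com,
which is exactly the duplicate-SPN condition that breaks Kerberos for that site.
"""
import base64
from collections import defaultdict

# Constructed sample LDIF (placeholder DNs and hosts). Note the folded line
# (leading space continues the previous line) and the base64 '::' value.
SAMPLE_LDIF = """\
dn: CN=WEBSERVER,OU=Servers,DC=test,DC=com
changetype: add
servicePrincipalName: HOST/WEBSERVER
servicePrincipalName: HOST/webserver.test.com
servicePrincipalName: HTTP/workspace.test.com

dn: CN=svc-apppool,OU=Service Accounts,DC=test,DC=com
changetype: add
servicePrincipalName: HTTP/workspace.test.com
servicePrincipalName: HTTP/workspace

dn: CN=svc-wss,OU=Service Accounts,DC=test,DC=com
changetype: add
servicePrincipalName: HTTP/webserver.tes
 t.com
servicePrincipalName:: SFRUUC93ZWJzZXJ2ZXI=
"""


def _unfold(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of (dn, [spn, ...]) for every entry in the export.

    Only servicePrincipalName values are collected. A '::' separator marks a
    base64-encoded value, which ldifde uses for non-printable-ASCII values.
    """
    entries = []
    dn, spns = None, []
    for line in _unfold(text) + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, spns))
            dn, spns = None, []
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")   # SPNs may contain ':' (ports), attr never does
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "serviceprincipalname":
            spns.append(value)
    return entries


def find_duplicate_spns(text):
    """Map each SPN registered on more than one account to its owning DNs.

    SPNs are lower-cased first: AD compares servicePrincipalName values
    case-insensitively, so HTTP/Foo and http/foo on two accounts still collide.
    """
    owners = defaultdict(list)
    for dn, spns in parse_ldif(text):
        for spn in spns:
            owners[spn.lower()].append(dn)
    return {spn: dns for spn, dns in owners.items() if len(dns) > 1}


def missing_spns(text, account_dn, expected):
    """Return the expected SPNs that are NOT registered on account_dn (sorted)."""
    have = set()
    for dn, spns in parse_ldif(text):
        if dn.lower() == account_dn.lower():
            have.update(s.lower() for s in spns)
    return sorted(s for s in expected if s.lower() not in have)


if __name__ == "__main__":
    for spn, dns in find_duplicate_spns(SAMPLE_LDIF).items():
        print(f"DUPLICATE {spn}: {', '.join(dns)}")
    print("missing on app-pool account:",
          missing_spns(SAMPLE_LDIF,
                       "CN=svc-apppool,OU=Service Accounts,DC=test,DC=com",
                       ["HTTP/workspace.test.com", "HTTP/workspace"]))
```

On the sample this flags `http/workspace.test.com` as owned by both the machine account and the app-pool service account. In the thread's scenario that is the state to look for when a site works under Network Service (whose SPNs live on the machine account) but breaks after moving it to a domain-account app pool: the old SPN on the computer object must be removed, not just the new one added.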

