Re: IIS to IIS using kerberos and non-standard web port

---

• From: Pom <Pom@xxxxxxxxxxxxxxxxxxxxxxxxx>
• Date: Tue, 26 Feb 2008 20:26:00 -0800

---

It is not an issue because I test the situation in 2 different environment:
one at home and one at work. Thers is no way I would have made the same errors

"Ken Schaefer" wrote:

can you provide a complete list of all SPNs that were originally registered,
and that you have now added? Your can use ldifde.exe to query AD

If you have created duplicate SPNs, it won't work.

Cheers
Ken

"Pom" <Pom@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:962ACC05-2278-4401-88E2-F7EFD3DE81EC@xxxxxxxxxxxxxxxx

Yes I tried 8080.

I Have an aspx program on machine a calling a web method on machine b

"Ken Schaefer" wrote:

IIS itself doesn't use any particular library - that is dependant on your
calling code (e.g. whether it uses WinInet or some other library)

When you created the SPN for the backend server, did you specift
http/servername:8080 for your SPN?

Cheers
Ken


"Pom" <Pom@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:CA1D3836-C881-4896-8560-221EC269A28B@xxxxxxxxxxxxxxxx

I have implemented kerberos in 3 tiers environnmnet where IIS 6.0 access
a
web services on a separate IIS server. I have properly setup all my
SPNs,
service account etc.. and it work fine. My problem is I have a
requirement
to
run my webservices server on 8080 web port. I try every combination and
I
can't make it success full. It work if I ran my front-end on 8080 but
not
the
back-end. I found the following article:
http://support.microsoft.com/kb/908209/ mentionning that IE:

"the Wininet.dll file does not pass the port number of the target Web
site
when it calls the InitializeSecurityContext function to build the
Kerberos
ticket. This prevents Internet Explorer 6 from using the Kerberos
protocol
to
connect to multiple Web sites that run on different ports under
different
identities. "

Is IIS doing the same thing as IE when an IIS server contact another
IIS
server on a non-standard port?

.

---

• Follow-Ups:
  • Re: IIS to IIS using kerberos and non-standard web port
    • From: Ken Schaefer

• Prev by Date: Re: IIS 6 and a legacy ISAPI filter
• Next by Date: Re: Howto refresh IIS 6 Application pool identity credential info
• Previous by thread: Client certificates on non-domain Server 2003
• Next by thread: Re: IIS to IIS using kerberos and non-standard web port
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: IIS outgoing http vulnerability ... Not an IIS server sending data out to some remote ... are unsolicited connections from external sources. ... Now, if your webserver is a public server, and accepts connections on port ... (microsoft.public.inetserver.iis.security) Re: how to configure two IIS machines side by side ? ... Scott, the correct answer is " sort of ", and it will require some special ... all requests will hit the first server. ... You need to create a dummy site on the first server, that when hit on port ... Have 2 sites on one IIS server? ... (microsoft.public.win2000.networking) Re: Server on DMZ ... Or if you are really paranoid and must have an IIS server ... forward port 1433 from your IIS server to the SQL ... you only have to have the firewall ... (microsoft.public.sqlserver.security) Re: Server on DMZ ... It's not a dynamic port. ... the DMZ to the SQL Server you should be ok. ... >>the IIS Server behind the fire wall, allow traffic on port 80 to the IIS ... (microsoft.public.sqlserver.security) SPN and SQL Server with multiple instance names ... When configuring a SPN for SQL Server using setspn.exe I should use the port ... What are the best practices to configure the SPN for SQL ... (microsoft.public.sqlserver.server)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.inetserver.iis.security  > 2008-02