Re: IIS to IIS using kerberos and non-standard web port
- From: "Ken Schaefer" <kenREMOVE@xxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 29 Feb 2008 16:10:40 +1100
OK - then please give us a list of everything that you are 100% sure about. Then we can test what you are not 100% sure about.
As mentioned, if you create a new SPN, but don't remove an old SPN that overlaps or is the same, then you get a duplicate SPN issue and Kerberos fails. That is why I asked for a list of all SPNs (you can query via LDIFDE). But if you are 100% sure that you do not have a duplicate SPN issue, then I suggest that you tell us what other things you are 100% sure about, so we don't waste any more time.
Cheers
Ken
"Pom" <Pom@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:94C752F7-4A90-4CA9-8DBA-AD630554604F@xxxxxxxxxxxxxxxx
It is not an issue because I tested the situation in 2 different environments:
one at home and one at work. There is no way I would have made the same errors
"Ken Schaefer" wrote:
can you provide a complete list of all SPNs that were originally registered,
and that you have now added? You can use ldifde.exe to query AD
If you have created duplicate SPNs, it won't work.
Cheers
Ken
"Pom" <Pom@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:962ACC05-2278-4401-88E2-F7EFD3DE81EC@xxxxxxxxxxxxxxxx
> Yes I tried 8080.
>
> I have an aspx program on machine a calling a web method on machine b
>
> "Ken Schaefer" wrote:
>
>> IIS itself doesn't use any particular library - that is dependent on your
>> calling code (e.g. whether it uses WinInet or some other library)
>>
>> When you created the SPN for the backend server, did you specify
>> http/servername:8080 for your SPN?
>>
>> Cheers
>> Ken
>>
>>
>> "Pom" <Pom@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:CA1D3836-C881-4896-8560-221EC269A28B@xxxxxxxxxxxxxxxx
>> > I have implemented Kerberos in a 3-tier environment where IIS 6.0 accesses
>> > a web service on a separate IIS server. I have properly set up all my SPNs,
>> > service account etc. and it works fine. My problem is I have a requirement
>> > to run my webservices server on 8080 web port. I tried every combination
>> > and I can't make it successful. It works if I run my front-end on 8080 but
>> > not the back-end. I found the following article:
>> > http://support.microsoft.com/kb/908209/ mentioning that IE:
>> >
>> > "the Wininet.dll file does not pass the port number of the target Web site
>> > when it calls the InitializeSecurityContext function to build the Kerberos
>> > ticket. This prevents Internet Explorer 6 from using the Kerberos protocol
>> > to connect to multiple Web sites that run on different ports under
>> > different identities."
>> >
>> > Is IIS doing the same thing as IE when an IIS server contacts another IIS
>> > server on a non-standard port?
>>
>>