RE: Service Principal Name in Kerberos
- From: jetan@xxxxxxxxxxxxxxxxxxxx ("Jeffrey Tan[MSFT]")
- Date: Mon, 22 Oct 2007 07:07:37 GMT
Hi Andrei,
SPNs are registered on the accounts in the format SERVICE\hostname[:port]
and are not entered during logon. Setspn -l <account> should show you
whether the correct SPN has been registered on each service account.
Apart from that, can you be more specific about how the apps are being
accessed? Are you talking about a user on a workstation that logs on,
opens IE and accesses the Client App on IIS that then accesses the Server
App on another IIS which then talks to SQL (i.e. 3-tier)... or something
completely different?
If IE is involved, you need to make sure that the Client App and Server App
are offering Kerberos and the browser is choosing it. A network trace from
the client and appservers while accessing the App should show this.
You also need to make sure the Apps are considered to be in the correct
security Zone within IE (Trusted site or Local Internet).
Otherwise, recycling electrons:
908209 Internet Explorer 6 cannot use the Kerberos authentication protocol
to connect to a Web site that uses a non-standard port on Windows XP,
Windows Server 2003 or Windows Vista
http://support.microsoft.com/default.aspx?scid=kb;EN-US;908209
NOTE: the KB article talks about IE 6. IE 7 has the same problem, but does
not require the hotfix, but does require the registry key change.
899900 Windows HTTP Services does not let you append a port number to the
service principal name in a program or service when you use Kerberos
authentication on a Windows Server 2003 SP1-based computer
http://support.microsoft.com/kb/899900/
Hope this helps.
Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
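
Added example, not part of the original post and not a Microsoft tool: a Python check of the SPN registration described above, run over constructed `setspn -L` output. The account names, hosts, and the idea that a web client may ask for HTTP/host either with or without the port are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of `setspn -L` output for two hypothetical service accounts.
SAMPLE = """\
Registered ServicePrincipalNames for CN=svc-client,OU=Svc,DC=example,DC=com:
        HTTP/clientapp.example.com
        HTTP/clientapp
Registered ServicePrincipalNames for CN=svc-server,OU=Svc,DC=example,DC=com:
        HTTP/serverapp.example.com:8080
        HTTP/clientapp.example.com
"""
HEADER = re.compile(r"^Registered ServicePrincipalNames for (.+):\s*$")

def parse_setspn(text):
    """Map each account DN to the list of SPNs printed under it."""
    accounts, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = accounts.setdefault(m.group(1), [])
        elif line.strip() and current is not None:
            current.append(line.strip())
    return accounts

def owners(accounts, spn):
    """Accounts holding an SPN; the comparison is case-insensitive."""
    return sorted(a for a, spns in accounts.items()
                  if spn.lower() in (s.lower() for s in spns))

def check_url(accounts, url):
    """Show which SPN form (with or without port) is registered for a URL."""
    u = urlsplit(url)
    forms = {"no_port": f"HTTP/{u.hostname}"}  # HTTP class also covers https
    if u.port:
        forms["with_port"] = f"HTTP/{u.hostname}:{u.port}"
    return {name: owners(accounts, spn) for name, spn in forms.items()}

def duplicates(accounts):
    """SPNs registered on more than one account, which breaks ticket lookup."""
    seen = {}
    for acct, spns in accounts.items():
        for s in spns:
            seen.setdefault(s.lower(), set()).add(acct)
    return {s: sorted(a) for s, a in seen.items() if len(a) > 1}

if __name__ == "__main__":
    accts = parse_setspn(SAMPLE)
    print(check_url(accts, "http://serverapp.example.com:8080/"))
    print(duplicates(accts))
```

An empty `no_port` list next to a populated `with_port` list is the mismatch to look for when the client builds its SPN without the port; any entry in `duplicates` should be resolved to a single owning account.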