Re: Service Principal Name in Kerberos
- From: "Andrei Zakharov" <zandr@xxxxxxxxxxxxxxxx>
- Date: Thu, 25 Oct 2007 15:20:11 +0400
Hi Jeffrey,
Well, what is the difference between the case when SPN =
Domain\AppServerUser and when SPN is registered in the form
OurServiceName/host.domain? I don't take into account IE, IIS, etc., because
we don't use them here.
Thanks.
--
Andrei.
""Jeffrey Tan[MSFT]"" <jetan@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:04tYEHrFIHA.5176@xxxxxxxxxxxxxxxxxxxxxxxxx
Hi Andrei,http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/delegconfig-deleg
Sorry for the late response. Our MSDN support tool is experiencing some
problem, so I did not see your reply till now.
Regarding this issue, step one is to verify the correct SPN¡¯s are
registered on the appropriate accounts (setspn ¨Cl <account>), step two is
to verify that the server app is configured to use Kerberos and that the
client is choosing it (a network trace might help identify that).
If it is purely a question about whether Kerberos delegation is working,
something like the DelegConfig tool could be useful to test it outside of
the applications. KB842861 is also a good place to start.
DelegConfig
ation-configuration-reporting-tool.aspxhttp://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
Troubleshooting Kerberos authentication with secure Web applications and
Microsoft SQL Server
http://support.microsoft.com/?id=842861
Hope this helps.
Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
ications.rights.
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no
.
- Follow-Ups:
- Re: Service Principal Name in Kerberos
- From: "Jeffrey Tan[MSFT]"
- Re: Service Principal Name in Kerberos
- References:
- Service Principal Name in Kerberos
- From: Andrei Zakharov
- RE: Service Principal Name in Kerberos
- From: "Jeffrey Tan[MSFT]"
- Re: Service Principal Name in Kerberos
- From: Andrei Zakharov
- Re: Service Principal Name in Kerberos
- From: "Jeffrey Tan[MSFT]"
- Service Principal Name in Kerberos
- Prev by Date: Re: Service Principal Name in Kerberos
- Next by Date: Privileges: allow/deny problem...
- Previous by thread: Re: Service Principal Name in Kerberos
- Next by thread: Re: Service Principal Name in Kerberos
- Index(es):
Relevant Pages
|
