Re: quick confirmation about kerberos & network service...



Thanks.

I already knew most parts of your really good and in-depth answer,
but you clearly answered my question.

Other question: I don't remember how to identify duplicated entries.
I found this in the past, but I have lost the link.

Other question (again).
Do you know if there is any improvement for firewall issues with Win 2003
SP1?
Today I know that ISA Server doesn't support Kerberos.
I mean, I have a portal server on a server and external users access it
through my ISA Server. Today I'm using HTTPS + Basic authentication.
Is there any improvement to support Kerberos with firewalls & NAT?
I have read about registry settings to disable client IP address
validation/verification; can this help us?

Thanks a lot

Jerome.


"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:%23ml5aNbJGHA.3896@xxxxxxxxxxxxxxxxxxxxxxx
> When you set an SPN on an account, you are allowing that account to
> authenticate clients via Kerberos who use the name you specified in the
> SPN to connect to the service. Thus, if your service account has an SPN
> of "HTTP/yourapp.yourdomain.com", then browser clients should be able to
> authenticate against your IIS-based web site using
> http://yourapp.yourdomain.com in the URL (or https) and get Kerberos
> authentication, assuming the service account in question has been
> configured as the IIS worker process account (under App Pools).
>
> When the SPN is set on the machine account, any service on the box that
> uses the machine account's credentials on the network can use this SPN.
> For 2003 server, that would be Local System and Network Service.
>
> Note that adding an SPN does not enable delegation. That is a different
> setting. What the SPN does is allow the original client to authenticate
> via Kerberos in the first place. If the client to server authentication
> fails over to NTLM because of a missing SPN on the service account, then
> delegation is not possible (unless you are using protocol transition).
>
> Note also that you can use the "HOST/xxxx" SPN style for web traffic.
> HOST is a catch-all for lots of services. HTTP is more specific though.
>
> Also, make sure you do not accidentally duplicate SPNs in your forest.
> That will break things. Only one account in a forest should have a
> specific SPN.
>
> Joe K.
>
> "Jéjé" <willgart_A_@xxxxxxxxxxxxxx> wrote in message
> news:elfzAZaJGHA.1132@xxxxxxxxxxxxxxxxxxxxxxx
>> Hi,
>>
>> When I configure a service to delegate the security (like IIS)
>> I'm using this command:
>>
>> setspn -a http/<server>.<domain> <domain>\<netbios name>
>>
>> Does this command allow both services running under the Local System & Network
>> Service accounts?
>> Or can only the Local System account delegate the user?
>>
>> I'm not sure about this, can you confirm this?
>>
>> (I confirm that I'm NOT using a domain user, only system & network
>> account)
>>
>> thanks.
>>
>> Jerome.
>>
>>
>
>
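For Jerome's follow-up question about finding duplicated entries, and Joe's warning that only one account in the forest should hold a given SPN, the following PowerShell script is an added example (not code from either poster). It uses the built-in ADSI searcher, so it needs no extra modules; it assumes it is run from a domain-joined machine as a user who can read the servicePrincipalName attribute, and searches only the current domain unless the SearchRoot line is changed to point at a global catalog (the "dc=yourdomain,dc=com" value is a placeholder).

```powershell
# Added example: enumerate every servicePrincipalName in the directory and
# report any value registered on more than one account. A duplicate means
# the KDC cannot tell which account's key to use, and clients typically
# fall back to NTLM (or fail), which is what breaks delegation.

$searcher = [adsisearcher]'(servicePrincipalName=*)'
$searcher.PageSize = 1000          # paged search so large domains return everything

# Optional: search the whole forest via a global catalog instead of the
# current domain. Placeholder DN, replace with your forest root.
# $searcher.SearchRoot = [adsi]'GC://dc=yourdomain,dc=com'

$null = $searcher.PropertiesToLoad.Add('distinguishedName')
$null = $searcher.PropertiesToLoad.Add('servicePrincipalName')

# Map: lower-cased SPN -> list of distinguished names that carry it.
# SPN comparison is case-insensitive, so normalise before grouping.
$owners = @{}
foreach ($entry in $searcher.FindAll()) {
    $dn = $entry.Properties['distinguishedname'][0]
    foreach ($spn in $entry.Properties['serviceprincipalname']) {
        $key = $spn.ToString().ToLowerInvariant()
        if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
        $owners[$key] += $dn
    }
}

# Report only SPNs held by two or more accounts.
$duplicates = $owners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if (-not $duplicates) {
    'No duplicate SPNs found.'
} else {
    foreach ($dup in $duplicates) {
        "DUPLICATE SPN: $($dup.Key)"
        foreach ($dn in $dup.Value) { "    $dn" }
    }
}
```

Run it before and after `setspn -a` to confirm the new HTTP/ entry exists exactly once. Later versions of setspn (Windows Server 2008 onwards) also offer `setspn -X` to search for duplicates directly, but the script above works against a 2003 domain as well and shows which accounts are in conflict, which is what you need in order to decide which registration to remove.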