Re: SPN problems?



Can you show what the SPNs you are setting actually are and what accounts
you are setting them on?

A common cause of Kerb auth errors is when you create an SPN like
HTTP/someapp and try to put that on two different service accounts. The
rule with SPNs is that they can only be on a single account. HTTP does not
use the port for forming the SPN, so you cannot differentiate the SPN by
port.

Another thing to understand is whether the SPN you are setting is the plain
host name of the server and if there is another SPN like HOST/server with
the same host name on a different account.

It would also be helpful to know if you get any useful error messages in the
system event log from Kerberos or failure audits in the security event log
related to this.

HTH,

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"gonzo" <gonzo@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:009144f9$0$27101$c3e8da3@xxxxxxxxxxxxxxxxxxxx
Hello,

There is a web application that uses .NET (IIS) and Java (Tomcat)
application servers (some users prefer one variant to another).

The problem is when configuring Single Sign-On for this application with
Active Directory as authentication service. Both variants use some Service
Principal Names to set-up SSO, and eventually there is some sort of
conflict between them. Each variant can be configured separately with no
problem, but when I try to make them work together they both fail.

IIS and Tomcat run on the same machine.

My first thought is: should I pay special attention when setting SPNs with
such a configuration, i.e. two web services running on the same machine, IIS
on port 80, Tomcat on port 8080? I realize what I write is a bit vague,
but I am starting to deal with the problem. Maybe someone has dealt with a
similar problem?

Any thoughts would be greatly appreciated.

thank you,
gonzo
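An offline check for the two conditions Joe describes (the same HTTP SPN registered on two accounts, and an HTTP SPN whose host also carries a HOST/ SPN on a different account), added here as an example and not part of the thread. The account-to-SPN table is constructed to mirror the IIS/Tomcat scenario, and the set of service classes treated as covered by HOST/ is an assumption (a subset of the default sPNMappings list).

```python
from collections import defaultdict

# Service classes the default HOST/ mapping covers. Assumption: a subset of
# the Windows sPNMappings defaults; HTTP is the one that matters in this thread.
HOST_ALIASED_CLASSES = {"http", "www"}


def normalize_spn(spn):
    """Return (service_class, host) for an SPN, lower-cased.

    For HTTP-style SPNs the port is dropped, because the browser does not put
    the port into the SPN it requests: HTTP/srv:8080 and HTTP/srv are the
    same name to the client, so they collide if they sit on different accounts.
    Other classes (e.g. MSSQLSvc) keep the port, since it is part of the name.
    """
    parts = spn.split("/")
    service_class = parts[0].lower()
    host = parts[1].lower() if len(parts) > 1 else ""
    if service_class in HOST_ALIASED_CLASSES:
        host = host.split(":")[0]
    return service_class, host


def find_spn_conflicts(accounts):
    """accounts: {account_name: [spn, ...]} as exported from setspn -L, ADSI
    Edit or ldifde. Returns sorted (kind, 'class/host', (account, account))."""
    owners = defaultdict(set)
    for account, spns in accounts.items():
        for spn in spns:
            owners[normalize_spn(spn)].add(account)
    findings = []
    for (cls, host), accts in owners.items():
        if len(accts) > 1:  # one SPN may live on exactly one account
            findings.append(("duplicate", f"{cls}/{host}", tuple(sorted(accts))))
        if cls in HOST_ALIASED_CLASSES:
            # HOST/host on another account: worth reviewing, because a service
            # relying on the implicit HOST/ mapping would be keyed to the wrong account
            for other in sorted(owners.get(("host", host), set()) - accts):
                for acct in sorted(accts):
                    findings.append(("host-alias", f"{cls}/{host}", (acct, other)))
    return sorted(findings)


SAMPLE_ACCOUNTS = {  # constructed data modelled on the scenario in the thread
    "svc_iis": ["HTTP/webapp.example.com", "HTTP/webapp"],
    "svc_tomcat": ["HTTP/webapp.example.com:8080", "HTTP/webapp:8080"],
    "svc_intranet": ["HTTP/websrv.example.com"],
    "WEBSRV$": ["HOST/websrv.example.com", "HOST/WEBSRV"],
    "svc_sql": ["MSSQLSvc/dbsrv.example.com:1433"],
}

if __name__ == "__main__":
    for kind, name, accts in find_spn_conflicts(SAMPLE_ACCOUNTS):
        print(f"{kind:10} {name:28} {' vs '.join(accts)}")
```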

