RE: IE, Kerberos, and Port Numbers
- From: Don Stanley <DonStanley@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 4 Jan 2007 14:59:01 -0800
We have seen this in both IE6 and IE7. I think this may solve our problems.
We have MS Premier Support, so we will attempt to obtain the hotfix that way.
Thanks!
Don
"Brian Delaney [MSFT]" wrote:
Hi Don,.
Which version of IE are you using?
I have found a hotfix for IE6 that I believe is what you are looking for.
Please review the fix: http://support.microsoft.com/kb/908209
If this is what you are looking for please let me know and provide an email
address and I will provide you with instructions on getting the fix.
Hope this helps,
Brian Delaney
Microsoft Canada
--
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
Thread-Topic: IE, Kerberos, and Port Numberswith
thread-index: Accuq+/wmeXlSyn5ReCD1peVs62DuA==
X-WBNR-Posting-Host: 66.210.174.40
From: =?Utf-8?B?RG9uIFN0YW5sZXk=?= <Don Stanley@xxxxxxxxxxxxxxxxxxxxxxxxx>
Subject: IE, Kerberos, and Port Numbers
Date: Tue, 2 Jan 2007 12:24:00 -0800
This question has been cross-posted to the IE newsgroup as it has to do
IE's implementation of Kerberos ticket requests...for
After many trials and tribulations with Kerberos, we have come to the
conclusion that you cannot have two web sites on the same server with the
same root URL, just differentiated by port number, that both use Kerberos
authentication unless they run as the same security account.port
Our situation was a WS2003 server that has two web sites: one listening on
the default port running as a domain account (svc_1), one listening on
8080 running as a different domain account (svc_2). We has two sets ofSPNs
registered: One set for the default HTTP port, and one set for port 8080.
In essence, the setspn -L output for each account looked like this:back
For svc_1:
HTTP/WEBDEV002.company.net
HTTP/WEBDEV002
For svc_2:
HTTP/WEBDEV002.company.net:8080
HTTP/WEBDEV002:8080
We expected requests for http://WEBDEV002:8080 to use Kerberos to
authenticate (and delegation eventually), however it was always falling
to NTLM. When we read the article below, we removed the svc_1 SPN andsite
Kerberos worked on the port 8080 site (but did not work on the port 80
any longer).hostnames
From http://blogs.msdn.com/cgideon/archive/2006/09/11/749880.aspx:
If multiple Web sites are reached by the same URL but on different ports,
Kerberos will not work. To make this work, you must use different
and different SPNs. When Internet Explorer requests eitheradd
http://www.Contoso.com or http://www.Contoso.com:81, Internet Explorer
requests a ticket for SPN HTTP/www.contoso.com. Internet Explorer doesn't
the port or the virtual server/Web Application to the SPN request. Thisrequest
behavior is the same for http://www.contoso.com/app1 or
http://www.contoso.com/app2. In this scenario, Internet Explorer will
a ticket for SPN http://www.Contoso.com from the Key Distribution Centerwould
(KDC). Each SPN can be declared only for one identity. Therefore, you
also receive a KRB_DUPLICATE_SPN error message if you try to declare thisSPN
for each identity.requesting
My question is: Does IE intentionally omit the port number when
an SPN to obtain a Kerberos ticket? If not, is this a defect in IE thatcan
be fixed? If so, what is the technical reason and is there a workaround?
This is happening for both IE6 and IE7.
Thanks,
Don
- Follow-Ups:
- RE: IE, Kerberos, and Port Numbers
- From: Brian Delaney [MSFT]
- RE: IE, Kerberos, and Port Numbers
- References:
- RE: IE, Kerberos, and Port Numbers
- From: Brian Delaney [MSFT]
- RE: IE, Kerberos, and Port Numbers
- Prev by Date: Re: How to access current CAL usage
- Next by Date: Client Connections on Shared Folder
- Previous by thread: RE: IE, Kerberos, and Port Numbers
- Next by thread: RE: IE, Kerberos, and Port Numbers
- Index(es):
Relevant Pages
|
