RE: IE, Kerberos, and Port Numbers

From: briandel@xxxxxxxxxxxxxxxxxxxx (Brian Delaney [MSFT])
Date: Fri, 05 Jan 2007 20:38:20 GMT

Hi Don,

That's great to hear. I did not find any fix for IE7 so you may only need
to set the registry key mentioned below to fix the problem. Let me know
how it goes.

Hope this helps,

Brian Delaney
Microsoft Canada
--

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------

Thread-Topic: IE, Kerberos, and Port Numbers
thread-index: AccwU+yiXpUHvXvVQ7eL2MGa/dCXfw==
X-WBNR-Posting-Host: 66.210.174.40
From: =?Utf-8?B?RG9uIFN0YW5sZXk=?= <DonStanley@xxxxxxxxxxxxxxxxxxxxxxxxx>
References: <143B575E-4DF0-4895-9118-57663D4E0893@xxxxxxxxxxxxx>

<Gv4J7WEMHHA.4020@xxxxxxxxxxxxxxxxxxxxxx>

Subject: RE: IE, Kerberos, and Port Numbers
Date: Thu, 4 Jan 2007 14:59:01 -0800

We have seen this in both IE6 and IE7. I think this may solve our

problems.

We have MS Premier Support, so we will attempt to obtain the hotfix that

way.

Thanks!

Don

"Brian Delaney [MSFT]" wrote:

Hi Don,

Which version of IE are you using?
I have found a hotfix for IE6 that I believe is what you are looking for.

Please review the fix: http://support.microsoft.com/kb/908209
If this is what you are looking for please let me know and provide an

address and I will provide you with instructions on getting the fix.

Hope this helps,

Brian Delaney
Microsoft Canada
--

This posting is provided "AS IS" with no warranties, and confers no

rights.

--------------------

Thread-Topic: IE, Kerberos, and Port Numbers
thread-index: Accuq+/wmeXlSyn5ReCD1peVs62DuA==
X-WBNR-Posting-Host: 66.210.174.40
From: =?Utf-8?B?RG9uIFN0YW5sZXk=?= <Don

Stanley@xxxxxxxxxxxxxxxxxxxxxxxxx>

Subject: IE, Kerberos, and Port Numbers
Date: Tue, 2 Jan 2007 12:24:00 -0800

This question has been cross-posted to the IE newsgroup as it has to do

with

IE's implementation of Kerberos ticket requests...

After many trials and tribulations with Kerberos, we have come to the
conclusion that you cannot have two web sites on the same server with

the

same root URL, just differentiated by port number, that both use

Kerberos

for

authentication unless they run as the same security account.

Our situation was a WS2003 server that has two web sites: one listening

the default port running as a domain account (svc_1), one listening on

port

8080 running as a different domain account (svc_2). We has two sets of

SPNs

registered: One set for the default HTTP port, and one set for port

8080.

In essence, the setspn -L output for each account looked like this:

For svc_1:
HTTP/WEBDEV002.company.net
HTTP/WEBDEV002

For svc_2:
HTTP/WEBDEV002.company.net:8080
HTTP/WEBDEV002:8080

We expected requests for http://WEBDEV002:8080 to use Kerberos to
authenticate (and delegation eventually), however it was always falling

back

to NTLM. When we read the article below, we removed the svc_1 SPN and
Kerberos worked on the port 8080 site (but did not work on the port 80

site

any longer).

From http://blogs.msdn.com/cgideon/archive/2006/09/11/749880.aspx:

If multiple Web sites are reached by the same URL but on different

ports,

Kerberos will not work. To make this work, you must use different

hostnames

and different SPNs. When Internet Explorer requests either
http://www.Contoso.com or http://www.Contoso.com:81, Internet Explorer
requests a ticket for SPN HTTP/www.contoso.com. Internet Explorer

doesn't

add

the port or the virtual server/Web Application to the SPN request. This
behavior is the same for http://www.contoso.com/app1 or
http://www.contoso.com/app2. In this scenario, Internet Explorer will

request

a ticket for SPN http://www.Contoso.com from the Key Distribution

Center

(KDC). Each SPN can be declared only for one identity. Therefore, you

would

also receive a KRB_DUPLICATE_SPN error message if you try to declare

this

SPN

for each identity.

My question is: Does IE intentionally omit the port number when

requesting

an SPN to obtain a Kerberos ticket? If not, is this a defect in IE

that

can

be fixed? If so, what is the technical reason and is there a

workaround?

This is happening for both IE6 and IE7.

Thanks,

Don

References:
- RE: IE, Kerberos, and Port Numbers
  - From: Brian Delaney [MSFT]
- RE: IE, Kerberos, and Port Numbers
  - From: Don Stanley

Prev by Date: RE: Option 135 not available in DHCP Scope Options
Next by Date: Re: Microsoft Software Shadow Copy Provider service info needed.
Previous by thread: RE: IE, Kerberos, and Port Numbers
Next by thread: Locking folders but NOT files? How?
Index(es):
- Date
- Thread

Relevant Pages

Re: Error Message Appears At Startup
... Aside from removing IE7 there is another workaround that might fix your ... startup which is probably why you're seeing MovieMaker crash. ... Movie maker is now working again. ...
(microsoft.public.windowsxp.moviemaker)
Re: certificate problems
... WITH A CERTIFICATE ERROR ON SOME WEB SITES THAT I HAVE NEVER HAD ... THIS ISSUE SO CAN ANY ONE HELP HOW TO FIX THIS PROBLEM? ... Have you tried emptying the Internet Explorer Temporary Internet Files? ...
(microsoft.public.windowsxp.help_and_support)
Re: HELP! IE7 is messing up URLs in my emails
... and anyway I achieved the same partial fix without making IE7 my ... This should fix the problem. ... Since then URLs in the text of HTML emails received via Outlook ... The advice he was given then was to edit 3 or 4 keys in the registry every ...
(microsoft.public.outlook.general)
Re: One of my HDs finally quit showing up.
... drives section, that's for internal drives only usually. ... there a fix for IE7 to recognize this HD that finally quit showing ... by IE7 or Explorer. ... have done the custom install bit). ...
(microsoft.public.windowsxp.general)
Re: One of my HDs finally quit showing up.
... drives section, that's for internal drives only usually. ... there a fix for IE7 to recognize this HD that finally quit showing ... by IE7 or Explorer. ... have done the custom install bit). ...
(microsoft.public.windowsxp.general)