
I developed a web service (hosted with OWIN, not IIS) where my users have to authenticate with their domain credentials. Currently it's using NTLM and everything is working fine, but I want to switch to Kerberos. AFAIK I need to add an SPN to AD to make this work. So I tried the following:

  • adding HTTP/myserver.myDomain.local to the host manually in the AD Users and Computers GUI
  • Setspn -S HTTP/myserver.myDomain.local myDomain\ServiceUser (this gave me a duplicate SPN error at first, so I deleted the SPN from step 1)
  • In one of the MS docs I found Setspn -A HTTP/myServer.myDomain.local myDomain\ServiceUser (this gave me a duplicate SPN error at first, so I deleted the SPN from step 2)

In all cases I get an HTTP 401 when trying it in my browser. My URL is https://myserver.mydomain.local:9000/api/listapps

So can anyone please tell me what the right SPN is and why? I tried to understand the documentation from Microsoft, but I don't understand in which case you use which parameters.

Thank you.

  • There needs to be an SPN for the site name in the URL, including the port number (HTTP/myserver.mydomain.local:9000). There also needs to be delegation configured. See: https://dirteam.com/tomek/2009/12/20/kerberos-a-sprawa-portu/ – Greg Askew Aug 11 '22 at 16:16
  • You can also verify that your client is sending a Kerberos authentication header. An NTLM auth header begins with a T, Kerberos begins with a Y. If your client is not sending a Y, that is the problem. – Greg Askew Aug 11 '22 at 16:18
  • With the port number in the SPN it worked, thank you. In my case delegation is not necessary. – 404_username_not_found Aug 16 '22 at 07:07
  • I only thought it worked, because client and server were on Negotiate. Now I told the client to use Kerberos only and it doesn't work anymore. The SPN is with port, and for testing I set delegation to trust for all services. Any more ideas? – 404_username_not_found Aug 17 '22 at 08:58
  • Did you confirm if the client is sending a Kerberos or NTLM auth header? – Greg Askew Aug 17 '22 at 09:26
  • I used Fiddler to inspect my traffic and it tells me the following stuff: Auth Header: "Negotiate YIIP..." and in the auth tab "WWW-Authenticate Header (Negotiate) appears to be a Kerberos reply:", so I believe my client is trying Kerberos and fails. – 404_username_not_found Aug 17 '22 at 14:44
  • Assuming the AD domain\username for the account you are using is valid, if you believe delegation is required, has the service account used for the SPN and delegation/impersonation been properly configured? Usually user accounts that perform impersonation with delegatable credentials require the Act As Part of the Operating System privilege. – Greg Askew Aug 17 '22 at 16:16
  • Delegation should not be necessary in my opinion, because I need Kerberos just to validate the user's identity. After that I just need (and use) their username. I added this privilege nevertheless, but it doesn't change anything. – 404_username_not_found Aug 19 '22 at 14:03
  • Delegation is not required to authenticate. If there is a web API call to auth, delegation is not even a factor. Delegation is a factor when you attempt to use the credentials to impersonate the identity and access a non-local resource. There should be a log somewhere with more detail than just 401, maybe a sub code. – Greg Askew Aug 19 '22 at 15:44
  • I enabled Kerberos logging on client and server side. In the client logs I find the following error: KRB_AP_ERR_MODIFIED. MS docs tell me two possible reasons for this: (1) SPN configured on the wrong account: double-checked it. The service runs as myUser@mydomain.local and on myUser I find the SPN "HTTP/myServer.mydomain.local:9000". (2) PW different on service and AD: changed the PW in AD and in the service, waited for all DCs to replicate and restarted the server and client application. – 404_username_not_found Aug 22 '22 at 10:21
  • These are Windows/AD credentials. There may be logon failures in the security event log (4625 or similar). – Greg Askew Aug 22 '22 at 10:35
  • That's right. In the logs of the DC I found 4625 entries for this user, saying the username or password was wrong. After I changed the password again, this event is no longer logged (old PW with special chars, new PW with only letters and numbers), but KRB_AP_ERR_MODIFIED is still there. – 404_username_not_found Aug 22 '22 at 13:44
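The two checks raised in the comments above (is the client actually sending a Kerberos token rather than NTLM, and does the SPN the client builds for the URL, port included, match what is registered on the service account) can be scripted against a captured Authorization header. This is an added example, not code from the thread or from the OWIN service; the sample header values are constructed, and which clients append the port to the SPN is client-specific, so the port rule here simply follows the comment above.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample Authorization header values (not captured from the post).
# NTLM tokens decode to "NTLMSSP\0"; SPNEGO/Kerberos tokens are a DER
# [APPLICATION 0] GSS-API token and start with byte 0x60, which base64-encodes as "Y".
NTLM_HEADER = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2").decode()
KRB_HEADER = "Negotiate " + base64.b64encode(b"\x60\x82\x0f\xaa\x06\x06\x2b\x06\x01\x05\x05\x02").decode()


def classify_negotiate(header):
    """Return 'ntlm', 'kerberos' or 'unknown' for an Authorization header value."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        raw = base64.b64decode(token)  # non-alphabet chars such as "..." are skipped
    except ValueError:
        return "unknown"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    if raw[:1] == b"\x60":  # GSS-API InitialContextToken (SPNEGO wrapping Kerberos)
        return "kerberos"
    return "unknown"


def expected_spn(url):
    """SPN for the URL as the comment describes it: HTTP/host, plus :port when the
    port is not the scheme default. Caveat (assumption): some browsers omit the port
    unless configured to include it."""
    parts = urlsplit(url)
    default = 443 if parts.scheme == "https" else 80
    if parts.port in (None, default):
        return f"HTTP/{parts.hostname}"
    return f"HTTP/{parts.hostname}:{parts.port}"


def diagnose(header, url, service_account_spns):
    """Map the thread's two checks onto the most likely cause of the 401."""
    kind = classify_negotiate(header)
    if kind == "ntlm":
        return "client fell back to NTLM; no Kerberos ticket was requested"
    if kind != "kerberos":
        return "no recognisable Negotiate token in the request"
    spn = expected_spn(url)
    if spn.lower() not in {s.lower() for s in service_account_spns}:
        return f"{spn} is not registered on the service account (typical KRB_AP_ERR_MODIFIED cause)"
    return f"{spn} is registered; check the account password and the Security log (4625)"
```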

0 Answers