
I am using IIS 7 for setting up a website under Windows authentication. I am seeing an authentication issue which I am almost sure is related to Kerberos and to me wrongly setting up the SPN. The scenario which I am using is as below.

I have created a new test domain (the FQDN of which let's call "test.net") governed by a Domain Controller (let's call this machine 'test-DC'). Under this new domain (test) I have hosted an IIS server which is supposed to use Windows authentication with Kerberos delegation. I have enabled Windows authentication while the others are disabled in IIS Manager. Let's say this IIS machine name is 'test-iis' and Active Directory has its username for the IIS server as 'user-iis'. The application pool on the IIS server is running under the service account "TEST\user-iis". I am trying to set up an SPN for the HTTP service type.

First question: I am setting the SPN as

setspn -a http/test-iis.test.net

Is this SPN setting right?

My second question is: I am setting this SPN value on the Domain Controller, thinking the DC is the entity that will verify credentials and all. Is my thinking right?

Any advice with this issue will be very helpful to me and others.

Thanks.

[Edit] One more thing: I am able to ping from the IIS server to 2 other machines in the same domain, but I could not ping the IIS server from the other two machines. Can anyone help me understand why that is so?

Manish Shukla

2 Answers

Since you are running the application pool as TEST\user-iis, you must apply the SPN to that account. It is generally accepted that you should also include another SPN for the short name of the host as well.

setspn -a http/test-iis.test.net TEST\user-iis
setspn -a http/test-iis TEST\user-iis

And just for clarification, all setspn is doing with these commands is modifying the "servicePrincipalName" attribute of that user account. If you open the Properties dialog for it and go to the Attributes tab, you can scroll down to servicePrincipalName, open it up, and see the changes you made.

Regarding your ping issue, check the Windows firewall on the IIS box. ICMP is not enabled by default.

Ryan Bolger

When using the setspn command, don't forget the IWAM account, as seen below:

setspn -a http/test-iis.test.net Domain_name\IWAM_ACCOUNT

Note that:

  • IWAM_ACCOUNT is the account used to run the application pool you are using (it must be a domain-level account).
  • You should also run the same command again, but replace 'test-iis.test.net' with just 'test-iis'.

Concerning your second question, you are correct in that the change is made in Active Directory... But the setspn command could be run on any server in the domain.

HopelessN00b
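Both answers above boil down to the same procedure: register the FQDN and short-name HTTP SPNs on the account that runs the application pool, then confirm the servicePrincipalName attribute on that account. The following PowerShell script is an added example written for this page (it is not code from the question or either answer) that carries that procedure out with a duplicate check first, because an SPN that exists on two accounts in the forest is the most common way a setup like this breaks Kerberos. It assumes the names used on this page (host test-iis, domain test.net, application pool identity TEST\user-iis), a domain-joined machine with the ActiveDirectory PowerShell module (RSAT) installed, and an account permitted to write servicePrincipalName on the target user; the parameter names are this example's own.

```powershell
# Added example, not from the original question or answers.
# Registers the HTTP SPN pair for an IIS application pool identity and
# verifies the result. Assumed names: test-iis / test.net / user-iis.
param(
    [string]$HostName       = 'test-iis',   # NetBIOS name of the IIS server
    [string]$DnsDomain      = 'test.net',   # DNS suffix of the domain
    [string]$AppPoolAccount = 'user-iis'    # sAMAccountName of the app pool identity
)

Import-Module ActiveDirectory

# The account that will own the SPNs; its DN is used to tell "already ours"
# apart from "registered on somebody else".
$acct = Get-ADUser -Identity $AppPoolAccount -Properties servicePrincipalName

# Both forms are needed: clients that browse to the FQDN request the first,
# clients that browse to the short name request the second.
$spns = @(
    "HTTP/$HostName.$DnsDomain",
    "HTTP/$HostName"
)

foreach ($spn in $spns) {
    # An SPN may be registered on exactly one account in the forest. If it is
    # also on another account (typically the computer object or a leftover
    # service account), the KDC cannot choose a key and clients see
    # authentication failures rather than a clear error.
    $owners = Get-ADObject -Filter "servicePrincipalName -eq '$spn'" `
                           -Properties servicePrincipalName

    $foreign = @($owners | Where-Object { $_.DistinguishedName -ne $acct.DistinguishedName })
    if ($foreign.Count -gt 0) {
        foreach ($o in $foreign) {
            Write-Warning "$spn is already registered on '$($o.DistinguishedName)'. Remove it there (setspn -D) before adding it to $AppPoolAccount."
        }
        continue
    }

    if ($acct.servicePrincipalName -contains $spn) {
        Write-Host "$spn is already present on $AppPoolAccount; nothing to do."
        continue
    }

    # setspn -S adds the SPN only after checking the forest for duplicates,
    # unlike -A, which adds it unconditionally.
    & setspn.exe -S $spn $AppPoolAccount
}

# Read back the attribute that setspn modifies, as the first answer describes.
Write-Host "servicePrincipalName on ${AppPoolAccount}:"
(Get-ADUser -Identity $AppPoolAccount -Properties servicePrincipalName).servicePrincipalName

# Forest-wide duplicate report; run this after any SPN change.
& setspn.exe -X
```

Running the script on the domain controller or on any other domain-joined machine gives the same result, since, as the second answer notes, the write goes to Active Directory either way. If the warning about a foreign owner appears, the fix is to remove the SPN from that object rather than to add a second copy.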