
We have in-house IIS apps built on ASP.NET 2.0 running on IIS 7.5 on Server 2008 R2 x64. The back end is SQL 2005. It uses Kerberos (Windows integrated) authentication. Once in a while we need to change the SPNs that map the site name to the server, when a new server is put into production or a site is moved to a different server.

The most recent change required me to reboot the IIS and SQL servers for the SPN change to take effect. Before the reboot, users got authentication errors in IE.

Is there a less intrusive way to get the SPN changes to take effect? These are 24/7 production sites, so service restarts and/or server reboots are difficult.

satchel_74
  • Have you tried setspn -D? – Ben Thul Oct 31 '12 at 21:14
  • Yes, that's part of the change process. I use setspn -D to remove the old one, then setspn -S to add the new record (-S checks for duplicates). However these changes don't take effect for clients, not even days later. Rebooting fixed it. It seems that the records are cached in IIS/SQL or both, because if I make a new DNS test record for the same site, add a brand new SPN, add host header values to the site, it all works right away. Changing existing records and moving the site to a different server causes the headaches. – satchel_74 Oct 31 '12 at 21:19
  • To clarify, rebooting the IIS and SQL servers fixed this issue. – satchel_74 Jul 08 '13 at 15:01

1 Answer

You can use klist on each of your server instances to clear the cached tickets:

http://technet.microsoft.com/en-us/library/hh134826.aspx

My problem is with cached tickets on the client side, which can also cause problems.

Adding new SPNs to existing service ids

jmh
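The following script is an added example, not code from the question or the answer above. It walks through the procedure both posts describe: moving an SPN between accounts with setspn -D / -S, verifying that exactly one account holds it, and then purging cached Kerberos tickets with klist so the change is picked up without a reboot. All names in it (the CONTOSO domain, intranet.contoso.com, OLDWEB01, svc-intranet) are placeholders, not values from the page; the logon id 0x3e7 is the well-known SYSTEM logon session on Windows, which is where services running as Local System or Network Service keep their tickets.

```powershell
# Added example (not from the original Q&A): move an HTTP SPN to a new
# account and purge cached Kerberos tickets on the affected hosts.
# Placeholder names, not from the page: domain CONTOSO, site name
# intranet.contoso.com, old host OLDWEB01, new app pool identity svc-intranet.
param(
    [string]$SiteFqdn   = 'intranet.contoso.com',
    [string]$OldAccount = 'OLDWEB01$',             # old IIS host computer account
    [string]$NewAccount = 'CONTOSO\svc-intranet'   # new app pool identity
)

$spn = "HTTP/$SiteFqdn"

# 1. Show which account(s) currently hold the SPN. A duplicate registration
#    is the usual reason Kerberos fails or silently falls back to NTLM.
setspn -Q $spn

# 2. Move the SPN: remove it from the old account, add it to the new one.
#    -S refuses to create a duplicate; -A does not check.
setspn -D $spn $OldAccount
setspn -S $spn $NewAccount

# 3. Re-check; exactly one account should be listed now.
setspn -Q $spn

# 4. Purge cached tickets instead of rebooting. Ticket caches are per logon
#    session, so purge both the interactive session and the SYSTEM session
#    (0x3e7) that Local System / Network Service services such as IIS app
#    pools and SQL Server use. Run this on the IIS host and on the SQL host.
#    A service running as a domain account caches tickets in its own logon
#    session; for that one, recycle the app pool or restart the service.
klist purge
klist purge -li 0x3e7

# 5. Clients hold their own tickets for the old mapping until they expire
#    (10 hours by default). On a test client, purge and browse again, then
#    confirm a fresh ticket for the new SPN was issued.
klist purge
klist | Select-String -Pattern ([regex]::Escape($spn))
```

The same sequence applies to the SQL side with an MSSQLSvc/host:port SPN on the SQL service account. Step 3 is the check worth keeping in any change procedure: a setspn -Q that lists two accounts for one SPN is the symptom to fix before purging anything.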