Unable to access site with FQDN

Help!!

I have configured a CNAME record (home.myorg.co.uk) for one of my servers (sv006.myorg.co.uk) and I have registered SPN's against the App Pool Identity account (MYORG\vIISService) for both the "HTTP/home" and "HTTP/home.myorg.co.uk".

However Kerberos Authentication fails if I connect through "home.myorg.co.uk". If I connect directly to "home" all is fine.

TIA

Mike

On Mar 7, 4:56 am, mc <m...@community.nospam> wrote:
> Help!!
>
> I have configured a CNAME record (home.myorg.co.uk) for one of my servers (sv006.myorg.co.uk) and I
> have registered SPN's against the App Pool Identity account (MYORG\vIISService) for both the
> "HTTP/home" and "HTTP/home.myorg.co.uk".
>
> However Kerberos Authentication fails if I connect through "home.myorg.co.uk" If I connect directly
> to "home" all is fine.
>
> TIA
>
> Mike

If the client doesn't think that home.myorg.co.uk is an intranet site then it won't attempt Kerb or NTLM auth. Try adding the URL to the IE trusted sites on the client and see if that makes it behave correctly.

HTH,
Dave

"DaveMo" <david.mow***@gmail.com> wrote in message
news:ab51d16d-e1f6-4411-adbc-b8a940dc950d@s28g2000vbp.googlegroups.com...
> On Mar 7, 4:56 am, mc <m...@community.nospam> wrote:
>> Help!!
>>
>> I have configured a CNAME record (home.myorg.co.uk) for one of my servers
>> (sv006.myorg.co.uk) and I
>> have registered SPN's against the App Pool Identity account
>> (MYORG\vIISService) for both the
>> "HTTP/home" and "HTTP/home.myorg.co.uk".
>>
>> However Kerberos Authentication fails if I connect through
>> "home.myorg.co.uk" If I connect directly
>> to "home" all is fine.
>>
>> TIA
>>
>> Mike
>
> If the client doesn't think that home.myorg.co.uk is an intranet site
> then it won't attempt Kerb or NTLM auth. Try adding the URL to the IE
> trusted sites on the client and see if that makes it behave correctly.

One slight nitpick - NTLM works fine in any zone (intranet, internet etc). If IE thinks the site is in the Internet zone it doesn't try Kerberos and uses NTLM by default. Put the site into the Intranet zone to make it attempt Kerberos.

Cheers
Ken

Kerberos AuthN requires IE to see the site in the Intranet security zone.

See IIS and Kerberos Part 3 at http://www.adopenstatic.com/faq/

Cheers
Ken

"mc" <mc@community.nospam> wrote in message
news:49b260dc$1@mail.hmgcc.gov.uk...
> Help!!
>
> I have configured a CNAME record (home.myorg.co.uk) for one of my servers
> (sv006.myorg.co.uk) and I have registered SPN's against the App Pool
> Identity account (MYORG\vIISService) for both the "HTTP/home" and
> "HTTP/home.myorg.co.uk".
>
> However Kerberos Authentication fails if I connect through
> "home.myorg.co.uk" If I connect directly to "home" all is fine.
>
> TIA
>
>
> Mike

Fantastic!!!!

The answer I was looking for!!

Ken Schaefer wrote:
> Kerberos AuthN requires IE to see the site in the Intranet security zone.
>
> See IIS and Kerberos Part 3 at http://www.adopenstatic.com/faq/
>
> Cheers
> Ken
>
>
> "mc" <mc@community.nospam> wrote in message
> news:49b260dc$1@mail.hmgcc.gov.uk...
>> Help!!
>>
>> I have configured a CNAME record (home.myorg.co.uk) for one of my
>> servers (sv006.myorg.co.uk) and I have registered SPN's against the
>> App Pool Identity account (MYORG\vIISService) for both the "HTTP/home"
>> and "HTTP/home.myorg.co.uk".
>>
>> However Kerberos Authentication fails if I connect through
>> "home.myorg.co.uk" If I connect directly to "home" all is fine.
>>
>> TIA
>>
>>
>> Mike
>
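
An added example, not part of the original thread and not any poster's code: a client-side check that reports, for each host name in the question, which security zone the client maps the URL to and whether the app pool account carries the matching HTTP SPN. It assumes Windows PowerShell 5.1 (.NET Framework) on a domain-joined client with setspn.exe available, run as the affected user; the use of Zone.CreateFromUrl and the verdict wording are choices of this example.

```powershell
# Added diagnostic sketch (not from the thread).
# Assumptions: Windows PowerShell 5.1, domain-joined client, setspn.exe on PATH.
$names   = 'home', 'home.myorg.co.uk'   # host names from the question
$account = 'MYORG\vIISService'          # app pool identity from the question

# 1. SPNs registered on the account. setspn -L prints one SPN per indented line.
$spns = & setspn.exe -L $account |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -like 'HTTP/*' }

foreach ($name in $names) {
    # 2. Zone the current user's URL security settings assign to this URL.
    $zone = [System.Security.Policy.Zone]::CreateFromUrl("http://$name/").SecurityZone

    # 3. Does the account carry an SPN for this exact host name?
    #    (-contains is case-insensitive, which suits SPN comparison.)
    $hasSpn = $spns -contains "HTTP/$name"

    # Verdict follows the replies: the SPN must exist, and the site must be
    # in the Intranet zone before IE attempts Kerberos.
    if (-not $hasSpn) {
        $verdict = 'SPN missing on account'
    }
    elseif ($zone -ne [System.Security.SecurityZone]::Intranet) {
        $verdict = 'Not in Intranet zone: Kerberos not attempted'
    }
    else {
        $verdict = 'Intranet zone and SPN present: Kerberos can be attempted'
    }

    [pscustomobject]@{
        Name         = $name
        Zone         = $zone
        SpnOnAccount = $hasSpn
        Verdict      = $verdict
    }
}
```

In the situation described in the thread, the expected pattern is that both SPNs are present while only the dotted name falls outside the Intranet zone.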