Service Principal Name Confusion

Setting up IIS 6.0 with Kerberos authentication on sites using domain accounts to run application pools has always caused me problems. I think this is because I never *really* understood what an SPN was and what it was for. Recently I did some reading and I think I've just about got it licked. I still have one question that I can't find an answer for:

Q. If I change my default application pool to run as a domain user and configure my default website to use Kerberos (i.e. zero host headers) then I can just follow the solution given here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;871179

The KB article more or less says create the following two SPNs:

    setspn -A http/FQDN domain\user
and
    setspn -A http/netbiosname domain\user

The question is, if I create a second website (host header www.wibble.com for example) and disable the original default website, will I have to create a new SPN thus:

    setspn -A http/www.wibble.com domain\user

i.e. Is the SPN related to a particular website or to IIS in general (in which case

    setspn -A http/FQDN domain\user
and
    setspn -A http/netbiosname domain\user

would be enough)?

What if the site was using HTTPS, would I need to set up

    setspn -A https/www.wibble.com domain\user

TIA.

bk

Hi there,

This is a good doco to read:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx

The SPN is based on the name used to access the site. IIS installation should have already created an SPN for the NetBIOS name of the machine (and the default worker process identity). If you add a FQDN, then you will need an SPN for that. If you add another site, or change the FQDN for an existing site, you will need to set another SPN.

Cheers
Ken

"boarding_king" <boardingk***@discussions.microsoft.com> wrote in message news:27C7AFBA-5E81-4339-84F4-5E92A2DB6E14@microsoft.com...
: Setting up IIS 6.0 with Kerberos authentication on sites using domain
: accounts to run application pools has always caused me problems. I think this
: is because I never *really* understood what an SPN was and what it was for.
: Recently I did some reading and I think I've just about got it licked. I
: still have one question that I can't find an answer for:
:
: Q. If I change my default application pool to run as a domain user and
: configure my default website to use Kerberos (i.e. zero host headers) then I
: can just follow the solution given here:
:
: http://support.microsoft.com/default.aspx?scid=kb;en-us;871179
:
: The KB article more or less says create the following two SPNs:
:
: setspn -A http/FQDN domain\user
: and
: setspn -A http/netbiosname domain\user
:
: The question is, if I create a second website (host header
: www.wibble.com for example) and disable the original default website, will I
: have to create a new SPN thus:
:
: setspn -A http/www.wibble.com domain\user
:
: i.e. Is the SPN related to a particular website or to IIS in general (in
: which case
:
: setspn -A http/FQDN domain\user
: and
: setspn -A http/netbiosname domain\user
:
: would be enough)?
:
: What if the site was using HTTPS, would I need to set up
:
: setspn -A https/www.wibble.com domain\user
:
: TIA.
:
: bk
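The rule in the reply above (one SPN per name used to reach a site, registered to the application pool account), worked through as an added example that is not part of the thread or of any Microsoft tool. It also flags an SPN already held by another account, since a duplicate SPN makes Kerberos authentication to that name fail. Assumptions: every account and host name except www.wibble.com is constructed, the `registered` mapping stands in for what `setspn -L` reports per account, and the HTTP service class is used for every binding because Windows clients request it for both http and https URLs.

```python
def required_spns(host_names):
    """One HTTP/<name> SPN per distinct name clients use to reach a site."""
    seen, spns = set(), []
    for name in host_names:
        key = name.strip().lower()          # SPN matching is case-insensitive
        if key and key not in seen:
            seen.add(key)
            spns.append("HTTP/" + name.strip())
    return spns


def plan(host_names, account, registered):
    """Return (commands, conflicts) for the application pool account.

    registered: dict mapping account -> list of SPNs already set on it
                (hypothetical stand-in for per-account `setspn -L` output).
    commands:   `setspn -A` lines still to run.
    conflicts:  (spn, [other accounts]) pairs that must be resolved first.
    """
    owners = {}
    for acct, spns in registered.items():
        for spn in spns:
            owners.setdefault(spn.lower(), set()).add(acct.lower())

    commands, conflicts = [], []
    for spn in required_spns(host_names):
        held_by = owners.get(spn.lower(), set())
        others = sorted(held_by - {account.lower()})
        if others:
            conflicts.append((spn, others))
        elif account.lower() not in held_by:
            commands.append("setspn -A %s %s" % (spn, account))
    return commands, conflicts


# Constructed sample data: names bound to the sites and current registrations.
SITE_NAMES = ["web01", "web01.corp.example", "www.wibble.com",
              "WWW.WIBBLE.COM", "reports.corp.example"]
REGISTERED = {
    r"CORP\svc-apppool": ["http/web01", "http/web01.corp.example"],
    r"CORP\svc-old": ["HTTP/reports.corp.example"],
}

if __name__ == "__main__":
    cmds, clashes = plan(SITE_NAMES, r"CORP\svc-apppool", REGISTERED)
    for line in cmds:
        print("run:     ", line)
    for spn, accts in clashes:
        print("conflict:", spn, "already on", ", ".join(accts))
```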