Kerberos Authentication Not Working

Well there could be a large number of reasons why your Kerberos Delegation may not appear to be working, but I’m just going to quickly cover one reason here and it’s to do with DNS names.  I had this issue today and it took me a while to drag it out of my memory, but I got there eventually.

If you have a single-part host header for your website such as http://myintranet then you MUST define two SPNs for your site if you want to run it under Kerberos.  So if your root fully qualified domain name (FQDN) is mydomain.local and your Application Pool account name for your Web Application which you want to run under Keberos is  mydomain\myapppoolaccount, then you must declare the following two SPNs:

setspn -S HTTP/myintranet mydomain\myapppoolaccount
setspn -S HTTP/myintranet.mydomain.local  mydomain\myapppoolaccount

The reason is you don’t have a ‘dot’ in your domain name, so Kerberos decides that the SPN is actually referring to a machine name, even though it isn’t, and sticks the DNS suffix on the end of the transited service, so if you don’t declare the FQDN SPN, Kerberos will fail.

Fell for this one today and cost me some time.  Once I declared the second FQDN SPN everything clicked in.


Dave Mc

About davemcmahon81
Software Developer & Architect, User Group Leader, Speaker, Writer, Blogger, Occasional Guitarist, Man-made Global Warming Sceptic, Climate Change Believer, General Optimist but most of all proud Husband and Dad ...

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: