Whereas the previous tip was mostly targeted at SQL related stuff, this one will go back to the basics. Whenever you’re doubting Service Prinicpal Name (SPN) registration, you can start using setspn. With each new version of Windows the setspn command line utility has been extended. The options below are based on the Windows 2008 R2 setspn.
- setspn –x: allows you to do a quick check for duplicate SPN’s in the domain. Which in turn might explain why you are falling back to NTLM
- setspn –l: allows you to list the registered SPN’s for a given machine or user account
- setspn –q: allows you to query for a given SPN
- setspn –d: allows you to remove a given SPN from a given account
- setspn –a: allows you to register a SPN for a given account: try to avoid this one, use setspn –s (and –f) instead.
- setspn –s: allows you to regsiter a SPN for a given account after verifying no duplicates exist in the domain
- setspn –f –s: allows you to regsiter a SPN for a given account after verifying no duplicates exist in the forest
Whenever registering SPN’s you have to carefully construct it: what service is it for, which name will be used to access it, and what port is it running at. For most services this is straightforward, but Internet Explorer as a web browsing client complicates this. IE6, IE7 and IE8 still ignore the port entered in the address bar. They even ignore the name if it is a CNAME record. Why is there a difference between a CNAME and A record?
In the screenshot you can clearly see that in the first case (A record) the “alias.home.local” resolves to an IP address. However with a CNAME record, the “cname.home.local” resolves to the “dc01.home.local” and then to the IP address. If you are browsing with IE to cname.home.local, a SPN will be queried for using “dc01.home.local”.
Therefore it’s advised to always use A records for your web sites. And keep in mind that registering the port in the SPN for HTTP web sites is mostly in vain. You can alter this behavior according to KB908209: Internet Explorer 6 cannot use the Kerberos authentication protocol to connect to a Web site that uses a non-standard port in Windows XP and in Windows Server 2003 It says IE6 in the title but in the applies to section IE7 and IE8 are mentioned as well. In case you really aren’t getting where you want with the SPN’s if you can’t include the port number you could create the registry keys as described in the KB article.
So as a final tip for today, make sure to use ping whenever troubleshooting your SPN’s. It will show you how and if the name you registered the service under is reachable.
No Response to "Kerberos Basic Troubleshooting: Tip 3"
Add Your Comment