Setting the Service Principal Name for Kerberos Authentication

The Application Pool of CCF web services on the IIS server must be configured to have a specific domain account (CCF\ASPUSER) as its identity instead of the default account (Network Service). In order to have Kerberos authentication working properly, a Service Principal Name (SPN) for the CCF\ASPUSER account must be registered for the HTTP service running on the <IISSvr> machine.

Register the SPN, in Active Directory, on the account that runs the IIS worker process. This guide runs the setspn command on the domain controller (where Active Directory is installed); the command works from any domain-joined machine that has setspn.exe, provided the logged-on user is allowed to write the servicePrincipalName attribute of the target account. By default, when a computer joins the domain, Active Directory registers HOST SPNs for its NetBIOS name and FQDN on the computer account, and the HTTP service class falls back to HOST. That is why the Network Service or Local System account can accept Kerberos for IIS without any extra SPN, and why a custom domain account cannot. Be aware that once an HTTP SPN is tied to a user account, any authenticated domain principal can request a service ticket for it; that ticket is encrypted with the account's password hash and can be guessed offline, so give ASPUSER a long, random password.

IIS 7.0 provides the option of using kernel mode authentication (the default for Windows authentication in IIS 7.0). In this case the service ticket is decrypted with the machine account's key, so the SPN in use is effectively the machine account's irrespective of the security principal hosting the worker process. This simplifies SPN management and improves performance, because authentication is handled by HTTP.sys in kernel mode rather than in the worker process.

If you are not using kernel mode authentication, the configuration and limitations are similar to those of IIS 6.0. If your web application pool runs under a custom domain account, the SPN must be registered for that user account rather than the machine account; otherwise the KDC issues tickets encrypted with the machine account's key, the worker process cannot decrypt them, and Kerberos authentication fails (clients typically fall back to NTLM). Because an SPN is derived from the host name and may be registered on only one account, all web applications hosted on the machine under that host name must run their application pools under the same identity.

In a web farm, with multiple load-balanced web servers deployed, ensure that:

  • All web application pools that are part of the web farm run under a custom domain user account, and the SPN for the virtual (load-balanced) host name is registered under that domain user account.
  • Kernel mode authentication is disabled on all web sites that are part of the web farm, so that tickets are decrypted with the shared account's key rather than with each node's own machine key.
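The two web-farm settings above, applied to a single IIS 7.x node, as an added example that is not part of the original page or the CCF product. It drives appcmd.exe, which ships with IIS 7.0, and assumes a site named "Default Web Site", an application pool named "CCFPool" and the identity CCF\ASPUSER; change the parameters to match your farm. The SPN for the virtual host name is registered separately with setspn, as described later on this page.

```powershell
# Added example (not from the original page): configure one web-farm node so
# that its CCF application pool runs as the shared domain account and the site
# no longer uses kernel-mode authentication.
# Assumptions: IIS 7.x, site "Default Web Site", pool "CCFPool", identity
# CCF\ASPUSER, appcmd.exe in %SystemRoot%\System32\inetsrv.
param(
    [string] $Site    = 'Default Web Site',
    [string] $Pool    = 'CCFPool',
    [string] $Account = 'CCF\ASPUSER',
    # Prompt rather than taking the password on the command line, so it does
    # not end up in shell history or a process listing.
    [Security.SecureString] $Password = (Read-Host -AsSecureString "Password for $Account")
)

$appcmd  = Join-Path $env:SystemRoot 'System32\inetsrv\appcmd.exe'
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'

# 1. Run the pool as the domain account that owns HTTP/<virtual host name>.
#    appcmd needs the clear-text password; IIS stores it encrypted in
#    applicationHost.config.
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
             [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password))
& $appcmd set apppool $Pool "/processModel.identityType:SpecificUser" `
    "/processModel.userName:$Account" "/processModel.password:$plain" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "could not set the identity of pool $Pool" }

# 2. Disable kernel-mode authentication for the site. With it enabled, HTTP.sys
#    would decrypt tickets with this node's machine-account key, which does not
#    match the SPN registered on the shared account.
& $appcmd set config $Site "-section:$winAuth" /useKernelMode:false /commit:apphost | Out-Null
if ($LASTEXITCODE -ne 0) { throw "could not change $winAuth for site $Site" }

# Read the effective settings back; run this on every node and compare.
& $appcmd list config $Site "-section:$winAuth"
```

Run the script on each node of the farm. An alternative on IIS 7.x is to keep kernel mode on and set useAppPoolCredentials to true on the same section, which makes HTTP.sys decrypt tickets with the pool identity's key instead of the machine account's; the page's own guidance, disabling kernel mode, is the simpler of the two to verify.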

For more information about Integrated Windows Authentication, see the MSDN article. For more information about Configuring Constrained Delegation for Kerberos, see the MSDN article about Kerberos authentication.

Note

SPN configuration is required only for Kerberos authentication from clients on other machines; it is not required when a client authenticates to a service hosted on the same machine.

To set the Service Principal Name for Kerberos Authentication:

Machine: <DomainController>

Login User: Domain administrator

  1. Install the support tools from the Windows installation CD. The support tools are located in the SUPPORT\TOOLS folder on the Windows installation CD-ROM. Navigate to that location and double-click the suptools.msi file to start the installation wizard. The support tools are also available as a download from Microsoft. (On Windows Server 2008 and later, Setspn.exe is included with the operating system in %SystemRoot%\System32 and this step is not needed.)

  2. Open a command window and set the current directory to <OSDrive>\Program Files\Support Tools. You will use Setspn.exe to create two SPNs for the IIS machine, one for its NetBIOS name and one for its fully qualified domain name, because clients build the SPN from whichever name they use in the URL. The syntax pattern for the two commands is shown in the next two steps.

  3. Register the SPN for the NetBIOS name:

     setspn -A HTTP/IISHost MyDomain\MyServiceAccount

  4. Register the SPN for the fully qualified domain name:

     setspn -A HTTP/IISHost.MyDomain.com MyDomain\MyServiceAccount

  5. Restart the machine.

The following scenarios give example commands to set SPNs:

Scenario 1: The NetBIOS name of the IIS server is CCFIIS

In these examples, assume the following names:

  • CCF – The CCF domain where the machines reside.
  • CCFIIS – The NetBIOS name of the IIS machine (that is, the <IISSvr> placeholder used above).
  • CCFIIS.ccf.demo – The FQDN of the IIS machine.
  • CCF\ASPUSER – The ASPUSER account created in the section Creating the ASPUSER User Account.

The following is a CCF example; the actual names may differ in your environment. At the command prompt, type the following command and press Enter:

Setspn.exe -A HTTP/CCFIIS CCF\ASPUSER

At the returned command prompt, type the following command and press Enter:

Setspn.exe -A HTTP/CCFIIS.ccf.demo CCF\ASPUSER

Scenario 2: The NetBIOS name of the IIS server is something other than CCFIIS.

In these examples, assume the following names:

  • CONTOSO1 – The NetBIOS name of the IIS machine in this case.
  • CONTOSO1.ccf.demo – The FQDN of the IIS machine.
  • CCFIIS.ccf.demo – A DNS host name that also resolves to the IIS machine and under which clients reach the CCF web services.
  • CCF\ASPUSER – The ASPUSER account created in the section Creating the ASPUSER User Account.

Then, run the following commands from the command prompt. Registering all three names covers clients that build the SPN from the name typed in the URL as well as clients that resolve a CNAME to the canonical host name before building it.

  1. Setspn.exe -A HTTP/CONTOSO1 CCF\ASPUSER
  2. Setspn.exe -A HTTP/CONTOSO1.ccf.demo CCF\ASPUSER
  3. Setspn.exe -A HTTP/CCFIIS.ccf.demo CCF\ASPUSER

Scenario 3: No DNS host names are created for the IIS machine

In these examples, assume the following names:

  • CONTOSO1 – The NetBIOS name of the IIS machine in this case.
  • CONTOSO1.ccf.demo – The FQDN of the IIS machine, rather than CCFIIS.ccf.demo.
  • CCF\ASPUSER – The ASPUSER account created in the section Creating the ASPUSER User Account.

Then, run the following commands from the command prompt.

  1. Setspn.exe -A HTTP/CONTOSO1 CCF\ASPUSER
  2. Setspn.exe -A HTTP/CONTOSO1.ccf.demo CCF\ASPUSER
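The registration procedure above and its three scenarios, as one added PowerShell example that is not part of the original page or the CCF product. It generalizes the scenarios: the NetBIOS name and FQDN are always registered, and any extra names (the CCFIIS.ccf.demo alias of Scenario 2, or a web farm's virtual host name) are passed in -ExtraHosts. Before each setspn -A it searches Active Directory for an existing owner of the SPN, which plain setspn -A on the Windows Server 2003 Support Tools does not do. Assumed values: host CCFIIS, DNS domain ccf.demo, account CCF\ASPUSER, and Setspn.exe on the PATH; the directory search is scoped to the current domain.

```powershell
# Added example (not from the original page): register the HTTP SPNs for the IIS
# worker-process account without creating duplicates, then list the result.
# Assumptions: host CCFIIS, DNS domain ccf.demo, account CCF\ASPUSER, setspn.exe
# on the PATH (Support Tools on Windows Server 2003; built in on 2008 and later),
# and a logged-on user allowed to write servicePrincipalName on the account.
param(
    [string]   $IisHost    = 'CCFIIS',
    [string]   $DnsDomain  = 'ccf.demo',
    [string]   $Account    = 'CCF\ASPUSER',
    [string[]] $ExtraHosts = @()   # DNS alias or web-farm virtual host name, if any
)

# The client derives the SPN from the name it used in the URL, so the NetBIOS
# name, the FQDN and every alias each need their own HTTP/ entry.
$spns = (@($IisHost, "$IisHost.$DnsDomain") + $ExtraHosts) | ForEach-Object { "HTTP/$_" }

# Resolve the service account to its distinguished name (current-domain search).
$sam    = $Account.Split('\')[-1]
$result = ([ADSISearcher] "(sAMAccountName=$sam)").FindOne()
if (-not $result) { throw "account $Account not found in the current domain" }
$accountDn = $result.Properties['distinguishedname'][0]

# Return the DN of every object that already holds this SPN. The KDC cannot
# choose between two owners, so a duplicate breaks Kerberos for both and
# clients silently fall back to NTLM.
function Get-SpnOwner([string] $Spn) {
    ([ADSISearcher] "(servicePrincipalName=$Spn)").FindAll() |
        ForEach-Object { $_.Properties['distinguishedname'][0] }
}

foreach ($spn in $spns) {
    $owners = @(Get-SpnOwner $spn)
    if ($owners.Count -eq 0) {
        # Equivalent to typing "Setspn.exe -A HTTP/CCFIIS CCF\ASPUSER" at the prompt.
        & setspn.exe -A $spn $Account | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "setspn -A failed for $spn" }
        Write-Host "registered $spn on $accountDn"
    }
    elseif ($owners.Count -eq 1 -and $owners -contains $accountDn) {
        Write-Host "already present: $spn on $accountDn"
    }
    else {
        # Typical cause: the SPN was put on the machine account or on another
        # service account earlier and the pool identity was changed since.
        throw "$spn is already registered on: $($owners -join '; '). Remove it there (setspn -D) before adding it to $Account."
    }
}

# Final check: everything registered for the account (same as "Setspn.exe -L").
& setspn.exe -L $Account
```

For Scenario 2, run it as `.\Register-CcfSpn.ps1 -IisHost CONTOSO1 -ExtraHosts CCFIIS.ccf.demo`; for a web farm, pass the load-balanced host name in -ExtraHosts and run it once, not once per node. Clients that already hold a ticket or an NTLM session for the server keep using it until they obtain a fresh ticket; logging the client off and on again, or purging its ticket cache, achieves what the restart in step 5 achieves.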