Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5
In continuation to one of my earlier posts which focused on IIS 6.0 this post is more about the confusion that may arise around SPNs for setting up Kerberos authentication in IIS 7.0. IIS 7.0 has a new Kernel-mode authentication feature using which the ticket for the requested service is decrypted using Machine account (Local system) of the IIS server. It no longer depends upon the application pool Identity for this purpose by default and in turn improves the performance.
Here is how it looks like.
So what does this mean?
You no longer need to worry about the correlation between HTTP SPNs and the Application pool Identity that was required in the earlier version i.e. IIS 6.0. But that's not blindly true. There has been some confusion whether we don't have to care at all about SPNs or may have to depending upon the settings. Here is a checklist to give more clarity for different scenarios that you may fall under:
SCENARIO 1a
| IIS 7.0 Web Site/Application | |
| Authentication | Integrated Windows authentication |
| Application Pool Identity | NETWORK SERVICE |
| Kernel-Mode authentication | Enabled (<attribute name="useKernelMode" type="bool" defaultValue="true" /> in the ApplicationHost.config file) |
| Site URL | Accessed with the NetBIOS name, like https:// <myIISserver-NetBIOS-name> /Default.aspx |
SPNs will be required ONLY for the IIS machine account:
| HOST/<myIISserver-NetBIOS-name> |
| HOST/<myIISserver-NetBIOS-name.fully-qualified-domainname> for e.g. HOST/myIISserver.mydomain.com |
***Note: By default HOST/<myIISserver-NetBIOS-name> and HOST/<myIISserver-NetBIOS-name.fully-qualified-name> is already added for the machine account when a machine is added to a domain and HTTP forms a part of HOST. So you may not have to do anything special here for SPNs. Everything should be set by default.
You can check the set of existing SPNs for the machine account by running the following command:
> Setspn.exe -L <myIISserver-NetBIOS-name> or directly using a Snap-in like Adsiedit.msc.
SCENARIO 1b
| IIS 7.0 Web Site/Application | |
| Authentication | Integrated Windows authentication |
| Application Pool Identity | Custom account for e.g. Domain1\Username1 |
| Kernel-Mode authentication | Enabled (<attribute name="useKernelMode" type="bool" defaultValue="true" /> in the ApplicationHost.config file) |
| Site URL | Accessed with the NetBIOS name, like https:// <myIISserver-NetBIOS-name> /Default.aspx |
The SPN requirements remain the same as above. You don't have to add SPNs like http/ <myIISserver-NetBIOS-name> for the Domain1\Username1 unlike in IIS 6.0 (where we had to add an SPN of the form http/<myIISserver-NetBIOS-name> for the Application Pool identity).
SPNs will be required ONLY for the IIS machine account:
| HOST/<myIISserver-NetBIOS-name> |
| HOST/<myIISserver-NetBIOS-name.fully-qualified-domainname> for e.g. HOST/myIISserver.mydomain.com |
***Note: By default HOST/<myIISserver-NetBIOS-name> and HOST/<myIISserver-NetBIOS-name.fully-qualified-name> is already added for the machine account when a machine is added to a domain and HTTP forms a part of HOST. So you may not have to do anything special here for SPNs. Everything should be set by default.
You can check the set of existing SPNs for the machine account by running the following command:
> Setspn.exe -L <myIISserver-NetBIOS-name> or directly using Snap-in like Adsiedit.msc.
SCENARIO 2a
| IIS 7.0 Web Site/Application | |
| Authentication | Integrated Windows authentication |
| Application Pool Identity | NETWORK SERVICE |
| Kernel-Mode authentication | Enabled (<attribute name="useKernelMode" type="bool" defaultValue="true" /> in the ApplicationHost.config file) |
| Site URL | Accessed with a Custom Host name, like https://www.mysite.com |
SPNs will be required ONLY for the IIS machine account in the following format:
| HTTP/ <site-custom-name> for e.g. HTTP/www.mysite.com |
You can add an SPN using Setspn.exe like
> Setspn -a http/ <site-custom-name> <myIISserver-NetBIOS-name>
where <myIISserver-NetBIOS-name> is the IIS machine account and <site-custom-name> is the custom host/host header name for the Web Site URL.
e.g. > Setspn -a http/www.mysite.com <myIISserver-NetBIOS-name>
*The command is NOT case sensitive
You can check the existing set of SPNs for the machine account by running the following command:
> Setspn.exe -L <myIISserver-NetBIOS-name>
SCENARIO 2b
| IIS 7.0 Web Site/Application | |
| Authentication | Integrated Windows authentication |
| Application Pool Identity | Custom account for e.g. Domain1\Username1 |
| Kernel-Mode authentication | Enabled (<attribute name="useKernelMode" type="bool" defaultValue="true" /> in the ApplicationHost.config file) |
| Site URL | Accessed with a Custom host/Host header name, like https://www.mysite.com |
SPNs will be required ONLY for the IIS machine account and NOT for Domain1\Username1 account unlike in IIS 6.0.
| HTTP/ <site-custom-name> for e.g. HTTP/www.mysite.com |
You can add an SPN using Setspn.exe like
> Setspn -a http/<site-custom-name> <myIISserver-NetBIOS-name> where <myIISserver-NetBIOS-name> is the IIS machine account and <site-custom-name> is the custom host/host header name for the Web Site URL.
e.g. > Setspn -a http/www.mysite.com <myIISserver-NetBIOS-name>
*The command is NOT case sensitive
You can check the existing set of SPNs for the machine account by running the following command:
> Setspn.exe -L <myIISserver-NetBIOS-name>
Special case of running IIS 7.0 in a WEB FARM
If you are running IIS 7.0 server in a Web farm the KDC will not know in advance which individual server the request may go to and hence ticket decryption may fail. Hence in such a scenario instead of registering SPNs under a specific machine account use a domain account. I am not a SharePoint guy but based on what I have read on the Web this scenario is also applicable to a single SharePoint server configuration.
There are two ways to go:
Either
Disable Kernel mode authentication and follow the general steps for Kerberos as in the previous IIS 6.0 version. Refer this.
Or,
[Recommended for Performance reasons]
Let Kernel mode authentication be enabled and the Application pool's identity be used for Kerberos ticket decryption. The only thing you need to do here is:
1. Run the Application pool under a common custom domain account.
2. Add this attribute "useAppPoolCredentials" in the ApplicationHost.config file.
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
</authentication>
</security>
</system.webServer>
Remember there is no GUI setting for this. You need to modify the ApplicationHost.config file from
<%SystemDrive%>/Windows/System32/inetsrv/config folder on the IIS 7.0 machine.
3. Add the SPNs in the form:
http/<virtualhost-name> and
http/<virtualhost-name.fully-qualified-name> for the Application Pool Identity.
Ensure that we don't have such an entry for SPNs for any other account including IIS server machine account.
***If we have the same SPN mapped to multiple accounts (be it a machine or an user account) it leads to Duplicate SPNs and will break Kerberos.
Hope this helps!
Comments
Anonymous
January 19, 2009
This post is more about the confusion that may arise around SPNs for setting up Kerberos authenticationAnonymous
March 17, 2009
There has been a known issue around Server going into a blue screen (OS crash) when you have Windows Authentication and Kernel Mode authentication enabled plus you have the useAppPoolCredentials attribute set to true in the authentication section in the Applicationhost.config file. *Ensure that you apply the following hotfix to the IIS 7.0 Server. http://support.microsoft.com/kb/962943Anonymous
March 13, 2012
Dear Saurabh, Thanks a lot for these useful info. We would like to deploy on the same server an IIS web server (7 or 7.5) and a Tomcat web server, both using Windows Authentication/Spnego. For Tomcat, we use http://spnego.sourceforge.net/ and it works fine but we have to define a SPN (HTPP/<server-NetBIOS-name.fully-qualified-domainname>). In that case, can we still use Kernel-mode authentication or should we disable it and configure the application pool identity to use the system account linked to the SPN? Thanks, Benoit