In a previous post I explained how to configure Impersonation and Delegation in ASP.Net (for the Windows Server 2008 and IIS7 case at least). Turns out there’s one extra little step required.

After all that setup, I could use Internet Explorer to browse to the site fine – integrated Windows Authentication would let me in. However, as the DNS had yet to be set up, and the web server and the website had the same IP address, I was browsing using the machine name, e.g. http://machine.domain/website instead of http://dnsname.co.uk/website.

When the DNS was set up and I tried to browse to the website, I got a Windows user name & password box popping up. After 3 tries I was denied access (a 401 error). Just changing the DNS name to the machine name in the location bar let me in, even though they were both the same IP address!

Using Fiddler, I could see the initial client GET request, and the server’s 401 challenge response, including a WWW-Authenticate header set to “Negotiate”. This occurred in both cases (browsing to the DNS name and to the machine name). However, the client response to this challenge was different in each case. The Negotiate token the client sent to the DNS name was much shorter than the one sent to the machine name. Clearly something was telling the client not to send the proper Kerberos authentication token to the DNS name.
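The shorter token is what a Windows client sends when it cannot get a Kerberos ticket: it falls back to NTLM, either raw or wrapped in SPNEGO. The following is an added example, not code from the post, that tells the two apart directly from the Authorization header a proxy such as Fiddler shows you; the sample tokens are constructed in the script (an NTLM type 1 message and a placeholder standing in for a real AP-REQ), so the byte lengths are only indicative.

```python
"""Classify the credential in an HTTP 'Authorization: Negotiate' header:
raw NTLM, NTLM inside SPNEGO, or Kerberos inside SPNEGO.
Added example for this post; sample tokens are constructed, not captures."""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded OBJECT IDENTIFIERs (tag 0x06, length, contents)
SPNEGO_OID = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10


def _der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def classify_negotiate_token(header_value):
    """Label the token in an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:          # binascii.Error is a ValueError
        return "undecodable"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm-raw"       # the fallback IE sends when no ticket is available
    if token[:1] == b"\x60" and SPNEGO_OID in token[:16]:
        # Decide by what the mechToken carries: the mechTypes list only says
        # what the client supports, not which mechanism it actually sent.
        if NTLMSSP_SIGNATURE in token:
            return "ntlm-in-spnego"
        if KRB5_OID in token or MS_KRB5_OID in token:
            return "kerberos-in-spnego"
        return "spnego-unknown-mech"
    if token[:1] == b"\x60" and KRB5_OID in token[:16]:
        return "kerberos-raw"
    return "unknown"


def build_ntlm_type1():
    """Constructed NTLM NEGOTIATE_MESSAGE: signature, type 1, flags, empty
    domain and workstation fields (flag value chosen for illustration)."""
    return NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0xE2088297) + b"\x00" * 16


def build_spnego_init(mech_oids, mech_token):
    """Wrap mech_token in an SPNEGO NegTokenInit (RFC 4178 layout)."""
    mech_type_list = _der(0x30, b"".join(mech_oids))
    neg_token_init = _der(0x30, _der(0xA0, mech_type_list) + _der(0xA2, _der(0x04, mech_token)))
    return _der(0x60, SPNEGO_OID + _der(0xA0, neg_token_init))


def build_fake_kerberos_token(padding=1200):
    """Placeholder for a GSS-API Kerberos AP-REQ: OID, TOK_ID 0x0100, then
    filler bytes where the ticket would be (constructed, not a real ticket)."""
    return _der(0x60, KRB5_OID + b"\x01\x00" + b"\x00" * padding)


def sample_headers():
    """Constructed Authorization header values for the three cases."""
    ntlm = build_ntlm_type1()
    krb = build_spnego_init([KRB5_OID, NTLMSSP_OID], build_fake_kerberos_token())
    ntlm_spnego = build_spnego_init([NTLMSSP_OID], ntlm)
    enc = lambda t: "Negotiate " + base64.b64encode(t).decode("ascii")
    return {"ntlm": enc(ntlm), "kerberos": enc(krb), "ntlm_spnego": enc(ntlm_spnego)}


def diagnose_request(raw_request):
    """Find the Authorization header in a raw HTTP request (as a proxy shows it)
    and report what it carries plus its base64 length."""
    for line in raw_request.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            value = value.strip()
            _, _, b64 = value.partition(" ")
            return {"kind": classify_negotiate_token(value),
                    "token_base64_chars": len(b64.strip())}
    return {"kind": "no-authorization-header", "token_base64_chars": 0}


if __name__ == "__main__":
    for name, header in sample_headers().items():
        req = "GET /website/ HTTP/1.1\r\nHost: dnsname.co.uk\r\nAuthorization: %s\r\n\r\n" % header
        print(name, diagnose_request(req))
```

A raw NTLM token always base64-encodes to a string starting with `TlRMTVNTUAAB` (that is `NTLMSSP\0` followed by message type 1), which is the quickest thing to look for in a Fiddler session; anything starting with `YII` is an ASN.1 application tag and so SPNEGO or raw Kerberos.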

Just looking at the HTTP traffic was not enough here – for cases like these a lower-level tool like Microsoft’s Network Monitor is required, or Wireshark if you’re feeling hardcore. This showed that the client was encountering a Kerberos error. A bit of searching around this and…

A magic SPN setting will solve this, all explained in a handy MSDN article. You will need to run this command (I ran it on the web server itself, however this may not be necessary):

setspn -A HTTP/[dns name of the site] [machine name]

Then a reboot of the web server, and a few hours’ wait for the settings to propagate around the domain. This will allow clients to send complete Kerberos authentication tokens to the website. Problem solved!
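The reason the machine name worked and the DNS name did not, even with one IP address, is that Kerberos never looks at the IP: the client asks the KDC for HTTP/<host as typed in the URL>, and a computer account only holds HOST/ SPNs for its own names by default (HTTP is one of the service classes the KDC folds into HOST/). The following is an added example, not code from the post or from Microsoft, that models that lookup and the setspn fix; the accounts, SPN sets and the subset of mapped service classes are constructed for illustration.

```python
"""Model of SPN selection and lookup, showing why http://machine.domain/ got
a Kerberos ticket while http://dnsname.co.uk/ fell back to NTLM.
Added example for this post; accounts and SPN sets are constructed."""
from urllib.parse import urlsplit

# Service classes the KDC folds into HOST/ via the default sPNMappings
# attribute (a subset of the real list; "http" is the one that matters here).
HOST_MAPPED_CLASSES = {"http", "www", "cifs", "rpc", "dns"}


def spn_for_url(url):
    """The SPN an IE/WinHTTP client asks the KDC for: HTTP/<host from the URL>."""
    host = urlsplit(url).hostname          # urlsplit lower-cases the host
    if not host:
        raise ValueError("URL has no host: %r" % url)
    return "HTTP/" + host


def _key(spn):
    return spn.lower()                     # SPN comparison is case-insensitive


def default_computer_spns(machine, domain):
    """SPNs a domain-joined computer account gets automatically (constructed:
    the web server 'machine' in 'domain')."""
    acct = machine.upper() + "$"
    return {_key("HOST/" + machine): acct,
            _key("HOST/%s.%s" % (machine, domain)): acct}


def resolve_spn(spn, registry):
    """Account whose key the KDC would use for a ticket to `spn`: exact match
    first, then the HOST/ alias for mapped service classes, else None."""
    if _key(spn) in registry:
        return registry[_key(spn)]
    svc, _, host = spn.partition("/")
    if svc.lower() in HOST_MAPPED_CLASSES:
        return registry.get(_key("HOST/" + host))
    return None


def register_spn(registry, spn, account):
    """Mirror of `setspn -S` (the -A of the post plus a duplicate check): add
    the SPN unless another account already holds it, since a duplicate SPN
    breaks Kerberos for both accounts."""
    holder = registry.get(_key(spn))
    if holder is not None and holder.upper() != account.upper():
        raise ValueError("%s already registered to %s" % (spn, holder))
    registry[_key(spn)] = account
    return registry


def diagnose(url, registry):
    """What a Negotiate client ends up sending for this URL."""
    spn = spn_for_url(url)
    account = resolve_spn(spn, registry)
    return {"spn": spn, "account": account,
            "outcome": "kerberos" if account else "ntlm-fallback"}


if __name__ == "__main__":
    reg = default_computer_spns("machine", "domain")
    for url in ("http://machine.domain/website", "http://dnsname.co.uk/website"):
        print(url, diagnose(url, reg))
    # The fix from the post, modelled: setspn -S HTTP/dnsname.co.uk MACHINE$
    register_spn(reg, "HTTP/dnsname.co.uk", "MACHINE$")
    print("after setspn:", diagnose("http://dnsname.co.uk/website", reg))
```

Two practical checks follow from the model: run `setspn -Q HTTP/dnsname.co.uk` (or `setspn -X` for a domain-wide duplicate scan) before adding the SPN, because a second holder is as fatal as no holder; and register the SPN on whichever account actually decrypts the ticket, which is the computer account only while the application pool runs as a built-in identity. If the pool runs as a domain user, as a delegation setup usually requires, the SPN belongs on that user account instead.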

2 comments so far

  1. UPDATE: That might not be all! See Part 2.

  2. Thank you very much for writing about this, it has come in very useful!