Thursday, March 13, 2014

SPNs required when using Kerberos auth for Windows Auth on an ASP.NET website

To use Kerberos authentication:

  • Internet Explorer security settings must be configured to enable Integrated Windows authentication. To enable the browser to respond to a negotiate challenge and perform Kerberos authentication, select the Enable Integrated Windows Authentication check box in the Security section of the Advanced tab of the Internet Options menu, and then restart the browser.


  • If a custom service account is used to run the ASP.NET application, then a Service Principal Name (SPN) must be registered for the account in Active Directory.

To register an SPN, use the Setspn.exe utility by running the following commands from a command prompt:

setspn -A HTTP/webservername domain\customAccountName

setspn -A HTTP/webservername.fullyqualifieddomainname domain\customAccountName
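After registering the two SPNs, it is worth confirming that each one exists exactly once and belongs to the intended account, because an SPN that is missing, held by a different principal, or duplicated across two accounts makes the browser fall back to NTLM or fail outright. The following PowerShell check is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is installed and reuses the page's placeholder host and account names as constructed values.

```powershell
# Added example: verify the HTTP SPNs an ASP.NET site needs are registered
# once, and to the intended service account. Assumes the ActiveDirectory
# module (RSAT). Host and account names are the page's placeholders.
param(
    [string]$WebServer = 'webservername',                          # short name in the URL
    [string]$Fqdn      = 'webservername.fullyqualifieddomainname', # FQDN form of the URL
    [string]$Account   = 'customAccountName'                       # sAMAccountName of the app pool identity
)
Import-Module ActiveDirectory

# Clients build the SPN from the host name typed in the URL, so both forms must exist.
$required = @("HTTP/$WebServer", "HTTP/$Fqdn")

foreach ($spn in $required) {
    # Every directory object (user or computer) that currently holds this SPN.
    # More than one holder is a duplicate: the KDC cannot choose a key and
    # Kerberos silently stops working for the site.
    $holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName |
               Select-Object -ExpandProperty sAMAccountName

    if (-not $holders) {
        # -S registers the SPN only if no other account already holds it.
        Write-Output "MISSING   $spn  -> fix: setspn -S $spn $env:USERDOMAIN\$Account"
    }
    elseif (@($holders).Count -gt 1) {
        Write-Output "DUPLICATE $spn  held by: $($holders -join ', ')"
    }
    elseif ($holders -ne $Account) {
        Write-Output "WRONG     $spn  held by $holders, expected $Account"
    }
    else {
        Write-Output "OK        $spn  -> $Account"
    }
}
```

Run it as a domain user from a machine with RSAT; `setspn -X` gives a domain-wide duplicate report if the check flags a DUPLICATE line.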