IT:AD:SetSPN:Issues:In IIS

Server Side

When an IIS application

  • runs under a domain user account instead of under the default network service account, and
  • has kernel-mode authentication disabled (Kernel-Mode = false),

you must set the SPN for the HTTP service under the domain account.

In this scenario, you access the IIS application by using either the NetBIOS name of the server that is running IIS or the FQDN of the server that is running IIS.

Setspn -S HTTP/NETBIOS_NAME_OF_IIS_SERVER domain\username

* Reference http://support.microsoft.com/kb/929650

Client Side

To enable the Negotiate process to select the Kerberos protocol for network authentication, the client application:

  • MUST provide an SPN, a user principal name, or a NetBIOS account name as the target name.

If the client application does not provide a target name, the Negotiate process cannot use the Kerberos protocol. If the Negotiate process cannot use the Kerberos protocol, the Negotiate process selects the NTLM protocol.
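The registration and the client-side check described above, as an added PowerShell example that is not part of the original page. The account name, server names and domain are constructed placeholders (assumptions). It registers the SPN for both the NetBIOS name and the FQDN, since the page says clients may use either.

```powershell
# Constructed placeholder values (assumptions): replace with your own.
$Account = 'CONTOSO\svc-iisapp'             # domain account the IIS application runs under
$NetBios = 'IISSERVER01'                    # NetBIOS name of the IIS server
$Fqdn    = 'iisserver01.contoso.example'    # FQDN of the IIS server

# Server side: register HTTP/<name> for each name clients use to reach the site.
# -S checks for an existing (duplicate) registration before adding the SPN.
$spns = foreach ($hostName in $NetBios, $Fqdn) { "HTTP/$hostName" }
foreach ($spn in $spns) {
    setspn -S $spn $Account
}

# Verify: list the SPNs now registered on the account and flag any that are missing.
$registered = setspn -L $Account
foreach ($spn in $spns) {
    if (-not ($registered -match [regex]::Escape($spn))) {
        Write-Warning "$spn is not registered on $Account; Negotiate will fall back to NTLM for that name."
    }
}

# An SPN registered on more than one account also breaks Kerberos for that name.
# -X searches for duplicate SPNs.
setspn -X

# Client side: after requesting the site, look for a cached service ticket.
# An HTTP/<server> entry means Negotiate selected Kerberos; none suggests NTLM was used.
klist | Select-String -Pattern 'HTTP/'
```

Run the server-side part with rights to write the account's servicePrincipalName attribute, and run `klist` in the session of the user who accessed the site.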

  • Last modified: 2023/11/04 23:02