IE Kerberos failure on some machines with CNAME web server (with SPN for host's A record)
Posted
by
Eric Thames
on Server Fault
See other posts from Server Fault
or by Eric Thames
Published on 2011-02-23T06:14:35Z
Indexed on
2011/02/23
7:27 UTC
Read the original article
Hit count: 596
It's fairly well known that IE doesn't like to do Kerberos against hosts that are registered in DNS as CNAMEs. What happens is that IE turns around and uses the underlying A record for the host for looking up the Service Principal Name (SPN).
On a test network we are able to get Kerberos working by having the SPN registered for the A record of the host, so that Kerberos authentication happens successfully when accessing the web server via it's CNAME in the browser. Kerberos authentication works properly when directly accessing the web server with the A record host in the URL, but for various reasons that are beyond my control, it is desired to use the CNAME.
On the production network, this same configuration fails though and I can't figure out why. Any thoughts?
This is a java web application using the SPNEGO library - not IIS. Kerberos authentication is working properly in both the test and production networks (and has been confirmed to not fail back to NTLM), but the CNAME access only works in test.
© Server Fault or respective owner