Windows Server Forum / IIS / IIS Security / July 2008

Kerberos - Multi-domain SPN problem

bake - 07 Jul 2008 23:09 GMT
I have an interesting problem with Kerberos and our network setup. I'll try
to keep it simple.

Client user is ADDomain1.com/user.
IIS Web Site service account user is ADDomain2.com/serviceuser.
DNS alias points to web site via website.NotAnADDomain.com.
ADDomain1.com and ADDomain2.com have 2 way full trusts.

The actual URL we want to use is http://website.NotAnADDomain.com (which is
obviously not an AD domain, just domain setup via DNS). So we register the
SPN as:
SetSPN -A HTTP\host1.NotAnADDomain.com ADDomain2.com/serviceuser

So when ADDomain1.com/user talks to ADDomain1.DC (KDC) to get the Kerberos
ticket, we get a KDC_ERR_S_PRINCIPAL_UNKNOWN error ("Server not found in
Kerberos database").

I assume that is due to the HTTP\website.NotAnADDomain.com SPN; the
ADDomain1 DC/KDC does not even know to point the ADDomain1.user to
ADDomain2.KDC to get the kerberos ticket. Is that right?

Is there a mapping we can put in that would tell ADDomain1.KDC that when it
gets a request for that SPN/host (website.NotAnADDomain.com), it should point
the client to the DC/KDC in ADDomain2 where the serviceuser account exists?

Maybe something in the domain trusts, or perhaps the HostToRealm registry
key (not much documentation on that)?

Thanks so much. I'll try to hold a day or 2 before cross posting in other
security newsgroups.
Ken Schaefer - 08 Jul 2008 01:52 GMT
Hi,

Add website.NotAnADDomain.com as an additional UPN for ADDomain2

In the Forest Trust properties, configure UPN suffix routing for
website.NotAnADDomain.com across the trust

Now the DCs in ADDomain1 know that they can refer clients to DCs in
ADDomain2 for a service ticket

Cheers
Ken

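The procedure Ken describes, written out as an added example (it is not code from the thread or from any of the posters). It uses the names from the thread (ADDomain1.com, ADDomain2.com, NotAnADDomain.com, serviceuser); the host name "website", the trust name and the account path are assumptions. It assumes the ActiveDirectory PowerShell module (RSAT), Enterprise Admin rights in ADDomain2.com, and setspn.exe, netdom.exe and klist.exe on the path.

```powershell
# Added example: register the SPN, publish the DNS-only suffix as a UPN suffix
# of the service forest, route it across the forest trust, then verify from a
# client in ADDomain1. Names follow the thread; "website" is assumed.
Import-Module ActiveDirectory

$ServiceForest = 'ADDomain2.com'      # forest that holds serviceuser
$ClientForest  = 'ADDomain1.com'      # forest the browser user logs on to
$Suffix        = 'NotAnADDomain.com'  # DNS-only domain of the web site
$Spn           = "HTTP/website.$Suffix"
$ServiceAcct   = 'ADDomain2\serviceuser'

# 1. Register the SPN on the service account. -S (setspn in Server 2008 and
#    later) refuses to create a duplicate; use -A on older tools, but check
#    with "setspn -Q $Spn" first, because a duplicate SPN also breaks Kerberos
#    for the site. Note the separator is a forward slash: HTTP/host.
setspn -S $Spn $ServiceAcct
setspn -L $ServiceAcct            # confirm the SPN is listed on the account

# 2. Add the DNS-only suffix as an alternative UPN suffix of the service
#    forest, so it becomes a name suffix the forest trust can route.
Set-ADForest -Identity $ServiceForest -UPNSuffixes @{ Add = $Suffix }
(Get-ADForest -Identity $ServiceForest).UPNSuffixes

# 3. On the client forest's side of the trust, list the routed name suffixes.
#    A suffix added after the trust was created shows up as new/disabled and
#    must be enabled; /ToggleSuffix takes the index shown in the listing
#    (read it from the output, it is not stable across runs).
netdom trust $ClientForest /domain:$ServiceForest /NameSuffixes:$ServiceForest
# netdom trust $ClientForest /domain:$ServiceForest /NameSuffixes:$ServiceForest /ToggleSuffix:3
# GUI equivalent: AD Domains and Trusts > trust properties > Name Suffix Routing,
# enable "*.NotAnADDomain.com".

# 4. On a client logged on as ADDomain1\user: drop cached tickets, request a
#    service ticket for the SPN, and confirm it was issued (a referral to the
#    ADDomain2 KDC now replaces KDC_ERR_S_PRINCIPAL_UNKNOWN).
klist purge
klist get $Spn
klist | Select-String -Pattern 'HTTP/website'
```

Step 3 is the one that fixes the error in the thread: until the suffix is routed, the ADDomain1 KDC has no rule mapping website.NotAnADDomain.com to ADDomain2 and answers with KDC_ERR_S_PRINCIPAL_UNKNOWN. If step 4 still fails, re-check step 1 with `setspn -Q` for a second account holding the same SPN before touching the trust again.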
Ken Schaefer - 08 Jul 2008 02:05 GMT
Also, I am going to cover UPN suffix routing for Cross Forest scenarios in
my next IIS and Kerberos post, with more detailed instructions and some
discussion. The other posts are here: www.adopenstatic.com/faq

Cheers
Ken

bake - 08 Jul 2008 20:06 GMT
Thanks Ken, that's exactly what I was looking for. BTW, I have been at your
site before, it was very informative, good job!

Thanks,
Mike

Steven Cheng [MSFT] - 16 Jul 2008 08:31 GMT
Hi Mike,

I've also discussed this scenario with some other IIS engineers; they
also think that Ken's suggestion is reasonable. You need to register the
suffix NotAnADDomain.com in forest ADDomain2.com so that forest
ADDomain1.com can route the ticket requests properly.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Ken Schaefer - 16 Jul 2008 10:31 GMT
Stephen,

Were any other possible ways of getting this to work discussed? If so, I'm
curious to know what they are.

Are there any limitations/drawbacks to this approach that you are aware of?

Thanks

Cheers
Ken

Steven Cheng [MSFT] - 17 Jul 2008 09:18 GMT
Thanks for your reply Ken.

Yes, currently what I have is the same solution as you mentioned. Also, this
issue is not quite IIS specific, so I involved some Windows Kerberos
engineers when discussing it. Anyway, if there is any other information on
this, I'd be glad to post it here.

Thanks again for your input here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


 