I use Kerberos and SPNs all the time but have currently found myself in a
boggle with this setup. Usually if I have a website that has a host header of
let's say msdn.microsoft.com which runs under say a service account named
svc-dev-website then for that service account I would set the SPNs as:

http/msdn
http/msdn.microsoft.com

and Kerberos would work with no problems.

Now I have a host header on my website like this: one.msdn.microsoft.com, and
it runs under a service account, so for this I would think to set the SPNs
like above, so I would end up with

http/one
http/one.msdn.microsoft.com

But this is not working! If anyone has done an SPN for a grandchild DNS
entry like above please let me know! Thanks!

Re: Website SPN issue for a Subdomain by Ken

Ken
Wed Jun 25 01:14:11 CDT 2008

There should not be any problem doing what you are doing.

Unless "msdn" is actually an Active Directory domain (and "one" is a host in
the msdn.microsoft.com subdomain). Because then your client would get a
referral.

Cheers
Ken




Re: Website SPN issue for a Subdomain by YouBigDummy

YouBigDummy
Wed Jun 25 08:57:01 CDT 2008

To answer your question, "msdn" is not a domain and "one" is not a domain.

What we have is a domain called "X" and in "X" there is a DNS entry called
"Y" that points to a server so it can be used as a host header for a website.

Now they created a subdomain under "X" called "Y".

Now inside of the subdomain "Y" they created a DNS entry called "Z" that
will point to a server to be used as a host header. So do you think that the
subdomain "Y" having the same name as the DNS entry that is in the parent
domain "X" could cause this problem? I know it sounds a little confusing, so
maybe this below will help.

Domain "X": there is a DNS entry in this domain named "Y", so you have URLs
like Y.X.com
Child domain "Y": in this domain there is an entry named "one", so you have
URLs like one.Y.X.com

So again my question is: could it be an issue that the subdomain has the same
name as a DNS entry in the root domain?


Re: Website SPN issue for a Subdomain by YouBigDummy

YouBigDummy
Wed Jun 25 12:37:00 CDT 2008

We figured this issue out: the DNS entry for the host header needed to be an
A record instead of a CNAME.


Re: Website SPN issue for a Subdomain by Ken

Ken
Wed Jun 25 21:02:47 CDT 2008

DNS record types have nothing to do with a client contacting a KDC for a
service ticket.

Cheers
Ken



Re: Website SPN issue for a Subdomain by YouBigDummy

YouBigDummy
Wed Jun 25 21:08:00 CDT 2008

By no means am I underestimating your abilities, but I have read 2 articles
in the past 2 days that state otherwise. I will post the links to the
articles.


Re: Website SPN issue for a Subdomain by YouBigDummy

YouBigDummy
Wed Jun 25 21:17:02 CDT 2008

Here are the articles saying to use an A record versus a CNAME. One is from MSDN
blogs. There's also a KB article with a hotfix from MS stating that a CNAME will
cause the issue. So DNS record types do have something to do with the KDC.

http://support.microsoft.com/kb/911149

http://blogs.msdn.com/vijaysk/archive/2007/10/19/orchestrating-kerberos-authentication-spn-cheat-sheet.aspx

http://www.identitychaos.com/2008/03/problem-with-kerberos-delegation.html

http://blogs.technet.com/askds/archive/2008/05/14/troubleshooting-kerberos-authentication-problems-name-resolution-issues.aspx

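The following is an added example, not code from the thread or from any of the linked articles. It models the name-resolution behaviour the fix relies on: a client that canonicalises a CNAME host header before building the SPN asks the KDC for http/<target of the CNAME>, which is not one of the SPNs registered on svc-dev-website. The zone data, the IP address and the computer account WEB01$ are constructed assumptions.

```python
# Added example, not code from the thread: models how a Kerberos client on
# Windows derives the SPN it requests from a URL host header, and why a host
# header published as a CNAME can miss the SPNs registered on the service
# account. Zone data, account names and IP addresses are constructed.

# Constructed zone: "one" is a CNAME alias for the web server's own A record.
CNAME_ZONE = {
    "one.msdn.microsoft.com": ("CNAME", "web01.msdn.microsoft.com"),
    "web01.msdn.microsoft.com": ("A", "10.0.0.5"),
}
# The fix from the thread: publish the host header as an A record instead.
A_RECORD_ZONE = {
    "one.msdn.microsoft.com": ("A", "10.0.0.5"),
    "web01.msdn.microsoft.com": ("A", "10.0.0.5"),
}

# SPNs the poster registered on the site's service account (from the thread),
# plus a hypothetical computer account that owns the server's own name.
SPN_OWNERS = {
    "http/one": "svc-dev-website",
    "http/one.msdn.microsoft.com": "svc-dev-website",
    "http/web01.msdn.microsoft.com": "WEB01$",
}

def canonical_host(name, zone):
    """Follow CNAME records to the A record, as a canonicalising client does."""
    seen = set()
    while zone.get(name, ("", ""))[0] == "CNAME":
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = zone[name][1]
    return name

def requested_spn(host_header, zone):
    """SPN the client asks the KDC for: http/<canonical name>, lower-cased."""
    return f"http/{canonical_host(host_header.lower(), zone)}"

def diagnose(host_header, zone, service_account="svc-dev-website"):
    """Report whose key the KDC would use to encrypt the service ticket."""
    spn = requested_spn(host_header, zone)
    owner = SPN_OWNERS.get(spn)
    return {"spn": spn, "owner": owner, "ok": owner == service_account}

if __name__ == "__main__":
    for label, zone in (("CNAME", CNAME_ZONE), ("A record", A_RECORD_ZONE)):
        print(label, diagnose("one.msdn.microsoft.com", zone))
```

With the CNAME zone the ticket is issued for WEB01$'s key, so the site running as svc-dev-website cannot decrypt it; the alternative to changing the record type is registering the canonical name's SPN on the service account, which must not duplicate an SPN held elsewhere.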