The biggest mistake: ServicePrincipalName’s

re: The biggest mistake: ServicePrincipalName’s

brian-murphy-booth — Fri, 02 Jan 2009 15:09:23 GMT

David Reilly,

If the problem you are seeing effects only a particular user or perhaps a limited set of users, my first guess would be that they are part of too many groups. What I think I'd do first though is enable Kerberos logging on the client to see if that provides any clues.

A kerberos ticket contains all the security information about a user so the more groups a user is part of, the bigger the ticket gets. Eventually the user's workstation will block the ticket as being too big. I believe you'd want to increate the "MaxTokenSize" registry entry on the client if that's what is causing your problem. My guess on the intermittency of the problem may be that group membership changes are performed frequently and the user's ticket size fluctuates? My second guess on the cause of the problem is that during the ticket renewal there is a networking problem so the user doesn't get a ticket.

In either case, perhaps Kerberos logging will lead you to the solution.

re: The biggest mistake: ServicePrincipalName’s

David Reilly — Wed, 03 Dec 2008 10:12:02 GMT

Hi Brian,

I've been encountering a Kerberos issue that has me a bit puzzeled. I have used your delegconfig to assist with configuring SPN's and that helped identify config issues very clearly thank you!

I believe our DNS and SPN's and Kerberos config looks good now and works fine most of the time. However from time to time we see an XP client loosing all Kerberos tickets and/or not being granted any and the client defaults back to NTLM thereafter. Both Kerbtray and Klist confirm this. The only way for us to get Kerberos working on the client again is a full reboot. I'm at a loss as to what may cause this behaviour and why a reboot is required to fix. I would be grateful for your expert opinion or suggestion on this?

Thanks

David Reilly

Dublin, Ireland

re: The biggest mistake: ServicePrincipalName’s

Olaf Gradin — Wed, 15 Oct 2008 15:18:31 GMT

So what about when the log shows signs of a duplicate, but (now) three methods come up empty with the duplicate record? How frustrating is that?

re: The biggest mistake: ServicePrincipalName’s

Donna Kelly — Tue, 12 Aug 2008 10:59:38 GMT

(from AndyIIS)

"If I start a new browser session and go to myserver.mydomain.com/Kerberos I get a username/password login box. Without authenticating, I go to http://MyServer/Kerberos/ and the page loads "

I hope I'm not teaching Grandma to suck eggs, but I did notice that myserver.mydomain has a period in it. As I understand it, IE will by default assume that any URL with a period in it is in the Internet zone, and will not attempt to pass any form of credentials, including Kerberos. You then get that pesky modal dialog box asking for credentials. The resolution is to put myserver.mydomain in the list of Intranet sites (Internet Options -> Security tab -> Local Intranet -> Sites -> Advanced). IE will then submit the client credentials.

Also, to get WrkstaInfo to load, could you check your vDir execute permissions in IIS? The .dll only functioned properly for me when the permissions were set to Scripts Only (rather than Scripts and Executables).

Cheers,

Donna

p.s. I removed the apostrophe from the title of this thread :-)

re: The biggest mistake: ServicePrincipalName’s

brian-murphy-booth — Tue, 27 May 2008 12:59:35 GMT

When it comes to Kerberos, name resolution is very important. In particular, name resolution on the "client" is important. That is because the SPN that the client requests is based on the name that the client determines during a reverse DNS lookup. So to make DelegConfig more accurate I wrote a C# assembly that runs inside IE. It simply does that reverse lookup then appends "resolvedName=whatever" to the URL. That way the server-side code of DelegConfig understands what the client came up with on the reverse lookup. Unfortunately, IE security more often than not, blocks the loading of that C# "activeX control". So you have to manually determine the name that the client comes up with. In regards to you being redirected from the FQDN back to the NetBIOS name... that sounds like a bug in my redirect logic.

DelegConfig - A Tool To help resolve Kerberos authentication and delegation issues

Useful IIS/ASP.NET Information provided by Microsoft Support Teams — Wed, 23 Apr 2008 17:15:57 GMT

Overview I wanted to create this blog to address one of the IIS Support teams top support issues. The

re: The biggest mistake: ServicePrincipalName’s

AndyIIS — Fri, 11 Apr 2008 11:07:13 GMT

Thank you for the tool - it definitely helped me to diagnose my problem.

However (isn't there always...), I have found some interesting issues with authentication/Kerberos in my domain. The problem exhibits itself on all websites running on the webserver, including your DelegConfig tool.

[Background: the webserver is Server 2003 running IIS6; client browser is IE7 running on XP Professional SP2; all clients, workstations and servers are members of the same domain, a Windows 2003 domain running in Windows 2000 native mode. The website is set to Integrated Windows Authentication only, and NTAuthenticationProviders is set to "Negotiate".]

To summarise: I can start a new browser session, go to http://MyServer/Kerberos/ and the page loads, but DelegConfig complains "This tool is unable to verify that the proper SPNs are set because the WrkstaInfo.dll C# ActiveX control failed to load in Internet Explorer". If I add "resolvedName=MyServer", everything works fine. Any idea why adding "MyServer" to the resolvedName helps, when I am already browsing to the exact same server name?

If I start a new browser session and go to myserver.mydomain.com/Kerberos I get a username/password login box. Without authenticating, I go to http://MyServer/Kerberos/ and the page loads (but with same ActiveX error); I then go back to the FQDN page and everything works, including the SPN lookup!

As an attempted fix, I have created 2 new SPNs for NT AUTHORITY\NETWORK SERVICE, called HTTP/MyServer and HTTP/MyServer.MyDomain.com, but the strange behaviour remains. There were already 2 "HOST" SPNs, and the Application Pool Identity is NETWORK SERVICE, so this probably hasn't made any difference.

I fully accept that there might be some strange DNS happenings, but I cannot fathom why when first going to the FQDN I am refused all access, then going to just the ServerName gets me some access, and then returning to the FQDN gets me full access (all without entering any usernames/passwords).

Any ideas?

DelegConfig - A Tool To help resolve Kerberos authentication and delegation issues

Bret Bentzinger's Blog — Mon, 07 Apr 2008 22:00:49 GMT

Overview I wanted to create this blog to address one of the IIS Support teams top support issues. The

re: The biggest mistake: ServicePrincipalName’s

brian-murphy-booth — Mon, 10 Mar 2008 19:46:09 GMT

I'm not really sure how you can have a CIFS service on a domain user so I would start by deleting that one. CIFS is a built in service for the OS. Or if the front-end service is IIS then you can try running my DelegConfig tool that I have mentioned at the top of this blog.

re: The biggest mistake: ServicePrincipalName’s

Marco D'Amico — Mon, 10 Mar 2008 17:37:00 GMT

Hi, thanks for the this nice "documentation"! I have a related question: I found out that I have a duplicated SPN. The problem I have is that I don't know which one I have to delete. Everything began with these 2 errors:

"There are multiple accounts with name cifs/ipl-sbs.ipl.lan of type DS_SERVICE_PRINCIPAL_NAME." and

"There are multiple accounts with name cifs/IPL-SBS of type DS_SERVICE_PRINCIPAL_NAME."

After searching the duplicates using ldp, I found 2 enries: one is the HOST named IPL-SBS that is our domaincontroler and the second is the our DomainAdmin user. Which SPN can I remove? It's perhaps a stupid question, but I'm novice in this area... THANK, Marco

re: The biggest mistake: ServicePrincipalName’s

brian-murphy-booth — Wed, 20 Feb 2008 14:06:11 GMT

hitter - If you want to use Kerberos and NLB then you cannot use a built-in account. You must use a domain user as your AppPool identity. This is because Kerberos revolves around SPN's and a given SPN can only exist on a single AD account.

re: The biggest mistake: ServicePrincipalName’s

brian-murphy-booth — Wed, 20 Feb 2008 14:03:06 GMT

Short answer - There is a duplicate SPN.

Long answer - When a client asks for a ticket it just says "give me a ticket for HTTP/mywebsite.com". Active Directory searches through its accounts for that exact SPN. If it can't find it then it searches again for "HOST/mywebsite.com" instead. Let's say AD finds the SPN it is looking for on MYDOMAIN\web01$. It creates a ticket and then encrypts it with web01$'s NTLM hashed password. The client gets the ticket and sends it off to the web server. Let's say your web site is running under an AppPool Identity of MYDOMAIN\myserviceaccount. Well... we try to decrypt the ticket using the NTLM hashed password of myserviceaccount since that's what the w3wp.exe process knows about. But that fails since that wasn't what the ticket was encrypted with. That's when BADOPTION is logged.

If you haven't tried already, setup my DelegConfig tool and it should find who has the duplicate SPN. There is a limitaion in the tool currently where it will not search all the trusted domains, but as long as the IIS server and the accounts that you're using for the AppPools are all in the same domain, then it should work fine.

re: The biggest mistake: ServicePrincipalName’s

Steve — Wed, 20 Feb 2008 03:50:28 GMT

I have a related question - what's likely the cause of an error in the logs stating a krb_err_badoption logon event trying to connect to a server in server realm abcsteve.com, server name host/silver.abcsteve.com, but a target name of host/abcsteve.com@abcsteve.com

re: The biggest mistake: ServicePrincipalName’s

hitter — Tue, 22 Jan 2008 13:07:19 GMT

hello,

how i can configure constrain delegation for nlb iis(virtual name)? app pool must run under local system account.

re: The biggest mistake: ServicePrincipalName’s

Dan — Fri, 09 Nov 2007 19:20:44 GMT

Just wanted to say thanks for the DelegConfig tool. Very helpful for someone thats trying to learn about any type of delegation. Its straight forward, in plain english, and easy to use.

Sadly, I had to learn a few things the hard way before coming accross your posts. I did figure out most of the things you talk about here...but the new stuff put it all into perspective.

Simple. right?

Thanks again.