Enabling Kerberos Authentication

Following the training course, it's been put to me that we should really be using Kerberos for our authentication model, especially as it's going to solve lots of the multi-hop authentication issues.

I need to look into how Service Principal Names (SPNs) are used.

The command:

setspn.exe -A HTTP/servername ADDomain\usernameidentityforapppool

will enable Kerberos authentication, once we’ve configured a web application that will utilise Kerberos.

According to sources, NTLM and Kerberos will work together, with NTLM taking precedence when the Key Distribution Center (KDC) is unavailable or if a client machine has an unsynchronised clock.
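Because a failed Kerberos attempt falls back to NTLM without any visible error, it is worth checking the SPN registration rather than assuming it worked. The script below is an added example, not part of the original post: it registers the HTTP SPN for both the short name and the FQDN, refuses to create a duplicate, and then requests a service ticket to confirm Kerberos is actually in use. It assumes a setspn.exe that supports -Q and -S (Windows Server 2008 or later), English-language tool output, and a constructed FQDN (servername.example.local).

```powershell
# Added example. Values below are placeholders; the FQDN is constructed for illustration.
$ServerName  = 'servername'                          # short host name from the post
$Fqdn        = 'servername.example.local'            # assumed FQDN (not from the post)
$AppPoolUser = 'ADDomain\usernameidentityforapppool' # app pool identity from the post

# Clients may use either name in the URL, so both forms need an SPN.
$spns = "HTTP/$ServerName", "HTTP/$Fqdn"

foreach ($spn in $spns) {
    # -Q searches the domain for an existing registration of this SPN.
    # An SPN registered on two accounts makes the KDC unable to issue a
    # ticket, and clients then quietly fall back to NTLM.
    $query = (& setspn.exe -Q $spn) -join "`n"

    if ($query -match 'Existing SPN found') {
        Write-Warning "$spn is already registered. Check the owner before changing anything:"
        Write-Host $query
        continue
    }

    # -S adds the SPN only after its own duplicate check, unlike -A,
    # so a duplicate is still refused if the text match above misses it.
    & setspn.exe -S $spn $AppPoolUser
}

# Show every SPN now held by the app pool account.
& setspn.exe -L $AppPoolUser

# Forest-wide duplicate check; any output listing duplicates needs fixing.
& setspn.exe -X

# From a client machine: request a service ticket for the site.
# A ticket for HTTP/servername in the output means Kerberos is working;
# an error here means browsers will be negotiating down to NTLM.
& klist.exe get "HTTP/$ServerName"
```

If the ticket request fails on one client only, compare that machine's clock with the domain controller's before looking at the SPNs again.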

There is a KB article on this subject:
Microsoft KB Article

SpittingCAML





One Response to “Enabling Kerberos Authentication”

  1. Late Civic Says:

    Very informative - I also understand a few things a bit better - e.g. SPN stuff, which I didn’t quite follow from the Win2003 textbooks.

    A dissertation in WSE - that’s why all this web stuff is so easy to you.
