If you’re in the middle of implementing Kerberos for something, remember that Kerberos authentication fails whenever you use CNAME records in DNS instead of A records.
Why is this?
This is because when, for example, IE asks AD which account has an SPN registered for kerberos.marcvalk.net, and kerberos.marcvalk.net is a CNAME for IIS_Server.marcvalk.net, the client first resolves the CNAME and asks about IIS_Server.marcvalk.net instead, so the reply will be for IIS_Server.marcvalk.net and not for the service account.
So you’ll probably see a pop-up authentication box with a title of IIS_Server.marcvalk.net rather than the correct host header, kerberos.marcvalk.net.
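As an added example (not code from the original post), the following Python script models the lookup described above: it follows a CNAME the way the client resolver does, builds the SPN the browser will actually request from the canonical name, and reports which account holds that SPN. The DNS zone, the SPN registry, the account names and the check_kerberos function are all constructed assumptions for illustration.

```python
# Constructed DNS zone and SPN registry (sample data, not a real environment).
DNS = {
    "kerberos.marcvalk.net": ("CNAME", "iis_server.marcvalk.net"),
    "iis_server.marcvalk.net": ("A", "192.0.2.10"),
    "kerberos2.marcvalk.net": ("A", "192.0.2.10"),
}
SPNS = {
    # service account that runs the IIS application pool
    "MARCVALK\\svc_iis": {"HTTP/kerberos.marcvalk.net", "HTTP/kerberos2.marcvalk.net"},
    # computer account; a HOST/ SPN implicitly covers HTTP/ for the same name
    "MARCVALK\\IIS_SERVER$": {"HOST/iis_server.marcvalk.net"},
}

def canonical_name(name, dns, max_hops=8):
    """Follow CNAME records to the final A-record name, as the client resolver does."""
    name = name.lower()
    for _ in range(max_hops):
        rtype, target = dns.get(name, ("NXDOMAIN", None))
        if rtype != "CNAME":
            return name
        name = target.lower()
    raise ValueError("CNAME chain too long or looping")

def requested_spn(url_host, dns, service="HTTP"):
    """The SPN the browser really asks the KDC for: service class + canonical host."""
    return f"{service}/{canonical_name(url_host, dns)}"

def spn_owners(spn, spns):
    """Accounts that hold the SPN, honouring the HOST/ alias for HTTP/."""
    service, host = spn.split("/", 1)
    wanted = {spn.lower(), f"HOST/{host}".lower()} if service != "HOST" else {spn.lower()}
    return sorted(acct for acct, held in spns.items()
                  if any(s.lower() in wanted for s in held))

def check_kerberos(url_host, app_pool_account, dns=DNS, spns=SPNS):
    """Predict whether Kerberos to url_host works for a service run as app_pool_account."""
    spn = requested_spn(url_host, dns)
    owners = spn_owners(spn, spns)
    if not owners:
        reason = "no account holds the SPN; the KDC cannot issue a ticket"
    elif len(owners) > 1:
        reason = "duplicate SPN; ticket may be issued for the wrong account"
    elif owners[0] == app_pool_account:
        reason = "SPN is on the account that runs the service"
    else:
        reason = f"ticket is issued for {owners[0]}, which {app_pool_account} cannot decrypt"
    return {"requested_spn": spn, "owners": owners,
            "ok": owners == [app_pool_account], "reason": reason}
```

Calling check_kerberos("kerberos.marcvalk.net", "MARCVALK\\svc_iis") shows the CNAME case failing because the requested SPN lands on the computer account, while the A-record name kerberos2.marcvalk.net passes.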
2 Responses to “Kerberos fails when using CNAME records”
Doug
August 24th, 2010 at 14:37
Ok, but if your service account is attached to IIS_Server.marcvalk.net, will this then work, or will it not because it doesn’t match the header within the request?
I’m thinking HOSTA.mydomain.com and HOSTB.mydomain.com and a CNAME record for MYDNSNAME.mydomain.com that points to HOSTA.mydomain.com when it’s up, and switches to HOSTB.mydomain.com when HOSTA.mydomain.com is down.
If each HOSTA.mydomain.com and HOSTB.mydomain.com have independent Kerberos stuff setup, will it work?
mvalk
August 27th, 2010 at 15:06
Hi Doug,
You want to use Load Balancing?
This might help you: http://support.microsoft.com/kb/325608
or this:
http://blogs.msdn.com/b/joelo/archive/2007/01/05/nlb-network-load-balancing-and-sharepoint-troubleshooting-and-configuration-tips.aspx