Kerberos on https site

11/29/2012 10:05:25 AM CH Lundstrom
Hi
I have a web application that I can access on port 80 and 443.
I went and enabled Kerberos on the web application and set the SPNs with setspn and all that for them both. Yes, HTTP/ with no port number. Works great (correct Kerberos ticket, no fallback to NTLM) when I access the site on port 80, but not on port 443. The certificate that I use is not a wildcard certificate and does not add a host name to the site binding for the site.
So my question is, do I need a wildcard certificate where I can set my own host name in IIS to get Kerberos to work on port 443? If so, can/should I use appcmd.exe to manually set a host name for the SSL binding instead of using a wildcard certificate? -> http://sarafianalex.wordpress.com/2010/08/04/setting-host-name-on-ssl-binding-on-iis7/
Answers

11/29/2012 8:47:00 PM Ivan Sanders
Hi,
If you are using host headers for the IIS site and you have more than one site using port 443 on the same IP address, then you need to use a wildcard certificate. If you are using two separate IP addresses you wouldn't need to use host headers and you could use two separate certificates...
If Kerberos is set up properly then it does not matter if you are using HTTP or HTTPS when authenticating to the site.
-Ivan
Ivan Sanders My LinkedIn Profile, My Blog, @iasanders.
All Replies

11/29/2012 7:58:03 PM Trevor Seward
Are you using a CNAME or A record for the SSL FQDN DNS entry?
SharePoint - Nauplius Applications
Microsoft SharePoint Server MVP - 2012

11/30/2012 12:19:27 AM CH Lundstrom
Only A records are used, Trevor.
In the "Bindings" for the site it looks like this:
http intranet port 80
https port 443 (SSL certificate test.intranet.net)
AAM is using both intranet and test.intranet.net and I can browse the sites.
There is another site using SSL but on a different IP address.
For the intranet binding I used setspn -s HTTP/intranet domain\username and it works great (event viewer and Fiddler say Kerberos).
For the HTTPS binding I used setspn -s HTTP/test.intranet.net domain\username (event viewer says NTLM; Fiddler says I get a Kerberos ticket but then it falls back to NTLM, I guess, since event viewer says the connection from that server is NTLM).

12/3/2012 7:20:47 AM GuYuming

12/3/2012 10:47:28 AM CH Lundstrom
Thanks GuYuming, but I have already tried to set a host header manually on that binding.
I created a binding with a host header with the same name as in the certificate (appcmd).
But still NTLM.
https test.intranet.net port 443 (and using the certificate)
Kerberos on the http (intranet) binding works great. I have also tried to add a binding to test.intranet.net on http and that also works great with Kerberos.
So I guess it has something to do with the certificate.
Do I need to use a wildcard certificate to get Kerberos to work with SSL, as stated in this article:
http://technet.microsoft.com/en-us/library/cc263449(v=office.12).aspx (only article I have found that states that)? Would like to know before we buy one.

12/3/2012 4:00:05 PM Trevor Seward
You do not need a wildcard cert (or a valid one, for that matter) to get Kerberos working. Just make sure you're not testing on the server you're attempting to configure, as that will always be NTLM. Also remember Kerberos does not work when a Domain Controller is unavailable (e.g. over the Internet).
SharePoint - Nauplius Applications
Microsoft SharePoint Server MVP - 2012
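The thread settles on two checks: the HTTP/<host> SPN must be registered (once) on the application-pool account, since the SPN is the same for port 80 and 443, and the Security log on the IIS server, viewed for a logon from a separate client, tells you whether Kerberos or NTLM was actually used. The script below, an added example that is not from any poster in this thread, runs those checks with setspn.exe and Get-WinEvent. The host names are the ones in the thread; the service account name is a placeholder, and it assumes it is run as an administrator on the IIS server with logon auditing enabled.

```powershell
# Added example, not from the thread. Verifies the SPN setup discussed above and
# reads back which authentication package recent network logons used.
# Assumptions: run elevated on the IIS server, setspn.exe available, "Audit Logon"
# success auditing on. $ServiceAccount is a placeholder for the app-pool identity.
param(
    [string[]]$HostNames      = @('intranet', 'test.intranet.net'),  # from the thread
    [string]  $ServiceAccount = 'DOMAIN\svc_apppool'                  # placeholder
)

# 1. One SPN per host name, HTTP/<host> with no port or scheme, covers both bindings.
#    setspn -Q reports which account (if any) currently holds the SPN.
foreach ($h in $HostNames) {
    Write-Host "== HTTP/$h =="
    & setspn.exe -Q "HTTP/$h"
}

# 2. Duplicate SPNs (same SPN on two accounts) make the KDC unable to issue a usable
#    ticket and clients fall back to NTLM, so look for them forest-wide.
Write-Host "== duplicate SPN check =="
& setspn.exe -X

# 3. Everything registered on the application-pool account.
Write-Host "== SPNs on $ServiceAccount =="
& setspn.exe -L $ServiceAccount

# 4. After browsing both bindings from a *different* machine (a local test always
#    shows NTLM, as the final reply notes), list recent network logons (type 3) with
#    the package the client used. Loopback addresses are filtered out for that reason.
Write-Host "== recent network logons on this server =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddMinutes(-15) } |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Package = $d.AuthenticationPackageName   # Kerberos or NTLM
            Client  = $d.IpAddress
            Logon   = $d.LogonType
        }
    } |
    Where-Object { $_.Logon -eq 3 -and $_.Client -notin @('127.0.0.1', '::1', '-') } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Run it after reproducing the symptom from a client workstation; the Package column for that client's IP is the authoritative answer, independent of what a browser trace suggests, and a non-empty result from step 2 is the first thing to fix before looking at certificates or bindings at all.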