Kerberos with two IIS-hosted sites on the same server

  • Question

  • Hello,

    I have the following issue. I have a remote server (part of the domain) with two IIS sites - one ASP.NET MVC and one WCF RESTful. From my local computer I am browsing the ASP.NET site and authenticating with my Windows credentials, which should be delegated to the WCF application. Unfortunately, this is not happening. I read about the loopback issue, which I have fixed according to the provided guidelines. If I move the WCF to another server, it all works (I have configured all necessary SPNs). It seems like if they are on the same server, only NTLM is possible. Does anyone have any idea how to solve this?  :)

    Best,
    Boyan


    Freedom Has Its Own Style

    Tuesday, December 1, 2015 3:40 PM

All replies

  • Hi Boyan Mihaylov,

    According to this case, I guess that is an IP address issue. Because, when we host two web sites on IIS with one static IP address, to run web sites on two servers, each server needs an IP address, so you move the WCF to another server and it all works.

    Best Regards,

    Grady

    Wednesday, December 2, 2015 5:33 AM
    Moderator
  • Hi Grady,

    Thanks for the reply. Do you know if there is a way to force Kerberos between the two sites even though they are on the same server?

    Best,
    Boyan


    Freedom Has Its Own Style

    Wednesday, December 2, 2015 5:46 AM
  • Hi Boyan Mihaylov,

    <copied>

    By default, Internet Explorer doesn't include the port number information in the SPN used to request a Kerberos ticket. This can be a problem when you use IIS to host multiple sites under different ports and identities. In this configuration, Kerberos authentication may only work for specific sites even if all SPNs have been correctly declared in Active Directory.

    To resolve this issue, you'll need to set the FEATURE_INCLUDE_PORT_IN_SPN_KB908209 registry value (as per http://support.microsoft.com/kb/908209). This will force Internet Explorer to include the port number in the SPN used to request the Kerberos ticket.

    <copied>

    Maybe you can refer to the following articles:

    1. Things to check when Kerberos authentication fails using IIS/IE…

    Best Regards,

    Grady


    Wednesday, December 2, 2015 6:04 AM
    Moderator
  • Hi Grady,

    Let me explain a bit better. I have the following set-up. I have to transfer my credentials from my computer to the Self-hosted WCF service on Server 2 via Kerberos. The Kerberos auth between my computer and the MVC app works fine, however the MVC app uses NTLM when authenticating with the WCF service on the same server. The MVC app pool runs under a local identity, so the server itself has delegation enabled. The WCF app pool runs under an AD account, which also has delegation enabled.

    Using Network Monitor I can see I get error KDC_ERR_BADOPTION there for some reason. If I directly call the WCF service from my computer, it works fine. I use the standard port 80 and I have configured the correct SPNs, I believe :-)

    Best,
    Boyan


    Freedom Has Its Own Style


    • Edited by Boyan Mihaylov Wednesday, December 2, 2015 10:28 AM Added more info
    Wednesday, December 2, 2015 10:26 AM
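A diagnostic for the set-up described in the post above, added here as an example and not code from the thread. It lists every account in the domain that holds an HTTP SPN for the server and flags any SPN registered on more than one account (Kerberos requires a unique owner per SPN; a duplicate makes the KDC refuse the ticket and the client silently falls back to NTLM), then decodes the delegation settings of both app-pool identities, since an S4U2Proxy request for a target missing from msDS-AllowedToDelegateTo is one cause of KDC_ERR_BADOPTION. It assumes the ActiveDirectory PowerShell module; `srv01`, `contoso.com` and `svc-wcf` are placeholders.

```powershell
# Added diagnostic, not from the thread. Placeholders below: server, domain and WCF pool account.
Import-Module ActiveDirectory

$HostName   = 'srv01'        # placeholder: short name of the IIS server
$DnsDomain  = 'contoso.com'  # placeholder: its DNS domain
# Identities to inspect: the machine account (MVC pool runs as a local identity) and the WCF pool's AD account.
$Identities = @("$HostName`$", 'svc-wcf')

# 1. Which accounts hold an HTTP SPN for this host (short name or FQDN, with or without a port)?
#    Every SPN must map to exactly one account; a duplicated SPN makes the KDC refuse the ticket
#    and the client quietly falls back to NTLM.
$ldap    = "(|(servicePrincipalName=HTTP/$HostName*)(servicePrincipalName=HTTP/$HostName.$DnsDomain*))"
$pattern = '^HTTP/' + [regex]::Escape($HostName) + '(\.' + [regex]::Escape($DnsDomain) + ')?(:\d+)?$'
$owners  = @{}
foreach ($obj in Get-ADObject -LDAPFilter $ldap -Properties servicePrincipalName, sAMAccountName) {
    foreach ($spn in $obj.servicePrincipalName) {
        if ($spn -notmatch $pattern) { continue }       # skip SPNs for other hosts that share the prefix
        $key = $spn.ToLower()
        if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
        $owners[$key] += $obj.sAMAccountName
    }
}
"SPN ownership for ${HostName}:"
foreach ($e in $owners.GetEnumerator() | Sort-Object Key) {
    $flag = if ($e.Value.Count -gt 1) { 'DUPLICATE' } else { 'ok' }
    '  {0,-9} {1,-40} {2}' -f $flag, $e.Key, ($e.Value -join ', ')
}

# 2. Delegation settings of each app-pool identity, decoded from userAccountControl.
#    With constrained delegation the front-end account must list the back-end SPN in
#    msDS-AllowedToDelegateTo; a request for a target not in that list fails with KDC_ERR_BADOPTION.
foreach ($id in $Identities) {
    $acct = Get-ADObject -LDAPFilter "(sAMAccountName=$id)" -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
    if (-not $acct) { "`n$id : account not found"; continue }
    $uac           = [int]$acct.userAccountControl
    $unconstrained = ($uac -band 0x80000)   -ne 0   # TRUSTED_FOR_DELEGATION
    $protocolTrans = ($uac -band 0x1000000) -ne 0   # TRUSTED_TO_AUTH_FOR_DELEGATION ("use any authentication protocol")
    $targets       = @($acct.'msDS-AllowedToDelegateTo')
    "`n$id : unconstrained=$unconstrained  protocolTransition=$protocolTrans"
    if ($targets.Count -gt 0) { '  constrained to: ' + ($targets -join ', ') } else { '  no constrained-delegation targets' }
}
```

Run it as a domain user with read access to AD; the same checks can be done by hand with `setspn -X` (duplicate search) and `setspn -L <account>`.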
  • Hi Boyan Mihaylov,

    As far as I know, Windows authentication with Kerberos is used within a domain. Perhaps you can try adding the MVC app to the same domain, then try using Kerberos to validate.

    For more information, maybe you can refer to the following articles:

    1. WCF on intranet with windows authentication: Kerberos or NTLM (Part 1)

    Best Regards,

    Grady

    Friday, December 4, 2015 5:49 AM
    Moderator
  • Hi Grady,

    Thank you very much for your help. All computers are in the same domain. Unfortunately, it seems like you cannot perform Kerberos authentication on the same computer as it defaults to NTLM. These are my observations from what I read around (which is not much).

    Best,
    Boyan


    Freedom Has Its Own Style

    Sunday, December 6, 2015 11:06 AM