paulH

Reputation: 1132

Kerberos authentication for delegation in IIS 7.0

I'm trying to create a .NET web page that uses UserPrincipal.Current to get details of the currently logged-in user, and allow them to change their Active Directory password.

After a fair bit of head-bashing, I got it working (yay!). My only issue is that I want it working on our intranet site (http://intranet) but it only seems to work if I specify the fully qualified domain name (http://intranet.mydomain.co.uk).

Looking at this page (How to configure an ASP.NET application for a delegation scenario) the troubleshooting section at the bottom of the 'Summary' section seems to contain two conflicting pieces of advice:

3. For Kerberos to work correctly, you must use fully qualified domain names (FQDN) for all the communication.

5. If the Web server uses a fully qualified domain name, you must add the site to the list of intranet sites in Internet Explorer.

Note that item 5 starts with IF - suggesting that it doesn't HAVE to do so. But Item 3 states that a FQDN is necessary.

So the question is simple: can I set up delegation through IIS 7 without using a FQDN host name?

Upvotes: 0

Views: 1960

Answers (1)

Michael-O

Reputation: 18430

You need both; otherwise it won't work, for a good reason, and IE will fall back to NTLM. Just a side note: it is really pointless to write a webapp where a user can change his AD password. This should be done through the Windows change password dialog and not some third-party tool.

Upvotes: 1
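To confirm whether a browser really negotiated Kerberos or fell back to NTLM as the answer describes, the `Authorization` header it sends can be inspected. The following is an added example, not part of the original question or answer; `classify_authorization` and `sample_header` are hypothetical names, and the sample tokens are constructed with a placeholder in place of a real ticket.

```python
import base64
import binascii

# DER-encoded mechanism OIDs (tag 0x06, length, value).
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2, Kerberos V5
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2, legacy MS Kerberos
)
NTLM_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
SPNEGO_OID = bytes.fromhex("06062b0601050502")  # 1.3.6.1.5.5.2
NTLM_SIG = b"NTLMSSP\x00"


def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm', 'none' (no header) or 'unknown'."""
    if not header_value:
        return "none"
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        raw = base64.b64decode(parts[1].strip(), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    if raw.startswith(NTLM_SIG):  # bare NTLMSSP message: the fallback case
        return "ntlm"
    if not raw.startswith(b"\x60"):  # not an initial GSS-API token
        return "unknown"
    # In SPNEGO the mechanism list precedes the token and the token belongs
    # to the first mechanism listed, so the earliest OID found decides.
    krb = min((p for p in map(raw.find, KRB5_OIDS) if p >= 0), default=-1)
    ntlm = raw.find(NTLM_OID)
    if krb >= 0 and (ntlm < 0 or krb < ntlm):
        return "kerberos"
    return "ntlm" if ntlm >= 0 else "unknown"


def _der(tag, body):
    """Wrap body in a DER element (short-form length, enough for the samples)."""
    return bytes([tag, len(body)]) + body


def sample_header(mechs, scheme="Negotiate"):
    """Build a constructed SPNEGO NegTokenInit header offering `mechs` in order."""
    init = _der(0x30, _der(0xA0, _der(0x30, b"".join(mechs)))
                + _der(0xA2, _der(0x04, b"\x00" * 4)))  # placeholder token
    blob = _der(0x60, SPNEGO_OID + _der(0xA0, init))
    return scheme + " " + base64.b64encode(blob).decode()
```

Pass it the header value from a proxy capture or a server-side request dump, for example `classify_authorization(sample_header([KRB5_OIDS[0], NTLM_OID]))`. Only the first token of the handshake is classified; later SPNEGO response tokens return `unknown`.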
