Reputation: 788
Forcing specific SPN for URL in .Net
I'm experiencing inconsistent behaviour when using the .Net framework (C# as well as Powershell) to access a Kerberized HTTP service. It relates to our DNS configuration, and our use of CNAMEs instead of A-records for Kerberized services. The workaround suggested by Microsoft is to ensure that you're using A-records for your hostnames, but this is not an option in my corporate environment.
I need a solution that will allow me to force a specific SPN for a specific URL, ensuring that I use the same hostname for the SPN as for the URL. Alternatively, an option to force a consistent policy for resolving URLs to SPNs.
Upvotes: 2
Views: 961
Answers (1)
Reputation: 788
As always, once you know what you're looking for, the solution it quite easy to find ;-) In this example, I'm using a HTTPS web service on port 8080:
C#:
System.Net.AuthenticationManager.CustomTargetNameDictionary
.Add("https://my-service.tld:8080/", "HTTP/my-service.tld");
Powershell:
[System.Net.AuthenticationManager]::CustomTargetNameDictionary.
Add("https://my-service.tld:8080/", "HTTP/my-service.tld")
Do not forget the trailing slash. Remove :8080 if using port 80.
References:
Upvotes: 2
Related Questions
- setup kerberos constrained delegation powershell
- How to solve authentication failure with CNAME in url
- Where do I run the setspn command?
- Switching application to use Constraint based kerberos
- Query/Change SPNs on Windows Domain without SetSPN
- Kerberos Fully qualified domain name
- Kerberos/SPNEGO : multiple SPNs for the same AD account
- Kerberos delegation and port-specific SPNs
- Powershell SharePoint Kerberos New-SPWebApplication
- WCF and Setspn.exe