Kerberos delegation and port-specific SPNs
<p>I have a system in which I use Kerberos with simple delegation to have an AD user's credentials forwarded from a website to a downstream HTTP REST service using integrated Windows authentication. All servers are Windows Server 2012 R2.</p>
<p>This works great.</p>
<p>The issue comes when I started doing PowerShell remoting to the same servers that my backend HTTP service runs on. <code>Enter-PSSession</code> makes a Kerberos auth request for the WSMan service on the target machine. AD sees this request, and encrypts the requested ticket with the identity that my custom HTTP service runs as, which the WSMan service obviously cannot use, and remoting fails.</p>
<p>I know it's possible to force IE to do port-specific SPN requests (via <a href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;908209" rel="nofollow">KB908209</a>), but I have not been able to have the 2nd hop (i.e. the IIS-brokered request) do a port-specific request. Nor have I been able to get PowerShell to make a port-specific request on 5985 for WSMan.</p>
<p>To make things more concrete:</p>
<ol>
<li>Client browser makes a request to ServerA. Browser makes a Kerberos ticket request to AD for HTTP/ServerA, which is granted and then sent to ServerA.</li>
<li>ServerA wants to make a delegated request to <code>http://ServerB:15200</code>.</li>
<li>ServerA makes a request to AD for a Kerberos ticket for SPN HTTP/ServerB. It does <em>not</em> make a request for SPN HTTP/ServerB:15200. I want it to.</li>
</ol>
<p>If I have my SPN set up as HTTP/ServerB:15200, simple delegation in IIS fails, but PowerShell remoting works. If I have my SPN set up as HTTP/ServerB, simple delegation works but PowerShell remoting fails. If I have my SPN set up as HTTP/ServerB:5985, nothing works.</p>
<p>I am totally stumped at this point -- doesn't seem like delegation and per-port SPNs play nicely together?</p>
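The situation in the question comes down to which AD account owns each <code>HTTP/ServerB…</code> SPN, because the KDC encrypts a service ticket to the key of whichever account holds the SPN the client asked for, and most Windows HTTP clients ask for the port-less form. The following PowerShell script is an added example, not part of the original post, that enumerates the SPN owners for a host and reports which account a port-less request and each port-qualified request would resolve to, flagging duplicate registrations. It assumes the ActiveDirectory module from RSAT is installed and that the caller can read <code>servicePrincipalName</code>; <code>ServerB</code> and the port numbers are taken from the question and are placeholders to replace with real values.

```powershell
# Added example (not from the original post): show which AD accounts hold the
# HTTP SPNs for a host, so you can see which key a port-less request
# (HTTP/<host>) and a port-qualified request (HTTP/<host>:<port>) is encrypted to.
# Assumes the ActiveDirectory (RSAT) module is available; names are placeholders.
param(
    [string]$TargetHost = 'ServerB',   # placeholder host from the question
    [int[]]$Ports = @(15200, 5985)      # REST service port and WSMan port from the question
)
Import-Module ActiveDirectory -ErrorAction Stop

# Every object (user, computer, gMSA) that has an HTTP SPN for this host.
$owners = Get-ADObject -LDAPFilter "(servicePrincipalName=HTTP/$TargetHost*)" `
    -Properties servicePrincipalName, objectClass

# Map lower-cased SPN -> list of owning DNs.
$spnOwner = @{}
foreach ($o in $owners) {
    foreach ($spn in $o.servicePrincipalName) {
        if ($spn -notlike "HTTP/$TargetHost*") { continue }
        $key = $spn.ToLowerInvariant()
        if (-not $spnOwner.ContainsKey($key)) { $spnOwner[$key] = @() }
        $spnOwner[$key] += $o.DistinguishedName
    }
}

# Report every SPN and its owner(s). A duplicate SPN (more than one owner) is a
# misconfiguration: the KDC may encrypt the ticket to the wrong key and the
# service typically fails the AP-REQ (seen as KRB_AP_ERR_MODIFIED).
foreach ($entry in $spnOwner.GetEnumerator() | Sort-Object Name) {
    $status = if ($entry.Value.Count -gt 1) { 'DUPLICATE' } else { 'ok' }
    "{0,-40} {1,-9} {2}" -f $entry.Key, $status, ($entry.Value -join '; ')
}

# Which account a client hits when it does NOT specify a port (the default
# behaviour described in the question) and for each explicit port.
$candidates = @("http/$TargetHost") + ($Ports | ForEach-Object { "http/${TargetHost}:$_" })
foreach ($c in $candidates) {
    if ($spnOwner.ContainsKey($c.ToLowerInvariant())) {
        "Request for $c -> ticket encrypted to: $($spnOwner[$c.ToLowerInvariant()] -join '; ')"
    } else {
        "Request for $c -> no SPN registered; KDC returns KDC_ERR_S_PRINCIPAL_UNKNOWN"
    }
}
```

Run it as <code>.\Show-HttpSpnOwners.ps1 -TargetHost ServerB</code> (the script name is arbitrary) from a domain-joined machine. If the port-less <code>http/serverb</code> line resolves to the custom service account rather than the computer account, that is exactly why the WSMan ticket is unusable by the WinRM service; the output makes the mismatch visible before any change to SPNs or delegation settings is attempted.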