IIS to IIS using kerberos and non-standard web port

on 23.01.2008 01:37:02 by Pom

I have implemented Kerberos in a 3-tier environment where IIS 6.0 accesses a
web service on a separate IIS server. I have properly set up all my SPNs,
service accounts etc., and it works fine. My problem is that I have a
requirement to run my web services server on web port 8080. I tried every
combination and I can't make it successful. It works if I run my front-end on
8080 but not the back-end. I found the following article:
http://support.microsoft.com/kb/908209/ mentioning that IE:

"the Wininet.dll file does not pass the port number of the target Web site
when it calls the InitializeSecurityContext function to build the Kerberos
ticket. This prevents Internet Explorer 6 from using the Kerberos protocol to
connect to multiple Web sites that run on different ports under different
identities."

Is IIS doing the same thing as IE when an IIS server contacts another IIS
server on a non-standard port?

Re: IIS to IIS using kerberos and non-standard web port

on 23.01.2008 12:50:15 by Ken Schaefer

IIS itself doesn't use any particular library - that is dependent on your
calling code (e.g. whether it uses WinInet or some other library).

When you created the SPN for the backend server, did you specify
http/servername:8080 for your SPN?

Cheers
Ken


Re: IIS to IIS using kerberos and non-standard web port

on 30.01.2008 05:50:01 by Pom

Yes, I tried 8080.

I have an aspx program on machine a calling a web method on machine b.

Re: IIS to IIS using kerberos and non-standard web port

on 30.01.2008 12:18:17 by Ken Schaefer

Can you provide a complete list of all SPNs that were originally registered,
and that you have now added? You can use ldifde.exe to query AD.

If you have created duplicate SPNs, it won't work.

Cheers
Ken