Imagine a website that shows the value of a remote registry key, live, such as the version of the anti-virus definitions on a remote PC. To be clear, there are 3 computers involved, the web server acting as a go-between.
The website uses Windows Authentication, so from a browser on Windows, your AD credentials are passed through and IIS authenticates the user (in ASP.NET, the user token is attached and can be programmatically checked).
We're running on IIS 7.5 with kernel-mode authentication; does an SPN need setting up in AD to allow the Kerberos part of the Windows Authentication to happen?
The site runs under an Application Pool under AD account DOMAIN\AV1, this account is a member of a group that has rights to the computers on the LAN.
The code in the site does not perform impersonation, for it doesn't want to assume the ID of the site user (who doesn't have remote reg rights), so it simply makes a remote registry call.
Does the web server machine account or the DOMAIN\AV1 account need an SPN to negotiate and perform Kerberos auth to the remote computers?
Yes, you cannot authenticate in Kerberos without an SPN. A checklist for setting up the SPN for the machine account is here:
http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx
If it is only a single web server, the standard two SPNs for the machine account suffice. If it is a web farm, you probably want to opt for a domain account and ensure that account has the required SPNs.
When you state "The code in the site does not perform impersonation", you need to keep in mind that if the IIS machine account is not performing the access to the remote systems, it needs to be delegated the capability to authenticate on behalf of other accounts such as the DOMAIN\AV1 account. If you are using unconstrained delegation, the configuration is straightforward.
You may want to test with the DelegConfig tool that you can drop onto a web site and configure an application folder for. It provides a simple GUI that performs the necessary checks for you.
http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/delegconfig-delegation-configuration-reporting-tool.aspx
http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/the-biggest-mistake-serviceprincipalname-s.aspx
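As an added example (not part of the question or the answer above), the following PowerShell script checks the SPN layout the answer describes: that the two standard HTTP SPNs for a single web server exist, that each is registered on exactly one account (a duplicate SPN breaks Kerberos), which of the machine account or the app pool account holds them, and whether the app pool account is trusted for unconstrained delegation. It assumes the RSAT ActiveDirectory module on a domain-joined admin workstation; the host names are placeholders, and `AV1` is the sAMAccountName of the DOMAIN\AV1 account from the question.

```powershell
# Added diagnostic, not from the original thread. Placeholder values below must be
# replaced with your own environment's names.
Import-Module ActiveDirectory

$WebHost     = 'WEBSRV01'               # placeholder: IIS server NetBIOS name
$WebFqdn     = 'websrv01.corp.example'  # placeholder: FQDN users type into the browser
$AppPoolUser = 'AV1'                    # sAMAccountName of DOMAIN\AV1 (from the question)

# The two standard HTTP SPNs for a single web server.
$Wanted = @("HTTP/$WebHost", "HTTP/$WebFqdn")

function Get-SpnOwners {
    param([string]$Spn)
    # Search the whole domain (user and computer objects alike) for this exact SPN.
    # Kerberos needs exactly one owner per SPN; more than one breaks authentication.
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName |
        Select-Object -ExpandProperty DistinguishedName
}

function Test-IisSpnSetup {
    $machine = Get-ADComputer $WebHost -Properties servicePrincipalName
    $pool    = Get-ADUser $AppPoolUser -Properties servicePrincipalName, TrustedForDelegation
    $issues  = @()

    foreach ($spn in $Wanted) {
        $owners = @(Get-SpnOwners $spn)
        switch ($owners.Count) {
            0       { $issues += "MISSING   $spn is registered on no account" }
            1       { Write-Host "OK        $spn -> $($owners[0])" }
            default { $issues += "DUPLICATE $spn is registered on: $($owners -join '; ')" }
        }
    }

    # Report which account actually carries the HTTP SPNs (machine account vs. app pool
    # account), since the answer distinguishes the single-server and web-farm cases.
    $onMachine = $Wanted | Where-Object { $machine.servicePrincipalName -contains $_ }
    $onPool    = $Wanted | Where-Object { $pool.servicePrincipalName    -contains $_ }
    Write-Host "HTTP SPNs on machine account $WebHost : $($onMachine -join ', ')"
    Write-Host "HTTP SPNs on app pool account $AppPoolUser : $($onPool -join ', ')"

    # Unconstrained delegation flag on the app pool account ("Trust this user for
    # delegation to any service" in AD Users and Computers).
    Write-Host "$AppPoolUser trusted for unconstrained delegation: $($pool.TrustedForDelegation)"
    return $issues
}

$problems = Test-IisSpnSetup
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'SPN layout looks consistent' }
```

The built-in `setspn -L <account>` and `setspn -X` commands give the same per-account listing and domain-wide duplicate check without the AD module.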