I was trying to set up a Java service using the SPNEGO servlet filter and a listen port of 8080 for authentication on a host that is also running web applications hosted in IIS7.
I followed the SPNEGO installation instructions and created an SPN for HTTP/canonical.host.name, bound to the user performing the authentication for the Java service.
After this change, the Java service is able to authenticate clients via SPNEGO, but IIS7 application pools running with custom identities (i.e. user names instead of ApplicationPoolIdentity) are suddenly unable to authenticate.
What I don't understand here:
- How does Kerberos authentication work for IIS when there is no SPN for HTTP/canonical.host.name defined (as checked via setspn -Q)? Clients still request and receive tickets for exactly this SPN.
- Out of interest, we tried running the application pools with the identity of the Java service that successfully authenticates. It still did not work as long as the SPN was defined - attempts to authenticate with a Kerberos ticket failed with a KRB_AP_ERR_MODIFIED returned. Running the application pool as the user that the SPN was registered to did not change this behaviour.
- Microsoft specifies SPNs to include a port number, but IE does not conform to this and never sends a port number in the SPN (Firefox and Chrome follow in this behaviour).
So, is there any way to have multiple independent SPNEGO authenticated services on the same host?
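To make the relationship between the SPN, the account key and the KRB_AP_ERR_MODIFIED failure concrete, here is an added example (not code from the question or from any Microsoft tooling) that parses constructed setspn-style output and models which account's key a ticket for HTTP/canonical.host.name is issued under, and whether a given service process can decrypt it. It assumes that the HOST service class on the computer account aliases HTTP when no explicit HTTP/ SPN exists, that the decrypting account is the app pool identity (or, under IIS7 kernel-mode authentication, the machine account), and it ignores the port component because the browsers mentioned omit it.

```python
import re

# Constructed sample in the shape of `setspn -L <account>` output for the
# computer account and the Java service account (not real directory data).
SETSPN_SAMPLE = """\
Registered ServicePrincipalNames for CN=WEBHOST,CN=Computers,DC=example,DC=com:
        HOST/canonical.host.name
        HOST/WEBHOST
Registered ServicePrincipalNames for CN=svc-java,OU=Service Accounts,DC=example,DC=com:
        HTTP/canonical.host.name
"""

OWNER_RE = re.compile(r"^Registered ServicePrincipalNames for (.+):$")


def parse_setspn(text):
    """Map each SPN (lower-cased) to the distinguished name that holds it."""
    owner, spns = None, {}
    for line in text.splitlines():
        m = OWNER_RE.match(line.strip())
        if m:
            owner = m.group(1)
        elif owner and line[:1].isspace() and "/" in line:
            spns[line.strip().lower()] = owner
    return spns


def ticket_key_owner(spn, spns):
    """Account whose long-term key the KDC encrypts a service ticket for `spn` with.
    Assumption modelled here: with no explicit HTTP/<host> SPN, the KDC resolves
    it to the holder of HOST/<host> (the computer account), since HOST aliases HTTP."""
    svc, _, host = spn.partition("/")
    if spn.lower() in spns:
        return spns[spn.lower()]
    if svc.upper() == "HTTP":
        return spns.get(f"host/{host.lower()}")
    return None


def ap_req_result(spn, spns, decrypting_account):
    """Outcome of the service-side AP-REQ check: the ticket only decrypts with the
    key it was issued under; any other key looks like tampering (KRB_AP_ERR_MODIFIED)."""
    owner = ticket_key_owner(spn, spns)
    if owner is None:
        return "KDC_ERR_S_PRINCIPAL_UNKNOWN"
    return "OK" if owner == decrypting_account else "KRB_AP_ERR_MODIFIED"


if __name__ == "__main__":
    spns = parse_setspn(SETSPN_SAMPLE)
    for account in sorted(set(spns.values())):
        print(f"{account}: {ap_req_result('HTTP/canonical.host.name', spns, account)}")
```

Removing the HTTP/ entry from the sample reproduces the "before" state in the question, where the ticket falls back to the machine key and only a process holding that key can decrypt it.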