Register SPN

The correct SPN must be registered for Kerberos authentication to work. The SPN is strictly coupled to the host header that Airlock Gateway sends to the back-end server; the following example illustrates that coupling:

| Host Header (Airlock Gateway configuration, sent to back-end server) | Machine name (IIS) | Web Site binding: IP (IIS) | Web Site binding: Port (IIS) | Web Site binding: Protocol (IIS) | Web Site binding: Hostname (IIS) | SPN |
|---|---|---|---|---|---|---|
| webapp1.int.virtinc.com | server1 | 172.16.1.1 | 80 | http | webapp1.int.virtinc.com | http/webapp1.int.virtinc.com |
| webapp2.int.virtinc.com | server1 | 172.16.1.1 | 443 | https | webapp2.int.virtinc.com | http/webapp2.int.virtinc.com |
| webapp3.int.virtinc.com | server1 | * | 8080 | http | webapp3.int.virtinc.com | http/webapp3.int.virtinc.com |
| webapp4 | server2 | 172.16.1.2 | 80 | http | - | http/webapp4 |
| webapp.int.virtinc.com | server3 | * | 8443 | https | - | http/webapp.int.virtinc.com |
The example shows the following:
  • The SPN always starts with http/ and ends with the host header value sent by Airlock Gateway.
  • The SPN always starts with http/, no matter which protocol (http or https) the IIS binding uses.
  • The port of the IIS binding has no influence on the SPN.
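The following audit script is an added example and not part of the Airlock documentation or product. It encodes the rule from the table (SPN = "http/" plus the host header, independent of protocol and port) and checks a list of SPNs registered on the application pool account against it, flagging the two typical mistakes the rule rules out: an SPN registered under "https/" and an SPN carrying a port. The back-end list and the registered SPN list are constructed sample data modelled on the table; the host header "webapp.int.virtinc.com" is deliberately left unregistered to show a plain miss.

```python
# Constructed sample, mirroring the table above: for each Airlock back-end the
# host header sent to the back-end, the IIS machine, the binding port and protocol.
# Port and protocol are carried along only to show that they are NOT used.
BACKENDS = [
    ("webapp1.int.virtinc.com", "server1", 80, "http"),
    ("webapp2.int.virtinc.com", "server1", 443, "https"),
    ("webapp3.int.virtinc.com", "server1", 8080, "http"),
    ("webapp4", "server2", 80, "http"),
    ("webapp.int.virtinc.com", "server3", 8443, "https"),
]

# Constructed (hypothetical) list of SPNs found on the application pool account.
# Two entries are deliberately wrong so the audit has something to report.
REGISTERED_SPNS = [
    "http/webapp1.int.virtinc.com",
    "https/webapp2.int.virtinc.com",      # wrong: the binding protocol must not leak into the SPN
    "http/webapp3.int.virtinc.com:8080",  # wrong: the binding port has no place in the SPN
    "http/webapp4",
    "HOST/server3",                       # unrelated SPN on the same account, must be ignored
]


def expected_spn(host_header: str) -> str:
    """SPN the Kerberos client will ask for: always 'http/' + the host header, nothing else."""
    return "http/" + host_header.strip()


def spn_host(spn: str) -> str:
    """Extract the host part of an SPN of the form 'service/host[:port]'."""
    return spn.split("/", 1)[-1].split(":", 1)[0]


def audit_spns(backends, registered):
    """Compare the expected SPN of every back-end with the registered SPNs.

    Returns one entry per host header with the expected SPN, whether it is
    registered, and any 'near misses' (same host but wrong protocol or extra port),
    which are the usual cause of a broken Kerberos handshake.
    """
    registered = set(registered)
    result = {}
    for host_header, _machine, _port, _protocol in backends:  # port/protocol unused on purpose
        want = expected_spn(host_header)
        near = sorted(s for s in registered if s != want and spn_host(s) == host_header)
        result[host_header] = {
            "expected": want,
            "status": "ok" if want in registered else "missing",
            "near_misses": near,
        }
    return result


if __name__ == "__main__":
    for host_header, entry in audit_spns(BACKENDS, REGISTERED_SPNS).items():
        line = f"{host_header:28} {entry['status']:8} expected {entry['expected']}"
        if entry["near_misses"]:
            line += "  (found instead: " + ", ".join(entry["near_misses"]) + ")"
        print(line)
```

Running the script lists every back-end with "ok" or "missing" and, for the two wrong registrations, names the near miss that explains the failure. Replace the constructed REGISTERED_SPNS list with the SPNs actually present on the account that the IIS application pool runs under; that account, not the machine, is the one the SPN has to be registered on.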

Chapter-related warnings

HIGH – The SPN is derived directly from the host header.

HIGH – Check the identity of the application pool which serves the IIS web site.