Register SPN

The correct SPN must be configured to get Kerberos up and running. There is a strict coupling between the host header sent by Airlock Gateway to the back-end server and the registered SPN. The following example illustrates this:

The first column is the Airlock Gateway configuration (the host header sent to the back-end server); the remaining columns are the IIS webserver configuration (machine name, web site binding with IP, port, protocol and hostname, and the SPN to register).

| Host Header (sent to back-end server) | Machine name | IP | Port | Protocol | Hostname | SPN |
|---|---|---|---|---|---|---|
| webapp1.int.virtinc.com | server1 | 172.16.1.1 | 80 | http | webapp1.int.virtinc.com | http/webapp1.int.virtinc.com |
| webapp2.int.virtinc.com | server1 | 172.16.1.1 | 443 | https | webapp2.int.virtinc.com | http/webapp2.int.virtinc.com |
| webapp3.int.virtinc.com | server1 | * | 8080 | http | webapp3.int.virtinc.com | http/webapp3.int.virtinc.com |
| webapp4 | server2 | 172.16.1.2 | 80 | http | - | http/webapp4 |
| webapp.int.virtinc.com | server3 | * | 8443 | https | - | http/webapp.int.virtinc.com |

The example shows the following:

  • The SPN always starts with http/ and ends with the host header value sent by Airlock Gateway.
  • The SPN always starts with http/, no matter what protocol is used.
  • The port has no influence on the SPN.
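As an added example (not part of the Airlock documentation), the following Python script derives the expected SPN from each Airlock host header using exactly these rules and checks it against setspn -L style output, flagging the two typical mistakes (service class taken from the protocol, or the port appended). The mappings follow the table above; the account names (svc-iis, SERVER2$) and the setspn output are constructed sample data, and the setspn header lines are simplified to the bare account name.

```python
# Added example, not Airlock's code: mappings follow the table above; accounts and setspn output are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Mapping:
    host_header: str  # Host header Airlock Gateway sends to the back-end server
    port: int         # IIS web site binding port (does not influence the SPN)
    protocol: str     # http or https (does not influence the SPN)
    account: str      # account the IIS application pool runs under (user or machine)

def expected_spn(m: Mapping) -> str:
    """SPN = 'http/' + host header, whatever the protocol and port."""
    return f"http/{m.host_header.lower()}"

def parse_setspn(text: str) -> dict[str, set[str]]:
    """Parse 'setspn -L'-style output; header lines here carry the bare account name."""
    prefix = "Registered ServicePrincipalNames for "
    spns: dict[str, set[str]] = {}
    account = None
    for line in text.splitlines():
        if line.startswith(prefix):
            account = line[len(prefix):].rstrip(":")
        elif line.strip() and account:
            spns.setdefault(account, set()).add(line.strip().lower())
    return spns

def check_mapping(m: Mapping, spns: dict[str, set[str]]) -> str:
    # Typical mistakes: service class copied from the protocol, or the port appended.
    want, have = expected_spn(m), spns.get(m.account, set())
    if want in have:
        return "ok"
    near = {f"https/{m.host_header.lower()}", f"{want}:{m.port}"} & have
    return f"missing {want}" + (f" (found {min(near)} instead)" if near else "")

# Constructed sample: svc-iis serves the server1 sites, the SERVER2 machine account serves webapp4.
MAPPINGS = [
    Mapping("webapp2.int.virtinc.com", 443, "https", "svc-iis"),
    Mapping("webapp3.int.virtinc.com", 8080, "http", "svc-iis"),
    Mapping("webapp4", 80, "http", "SERVER2$"),
]
SETSPN_OUTPUT = """Registered ServicePrincipalNames for svc-iis:
    https/webapp2.int.virtinc.com
    http/webapp3.int.virtinc.com:8080
Registered ServicePrincipalNames for SERVER2$:
    http/webapp4
"""

def audit(mappings=MAPPINGS, output=SETSPN_OUTPUT) -> dict[str, str]:
    spns = parse_setspn(output)
    return {m.host_header: check_mapping(m, spns) for m in mappings}
```

Running audit() on the sample reports webapp4 as ok and the two server1 sites as missing, each with the near-miss SPN that explains why Kerberos fails for it.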

Chapter-related warnings

HIGH – The SPN is derived directly from the host header.

HIGH – Check the identity of the application pool which serves the IIS web site.

  • If the application pool serving the web site runs under a domain user (service account), follow the instructions described in "Register SPN for the service user".
  • If the application pool serving the web site runs under the machine account, follow the instructions described in "Register SPN for the machine account".