The correct SPN must be configured for Kerberos to work. The registered SPN is strictly coupled to the host header that Airlock Gateway sends to the back-end server. The following example illustrates this:
| Airlock Gateway: Host Header (sent to back-end server) | IIS: Machine name | IIS Web Site binding: IP | IIS Web Site binding: Port | IIS Web Site binding: Protocol | IIS Web Site binding: Hostname | SPN |
|---|---|---|---|---|---|---|
| webapp1.int.virtinc.com | server1 | 172.16.1.1 | 80 | http | webapp1.int.virtinc.com | http/webapp1.int.virtinc.com |
| webapp2.int.virtinc.com | server1 | 172.16.1.1 | 443 | https | webapp2.int.virtinc.com | http/webapp2.int.virtinc.com |
| webapp3.int.virtinc.com | server1 | * | 8080 | http | webapp3.int.virtinc.com | http/webapp3.int.virtinc.com |
| webapp4 | server2 | 172.16.1.2 | 80 | http | - | http/webapp4 |
| webapp.int.virtinc.com | server3 | * | 8443 | https | - | http/webapp.int.virtinc.com |
The example shows the following:

- The SPN always starts with http/ and ends with the host header value sent by Airlock Gateway.
- The SPN always starts with http/, no matter what protocol is used.
- The port has no influence on the SPN.
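The rules above can be checked mechanically before a Kerberos rollout. The following is an added example, not part of the Airlock Gateway or IIS tooling: it derives the SPN each host header requires and audits a list of registered SPNs against it. The function names are hypothetical and the registered-SPN list is constructed sample data.

```python
# Added example: audit registered SPNs against the host headers a gateway
# sends to the back end. All names and sample data here are illustrative.

def expected_spn(host_header: str) -> str:
    """SPN per the rules above: 'http/' + host header; protocol and port ignored."""
    host = host_header.strip()
    # Drop an optional ":port" suffix (host names only, not IPv6 literals).
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return "http/" + host

def _spn_host(spn: str) -> str:
    """Extract the host part from 'class/host[:port]'."""
    _, _, rest = spn.partition("/")
    return rest.split(":", 1)[0]

def audit(host_headers, registered_spns):
    """Return {host_header: (status, expected_spn, near_misses)}."""
    # Assumption: SPN lookups are case-insensitive, so compare in lower case.
    registered = {s.strip().lower() for s in registered_spns}
    report = {}
    for header in host_headers:
        want = expected_spn(header)
        if want.lower() in registered:
            report[header] = ("ok", want, [])
            continue
        # Near misses: same host registered with a wrong service class
        # (e.g. https/) or with a port suffix.
        host = _spn_host(want).lower()
        near = sorted(s for s in registered if _spn_host(s) == host)
        report[header] = ("missing", want, near)
    return report

# Host headers taken from the table above.
HOST_HEADERS = ["webapp1.int.virtinc.com", "webapp2.int.virtinc.com",
                "webapp3.int.virtinc.com", "webapp4", "webapp.int.virtinc.com"]

# Constructed sample of registered SPNs containing typical mistakes.
REGISTERED_SPNS = ["http/webapp1.int.virtinc.com",
                   "https/webapp2.int.virtinc.com",      # wrong service class
                   "http/webapp3.int.virtinc.com:8080",  # port must not be included
                   "HTTP/WEBAPP4"]                       # differs only in case

if __name__ == "__main__":
    for header, (status, want, near) in audit(HOST_HEADERS, REGISTERED_SPNS).items():
        hint = f" (found instead: {', '.join(near)})" if near else ""
        print(f"{header:28} {status:8} expected {want}{hint}")
```

A "missing" result with a near miss usually means the SPN was registered with the site's protocol or port rather than following the rules above.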