Register SPN
The correct SPN must be configured in order to bring Kerberos up and running. There is a strict coupling between the host header sent by Airlock Gateway to the back-end server and the registered SPN. The following example helps to explain that:
The first column is the Airlock Gateway configuration (the host header sent to the back-end server); the remaining columns are the IIS webserver configuration (machine name, web site binding with IP, port, protocol and hostname) and the SPN that has to be registered.

| Host header (sent to back-end server) | Machine name | Binding IP | Binding port | Binding protocol | Binding hostname | SPN |
|---|---|---|---|---|---|---|
| webapp1.int.virtinc.com | server1 | 172.16.1.1 | 80 | http | webapp1.int.virtinc.com | http/webapp1.int.virtinc.com |
| webapp2.int.virtinc.com | server1 | 172.16.1.1 | 443 | https | webapp2.int.virtinc.com | http/webapp2.int.virtinc.com |
| webapp3.int.virtinc.com | server1 | * | 8080 | http | webapp3.int.virtinc.com | http/webapp3.int.virtinc.com |
| webapp4 | server2 | 172.16.1.2 | 80 | http | - | http/webapp4 |
| webapp.int.virtinc.com | server3 | * | 8443 | https | - | http/webapp.int.virtinc.com |
The example shows the following:
- The SPN always starts with http/ and ends with the host header value sent by Airlock Gateway.
- The SPN always starts with http/, no matter what protocol is used.
- The port has no influence on the SPN.
Chapter-related warnings
HIGH – The SPN is derived directly from the host header.
- Configure Airlock Gateway to rewrite the host header as described in KB - Verify Host Header sent corresponds to the IIS configuration. With Back-side Kerberos SSO, Airlock Gateway will request a Kerberos ticket for the SPN derived from the rewritten host header.
HIGH – Check the identity of the application pool which serves the IIS web site.
- If the application pool serving the web site runs under a domain user (service account), follow the instructions described in “Register SPN for the service user”.
- If the application pool serving the web site runs under the machine account, follow the instructions described in “Register SPN for the machine account”.
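The derivation rules above (http/ class, port ignored) and the account choice (service account vs. machine account) as an added check, not Airlock or Microsoft code: it computes the SPN Airlock Gateway will request for each back-end and compares it with a constructed inventory of registered SPNs. The service account name svc_webapp4 and the REGISTERED inventory are assumptions; in practice the inventory would be read from Active Directory.

```python
"""Derive the SPN Airlock Gateway's back-side Kerberos SSO requests from the
host header it sends, and compare it with what is registered.
Added example, not Airlock or Microsoft code. BACKENDS and REGISTERED are
constructed from the table on this page (service account svc_webapp4 is
assumed); in practice REGISTERED would be filled from Active Directory."""
from typing import Dict, List, Optional, Set


def expected_spn(host_header: str) -> str:
    """SPN = http/<host header>: http class whatever the protocol, port dropped."""
    host = host_header.strip().lower().split(":", 1)[0]
    return f"http/{host}"


def target_account(machine: str, app_pool_identity: Optional[str]) -> str:
    """Service account if the app pool runs under one, else the machine
    account (with the trailing '$' as Active Directory names it)."""
    return app_pool_identity.lower() if app_pool_identity else f"{machine.lower()}$"


def check_spns(backends: List[dict], registered: Dict[str, Set[str]]) -> List[str]:
    """Report requested SPNs missing on the right account, and registered SPNs
    carrying a scheme or port that Airlock never requests."""
    findings = []
    for b in backends:
        spn = expected_spn(b["host_header"])
        account = target_account(b["machine"], b.get("app_pool_identity"))
        have = {s.lower() for s in registered.get(account, set())}
        if spn not in have:
            findings.append(f"MISSING {spn} on {account}")
    for account, spns in registered.items():
        for s in (x.lower() for x in spns):
            if s.startswith("https/") or (s.startswith("http/") and ":" in s):
                findings.append(f"WRONG {s} on {account}: no scheme or port in an SPN")
    return findings


# Constructed sample: three rows of the table above; webapp4's application
# pool is assumed to run under a domain service account.
BACKENDS = [
    {"host_header": "webapp1.int.virtinc.com", "machine": "server1"},
    {"host_header": "webapp2.int.virtinc.com", "machine": "server1"},
    {"host_header": "webapp4", "machine": "server2", "app_pool_identity": "svc_webapp4"},
]
REGISTERED = {  # constructed, with two typical mistakes built in
    "server1$": {"http/webapp1.int.virtinc.com", "HTTPS/webapp2.int.virtinc.com"},
    "svc_webapp4": set(),
}
```

Calling `check_spns(BACKENDS, REGISTERED)` on the sample data reports the missing http/webapp2 and http/webapp4 registrations and flags the https/ entry that will never match what Airlock Gateway requests.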