I recently received a few questions from the blog. I usually ask if the person minds if I post the question and reply, and in this case the person said he didn’t mind.
Special thanks to Matt Sinfield for his good question. Hopefully this will help everyone’s understanding of this. Here it is:
Thanks for the informative blog posts. I've been reading your entries from the viewpoint of healthy background stuff. Now on my current project I'm thrust into the limelight of trying to fix some authentication issues we're having in the scenario of IE-IIS-NAS and constrained delegation - it's fun but hard work.
However, while performing diagnosis I keep asking myself if having multiple NIC's in a machine (whether IIS or NAS) matters. From what I've seen it shouldn't as long as you cover the various names the service can be known by through appropriate SPN setting but I've not yet discovered the right docs that explicitly state this. For example say the IIS box has 1 NIC for Management, 1 NIC (teamed with another) for data etc. should I really care?
It just feels 'odd' that my colleagues have the AD DNS name as firstname.lastname@example.org for IIS using the Management NIC IP yet the same server accessed via it's www.server.com http address (using a Unix DNS that AD DNS integrates with just to make it easy) have it resolving to the data NIC. I believe the key is SPN rather than IP but just wanted to run it past an expert....!
…and here’s my reply:
Sorry for the delayed reply. There is no document that I'm aware of which discusses multiple NICs and the impact on SPN creation and usage.
Simple answer: it does matter. It is not necessarily a bad thing however. It's just good to keep in mind in making sure that the correct SPN is being asked for and it's getting a ticket (that can be used successfully to gain access to resources).
The common concern is that an incorrect SPN is being registered by server, or requested by client, and it is either not given to the client who requested or not used by the destination that holds the resource a client wants access to. Having multiple NICs, and more pertinently, different or multiple domain suffixes on them, can complicate matters in that the client or server may use the incorrect NIC or suffix when doing SPN related functions.
Bottom line is that two things will tell you of a potential problem. First is a trace-if an error is present in the Kerberos traffic requesting a service ticket it's as obvious as a slap in the face. Second is to see if whatever is supposed to happen (like-I'm guessing-a web page on client that is actually a remote access to a file share via a web server) is working as expected. If you see no trouble in the above then you should be in the clear.
As far as the name being UPN format for SPN, if I recall correctly there is some code which deals well with using slightly different formats like that so it doesn't shout out to me offhand as being a problem. If you see otherwise, please let me know.
Hopefully I haven't muddied the waters for you. Also, would you mind if I posted your email below and the reply on the blog? I would post it without your name unless you state otherwise.
These postings are provided "AS IS" with no warranties, and confer no rights.
Please feel free to send me your questions. I may not be the quickest in replying, but I promise to reply as soon as I can. Have a great week everyone!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.