Why would an IIS hosted site prompt for AD account credential if accessed through a hostname or IP, but not through servername?
I have a webservice running in IIS hosted in a Windows 2016 Nano server. I can access the service just fine if I go through http://servername/service/health
However, if I were to access it via http://[IP Address here]/service/health or http://service.company.com/service/health, it would prompt for AD login credential.
I looked through the DNS record and the IIS ApplicationHost.config and I can't really tell what's wrong with it. I might have missed a setting or two. Can anyone figure out where to look or what to do?
domain-name-system iis windows-nano-server
asked yesterday
Frosteeze
3 Answers
This looks like a Kerberos issue; if I'm correct, then the server's AD computer account(*) has a registered SPN for HTTP/SERVERNAME (this can be verified with the SETSPN command-line tool), thus automatic Kerberos authentication can happen when the web service is called using the computer's name; however, when calling the web service with any other name, this won't work.
If you want to be able to call the web service using a different name, then you need to add another SPN to the same AD computer account(*), with a command such as SETSPN -S HTTP/service.company.com SERVERNAME.
More info here.
(*) Or the user account which runs IIS's application pool, if you manually configured one.
answered yesterday
Massimo
When I do "setspn -L servername" I do see the servername in the list and I added HTTP/service.company.com, but it still won't work. Another thing I noticed is that servername.companyname.com is listed under the same service classes as servername, but using that will give me a prompt for credential.
– Frosteeze
yesterday
The other thing is, the actual web application should be configured to accept that hostname; f.e. SharePoint needs a manual configuration for this. But I don't know your application, so I can't voice for that.
– Massimo
yesterday
Service.company.com would need to be a registered Service Principal Name on the IIS server.
Also, Kerberos integrated authentication by default will not work with an IP address unless the system is configured to do so, and the IP address is a registered Service Principal Name.
https://docs.microsoft.com/en-us/windows-server/security/kerberos/configuring-kerberos-over-ip
answered yesterday
Greg Askew
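A PowerShell check for the conditions the two answers above describe (one HTTP/<name> SPN per name clients use, owned by the account IIS actually runs as, no duplicates, and the IP-literal caveat). This is an added example, not code from the thread; it assumes setspn.exe from RSAT on a domain-joined machine, and the host names, IP and owner account are placeholders for the question's values.

```powershell
# Added diagnostic, not from the original thread. Assumes setspn.exe is on PATH and
# you run it as a domain user; the names and account below are placeholders.
param(
    # Every name clients will type into the URL needs its own HTTP/<name> SPN.
    # The IP literal is a constructed placeholder (TEST-NET range).
    [string[]]$HostNames = @('servername', 'servername.companyname.com',
                             'service.company.com', '192.0.2.10'),
    # Account that must own the SPNs: the computer account, or the application
    # pool identity if one was configured manually (Massimo's footnote).
    [string]$ExpectedOwner = 'SERVERNAME'
)

function Test-HttpSpn {
    param([string]$HostName, [string]$ExpectedOwner)
    $spn  = "HTTP/$HostName"
    $isIp = [System.Net.IPAddress]::TryParse($HostName, [ref]$null)

    # setspn -Q searches the forest for the SPN and prints the owning object's DN
    # followed by "Existing SPN found!" or "No such SPN found.".
    $out   = (& setspn.exe -Q $spn 2>&1) -join "`n"
    $found = $out -match 'Existing SPN found'
    $owner = $null
    if ($found) {
        $owner = ($out -split "`n" | Where-Object { $_ -match '^CN=' } | Select-Object -First 1)
    }
    $ownerOk = $owner -and ($owner -match ('^CN=' + [regex]::Escape($ExpectedOwner) + ','))

    $status = if (-not $found) {
        "MISSING: register it with  setspn -S $spn $ExpectedOwner"
    } elseif (-not $ownerOk) {
        # The KDC encrypts the service ticket with the SPN owner's key; if that is
        # not the account IIS runs as, IIS cannot decrypt it and the browser prompts.
        "WRONG OWNER: $owner holds $spn"
    } elseif ($isIp) {
        'SPN OK, but Kerberos to an IP literal also needs the client-side setting from the Microsoft doc linked above'
    } else {
        'OK'
    }
    [pscustomobject]@{ Name = $HostName; SPN = $spn; Status = $status }
}

function Test-DuplicateSpns {
    # The same SPN on two accounts makes the KDC refuse the ticket and the client
    # falls back to a credential prompt. setspn -X reports such groups.
    $out = (& setspn.exe -X 2>&1) -join "`n"
    if ($out -match 'found (\d+) group') { [int]$Matches[1] } else { -1 }
}

$HostNames |
    ForEach-Object { Test-HttpSpn -HostName $_ -ExpectedOwner $ExpectedOwner } |
    Format-Table -AutoSize -Wrap

$dups = Test-DuplicateSpns
if ($dups -gt 0) { Write-Warning "$dups group(s) of duplicate SPNs in the forest; resolve those first." }
```

Run it once for every name that appears in a URL; a name whose status is anything but OK explains a credential prompt on that name even when the others work.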
One other check - it is possible your browser isn't passing credentials, forcing the login prompt.
In Internet Options, there is a security zone for Local Intranet; this zone will automatically pass your Windows credentials without the need for the AD dialog. The default setting will detect the server name as part of your network, but the full domain name is probably considered Internet zone and doesn't send the credentials. In the configuration page for Local Intranet, you can add the FQDN to no longer be prompted (or set it via Group Policy).
This all assumes you intend the site to run with Windows Credentials, and you are running internally; I'm not a security expert but personally, I wouldn't want to send my credentials automatically to a site across the internet.
answered 16 hours ago
Dave Simione