delegation and multiple host name

Pom

I'm running ASP.NET 2.0 on a 2003 server using a domain service account
for my application pool. I'm trying to connect to a server that has my
web services. My challenge is that the server has 3 IP addresses, one for each web
site I need. The web services I try to access will be on the second web site
(but there is also a copy on the first web site). So I defined a different
host name in DNS for each web site and I also assigned it to each web site as a
host header. My challenge is that ADUC only allows us to add a computer
name as a "trust this user for delegation to specified services only". When I
call my web services with the "server name", Kerberos authentication works,
but when I use the host name, it falls over to NTLM. So could we delegate to a
host name different from a server name?
 
Joe Kaplan

You need to create additional servicePrincipalName values for the additional
services with the alternate hostnames. Then you can delegate to them.

For example, if the alternate website is called althost1.domain.com, then
add an SPN to the account that runs its app pool (the machine account if you
run as the default "network service") with the value
HTTP/althost1.domain.com. Once you have an appropriate SPN for the
additional service, you will be able to do Kerb auth and then delegation is
also possible as well.

Joe K.
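
A diagnostic sketch for the advice above, added here as an example and not part of the original thread: it checks that the alternate-host SPN is held by exactly one account (the one running the web services' app pool) and that the calling app pool's account is allowed to delegate to it. The account names `svc-webservices` and `svc-frontend` are hypothetical, and the script assumes a workstation with the RSAT ActiveDirectory module.

```powershell
# Added example. althost1.domain.com comes from the answer above;
# both account names are hypothetical placeholders.
Import-Module ActiveDirectory

$Spn             = 'HTTP/althost1.domain.com'
$AppPoolAccount  = 'svc-webservices'  # hypothetical: runs the web services' app pool
$FrontEndAccount = 'svc-frontend'     # hypothetical: runs the calling ASP.NET app pool

# 1. Find every account holding the SPN. Kerberos needs exactly one holder.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                          -Properties sAMAccountName)

if ($holders.Count -eq 0) {
    # No holder: the KDC cannot issue a ticket, so the client falls back to NTLM.
    Write-Warning "$Spn is not registered on any account."
    # -S refuses to create a duplicate (Server 2008 and later; older setspn uses -A).
    Write-Host "Fix: setspn -S $Spn <DOMAIN>\$AppPoolAccount"
}
elseif ($holders.Count -gt 1) {
    # Duplicate SPN: the KDC cannot pick an account and Kerberos auth fails.
    Write-Warning "$Spn is registered on more than one account:"
    $holders | ForEach-Object { Write-Host "  $($_.sAMAccountName)" }
}
elseif ($holders[0].sAMAccountName -ne $AppPoolAccount) {
    # Wrong holder, e.g. the server's machine account (name ends in '$')
    # while the app pool runs as a domain service account.
    Write-Warning "$Spn is on $($holders[0].sAMAccountName), not $AppPoolAccount."
    Write-Host "Fix: setspn -D $Spn $($holders[0].sAMAccountName)"
    Write-Host "     setspn -S $Spn <DOMAIN>\$AppPoolAccount"
}
else {
    Write-Host "$Spn is registered on $AppPoolAccount only."
}

# 2. "Trust this user for delegation to specified services only" is stored in
#    msDS-AllowedToDelegateTo on the delegating (front-end) account.
$fe = Get-ADUser -Identity $FrontEndAccount -Properties 'msDS-AllowedToDelegateTo'
if ($fe.'msDS-AllowedToDelegateTo' -contains $Spn) {
    Write-Host "$FrontEndAccount may delegate to $Spn."
}
else {
    Write-Warning "$FrontEndAccount is not allowed to delegate to $Spn."
    Write-Host "Currently allowed targets:"
    $fe.'msDS-AllowedToDelegateTo' | ForEach-Object { Write-Host "  $_" }
}
```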
 
Pom

Thanks

I was wrong, I set the SPN to the web services server instead of the
"services account" of the app pool running the web services.
 
