
IIS / SQL / Kerberos (SSRS / MDS)

About SPNs for IIS-driven SQL web pages (SSRS / MDS).

So… it seems that if you host multiple web-page-driven SQL technologies (http/) on the same machine, the initial Kerberos handshake tends to use the default SPN. If you set an SPN for http/serverordns.fqdn.Com:1234, one for http/serverordns.fqdn.Com:80 and another for http/serverordns.fqdn.Com (thus hosting 2 different web apps on the same machine, one on the default web port and one on 1234), even the request for the 1234 app will use the SPN for the default port. These app pools should use different accounts (if you want it to be secure, that is), and this behaviour fails all Kerberos requests for the app pool account on 1234, since the request uses the account that holds the SPN on the default port.

 

Solve this by:

Creating DNS aliases for your different web services

= MDSACCEPTANCE.FQDN.COM

= SSRSACCEPTANCE.FQDN.COM

Create host headers on your SQL box pointing to the correct apps.

Create separate SPNs for the DNS aliases, with and without port notation:


http/MDSACCEPTANCE.FQDN.COM:1234

http/MDSACCEPTANCE.FQDN.COM

http/SSRSACCEPTANCE.FQDN.COM:80

http/SSRSACCEPTANCE.FQDN.COM
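
The check below is an added example, not part of the original post: it models the behaviour described above (the client asks for the port-less SPN even when the URL carries a port) and reports every URL whose SPN is missing or held by a different account than the app pool. The account names `DOMAIN\svc-ssrs` and `DOMAIN\svc-mds` and all sample registrations are constructed.

```python
from urllib.parse import urlsplit

def candidate_spns(url):
    """SPNs that must resolve for a URL: the port-less form (which the post
    says the client requests even for port 1234) plus host:port if given."""
    parts = urlsplit(url)
    host = parts.hostname.upper()
    spns = [f"http/{host}"]
    if parts.port:
        spns.append(f"http/{host}:{parts.port}")
    return spns

def audit(spn_owner, apps):
    """spn_owner: SPN -> account holding it; apps: URL -> app pool account.
    Returns (url, spn, problem) for every SPN that would break Kerberos."""
    owners = {spn.upper(): acct for spn, acct in spn_owner.items()}
    findings = []
    for url, pool in apps.items():
        for spn in candidate_spns(url):
            owner = owners.get(spn.upper())
            if owner is None:
                findings.append((url, spn, "not registered"))
            elif owner != pool:
                findings.append((url, spn, f"held by {owner}, pool runs as {pool}"))
    return findings

# Constructed sample data; account names are hypothetical placeholders.
SSRS, MDS = r"DOMAIN\svc-ssrs", r"DOMAIN\svc-mds"

# Before: both apps share one host name, so the port-less SPN has one owner.
SHARED_SPNS = {"http/serverordns.fqdn.Com": SSRS,
               "http/serverordns.fqdn.Com:80": SSRS,
               "http/serverordns.fqdn.Com:1234": MDS}
SHARED_APPS = {"http://serverordns.fqdn.Com/": SSRS,
               "http://serverordns.fqdn.Com:1234/": MDS}

# After: one alias per app, SPNs with and without port on the pool's account.
ALIAS_SPNS = {"http/MDSACCEPTANCE.FQDN.COM:1234": MDS,
              "http/MDSACCEPTANCE.FQDN.COM": MDS,
              "http/SSRSACCEPTANCE.FQDN.COM:80": SSRS,
              "http/SSRSACCEPTANCE.FQDN.COM": SSRS}
ALIAS_APPS = {"http://MDSACCEPTANCE.FQDN.COM:1234/": MDS,
              "http://SSRSACCEPTANCE.FQDN.COM:80/": SSRS}

if __name__ == "__main__":
    for label, spns, apps in (("shared host", SHARED_SPNS, SHARED_APPS),
                              ("per-app aliases", ALIAS_SPNS, ALIAS_APPS)):
        print(label, audit(spns, apps) or "OK")
```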

If you need more info, drop me a line at Kristof.dm at Outlook.com

 

 

 

 

