IIS rejecting Kerberos authentication

  • Last Post 03 January 2017
RaviSabharanjakblackrockcom posted this 30 October 2011

Hello all,

Has anyone seen this before, and knows a solution?

Thanks in advance,

* IIS website listens on port 42 (not the usual port 80)

* IE 8 Client asks for a ticket and gets it for HTTP/servername.domainname.

* Client sends ticket to IIS.

* Server responds with errorcode: KRB5KRBAPERRMODIFIED and Server Name (Service and Host): host/servername.domainname

To me, it seems that IE is sending a ticket for the HTTP spn, but the server / IIS wants a ticket to the host spn. Is there a way to make IIS change it's mind?

THIS MESSAGE AND ANY ATTACHMENTS ARE CONFIDENTIAL, PROPRIETARY, AND MAY BE PRIVILEGED. If this message was misdirected, BlackRock, Inc. and its subsidiaries, ("BlackRock") does not waive any confidentiality or privilege. If you are not the intended recipient, please notify us immediately and destroy the message without disclosing its contents to anyone. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. The views and opinions expressed in this e-mail message are the author's own and may not reflect the views and opinions of BlackRock, unless the author is authorized by BlackRock to express such views or opinions on its behalf. All email sent to or from this address is subject to electronic storage and review by BlackRock. Although BlackRock operates anti-virus programs, it does not accept responsibility for any damage whatsoever caused by viruses being passed.

jkolenda posted this 03 January 2017

Just curious...Is the agent inventory Service Now?