In September 2007 I implemented a 4-layer Kerberos solution at a client's site. Back then, there were only a couple of people who'd done it and there was not much information around on it (and it nearly killed me… well, it wasn't that bad, but it was pretty stressful). Since then, lots of people have started to implement Kerberos authentication-based sites and it's become a bit more mainstream. Certainly I look around and there are lots of people with info.
One of the things I noticed while troubleshooting was that when you browsed a site on a non-standard port, the service ticket IE requested never included the port number in the SPN: it asked for http/host, not http/host:port. Apparently this was a "feature" of IE6 on XP or Windows Server 2003, and it has carried over to later versions as a result. It is possible to change this: KB article 908209 provides the hotfix for XP / Server 2003 together with the IncludePortInSPN registry value that tells IE to include the port in the SPN it requests.
Just a warning: if your SPNs are set up without the port number and this patch (plus the registry value) is applied to a client, YOUR SITES WILL STOP USING KERBEROS TO AUTHENTICATE. For example:
- You have a site http://mybeautiful.site.liveshere:8000
- You have an SPN set up for the service account on this site, eg setspn -a http/mybeautiful.site.liveshere serviceAccount
- Everything works fine and dandy, because IE requests a ticket for the SPN without the port number, and that is exactly the SPN you registered.
- You apply the patch and the reg key. Suddenly everyone starts getting the "3 prompts and you're out" authentication request, because the port number now forms part of the SPN in the request, the KDC has no SPN http/mybeautiful.site.liveshere:8000 registered against any account, and so it cannot issue a ticket.
- Whoopsie! The fix is to register another 2 SPNs for the site that include the port number, against the Web App pool account (2 SPNs, one for the short hostname and one for the FQDN; in our example, http/mybeautiful:8000 and http/mybeautiful.site.liveshere:8000). Keep the existing portless SPNs as well, because clients without the patch still request those, and register all of them against the same account, since a given SPN may exist on only one account in the forest.
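Here is the whole procedure as an added PowerShell example; it is not code from the original post. It assumes the app pool identity is DOMAIN\serviceAccount (an assumption, substitute your own), that setspn.exe is the Windows Server 2008 / RSAT version that has the -S duplicate-checking switch, and that you run it with rights to write servicePrincipalName on that account. The client-side step uses the IncludePortInSPN value described in KB 908209.

```powershell
# Added example (not from the original post). Registers the port-qualified SPNs for
# http://mybeautiful.site.liveshere:8000 alongside the existing portless ones, then
# turns on port-aware SPNs for the current user in IE.
# Assumptions: DOMAIN\serviceAccount is the web app pool identity; setspn.exe is the
# Server 2008+/RSAT build (has -S); you have rights to write servicePrincipalName.

$Account = 'DOMAIN\serviceAccount'       # assumption: app pool identity
$Fqdn    = 'mybeautiful.site.liveshere'
$Short   = $Fqdn.Split('.')[0]           # 'mybeautiful'
$Port    = 8000

# The KDC matches the SPN string literally, ':8000' included, so the portless pair
# (for unpatched clients) and the port-qualified pair (for patched clients) must all
# exist, and all on the same account.
$Spns = @(
    "HTTP/$Short",
    "HTTP/$Fqdn",
    "HTTP/${Short}:$Port",
    "HTTP/${Fqdn}:$Port"
)

# 1. See what is already registered on the account.
setspn -L $Account

# 2. Add each SPN. -S refuses to add an SPN that already exists anywhere in the
#    forest (a duplicate SPN breaks Kerberos for both accounts). The Server 2003
#    setspn only has -A, which does not check; run 'setspn -X' afterwards if so.
foreach ($spn in $Spns) {
    setspn -S $spn $Account
}

# 3. Confirm there are no duplicate SPNs in the forest.
setspn -X

# 4. Client side, per user: tell IE to put the port in the SPN it requests
#    (the registry value from KB 908209; on XP / Server 2003 the hotfix is also needed).
$IeKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
New-ItemProperty -Path $IeKey -Name IncludePortInSPN -PropertyType DWord -Value 1 -Force | Out-Null

# 5. Verify from a client (Windows 7 / Server 2008 R2 or later klist): the KDC should
#    now hand out a service ticket for the port-qualified SPN. If this fails with
#    KDC_ERR_S_PRINCIPAL_UNKNOWN the SPN was not registered.
klist get "HTTP/${Fqdn}:$Port"
```

Run steps 1 to 3 once, on any domain-joined box with setspn, and step 4 on each client (or push it by Group Policy Preferences); the verification in step 5 is the quickest way to tell whether a "3 prompts" problem is the SPN or something else, because the ticket request fails before the browser ever talks to IIS.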
Anyway, hope this helps!