Non-standard port numbers hotfix for Kerberos

In September 2007 I implemented a 4-layer Kerberos solution at a client’s site. Back then, there was only a couple of people who’d done it and there was not much information around on it (and it nearly killed me… well, it wasn’t that bad, but it was pretty stressful). Since then, lots of people have started to implement Kerberos authentication-based sites and it’s become a bit more mainstream. Certainly I look around and there’s lots of people with info.

One of the things I noticed while troubleshooting was that when you browsed sites the ticket that was generated never appended the port number when attempting to authenticate. Well apparently this was a "feature" of IE6 when used on XP or 2003 server and has carried over to current versions as a result. Now it’s possible to fix this – You can download the patch for 2003 server or XP from this KB Article 908209.

Just a warning: If you have SPN’s set up to not use the port number and this patch is applied to a client, YOUR SITES WILL STOP USING KERBEROS TO AUTHENTICATE. For example:

  • You have a site
  • You have an SPN set up for the service account on this site eg setspn -a http/ serviceAccount
  • Everything works fine and dandy because IE builds a poor Kerberos request without the port number.
  • You apply the patch & reg key. Suddenly, everyone starts getting the "3 prompts and you’re out" authentication request, because now the port number forms part of the request.
  • Whoopsie! The fix is to register another 2 SPN’s for the site that uses a port number, against the Web App pool account (2 spn’s – one DNS prefix and one FQDN – in our example, one for http/mybeautiful:8000 and one for http/

Anyway, hope this helps!



About Brad Saide

I'm a SharePoint consultant. I'm also slowly going bald, seem to have a permanent spare tyre around my waist and enjoy socialising with friends over a beer or 10. The last 2 may possibly be related. Started working with SharePoint when the first version was in limited beta release (participated in the Technology Adoption Program while at Woolworths) and have been committed to the adoption of the technology as a business enabler ever since.
This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s