Use A Records for SharePoint Sites When Using Kerberos

OMFG, how many times must this happen in one project?! SharePoint (actually the .NET Framework) does not resolve Kerberos security properly if you try to use CNAME records. They are a bad idea for a site anyway, because you cannot load-balance a CNAME (a CNAME just says "this name maps to this server name"; gah!). I'm not sure why sysadmins have such a strong preference for CNAMEs. I suppose there must be an architectural reason, but it causes soooooo many problems! Here's the info from someone at Microsoft…

Use A Records for SharePoint Sites When Using Kerberos

Posted on 12. Jul, 2011 by bryan in SharePoint

When given the choice between using an A DNS record or a CNAME DNS record for your SharePoint web applications, favor an A record, particularly if you are using Kerberos authentication. Reference the following TechNet article:

http://technet.microsoft.com/en-us/library/gg502606.aspx

Of particular interest in this article is the following passage:

Kerberos authentication and DNS CNAMEs

There is a known issue with some Kerberos clients (Internet Explorer 7 and 8 included) that attempt to authenticate with Kerberos-enabled services that are configured to resolve using DNS CNAMEs instead of A records. The root of the problem is that the client does not correctly form the SPN in the TGS request: it builds the SPN from the host name (A record) instead of the alias name (CNAME).

Example:

A Record: wfe01.contoso.com

CNAME: intranet.contoso.com (aliases wfe01.contoso.com)

If the client attempts to authenticate with http://intranet.contoso.com, the client does not correctly form the SPN and requests a Kerberos ticket for http/wfe01.contoso.com instead of http/intranet.contoso.com.

Details regarding the issue can be found in the following articles:

http://support.microsoft.com/kb/911149/en-us

http://support.microsoft.com/kb/938305/en-us

To work around this issue, configure Kerberos-enabled services using DNS A records instead of CNAME aliases. The hotfix mentioned in the KB article will correct this issue for Internet Explorer but will not correct the issue for the .NET Framework (which is used by Microsoft Office SharePoint Server for web service communication).
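To make the mismatch concrete, here is an added model of it (not code from this post or from Microsoft): a constructed zone holding the A record and CNAME from the example above, a constructed SPN registration table, and an audit that shows which SPN an affected client would request and whether any account actually holds it.

```python
# Added example modelling the CNAME/SPN mismatch; the zone, the SPN
# registrations and the account name below are all constructed sample data.

# Constructed DNS zone: name -> (record type, value), mirroring the contoso.com example.
ZONE = {
    "wfe01.contoso.com": ("A", "10.0.0.11"),
    "intranet.contoso.com": ("CNAME", "wfe01.contoso.com"),
    "portal.contoso.com": ("A", "10.0.0.11"),  # same server, published via an A record
}

# Constructed SPN registrations: SPN -> account it is registered to (as setspn would list).
# Service-class comparison is case-insensitive in AD, so everything is kept lowercase here.
REGISTERED_SPNS = {
    "http/intranet.contoso.com": "CONTOSO\\svc-spapppool",
    "http/portal.contoso.com": "CONTOSO\\svc-spapppool",
}


def canonical_host(name, zone, max_hops=8):
    """Follow CNAME aliases until an A record is reached; refuse loops and long chains."""
    seen = set()
    name = name.lower()
    while zone[name][0] == "CNAME":
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        name = zone[name][1].lower()
    return name


def expected_spn(url_host):
    """SPN a correct client requests: the service class plus the host named in the URL."""
    return "http/" + url_host.lower()


def affected_client_spn(url_host, zone):
    """SPN the affected clients (IE7/8, .NET) build: the A-record host replaces the alias."""
    return "http/" + canonical_host(url_host, zone)


def audit(url_host, zone=ZONE, registered=REGISTERED_SPNS):
    """Report whether a Kerberos-enabled site reached via url_host is exposed to the bug."""
    want = expected_spn(url_host)
    got = affected_client_spn(url_host, zone)
    return {
        "expected_spn": want,
        "requested_spn": got,
        "mismatch": want != got,
        # A ticket for an SPN not registered to the service account is unusable by the service.
        "registered_to": registered.get(got),
        "remediation": "publish the site as an A record" if want != got else "none",
    }
```

Running `audit("intranet.contoso.com")` reports the request for `http/wfe01.contoso.com` with no account holding that SPN, while `audit("portal.contoso.com")` comes back clean.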

What my team and I experienced is that a customer had a customization which interfaced with Exchange. The browser authentication to the web application appeared to be working fine, but the double-hop to Exchange was failing with a 401 error. All SPNs appeared to be correct. We changed the DNS records from CNAME records to A records and the authentication began to work as expected.

About Brad Saide

I'm a SharePoint consultant. I'm also slowly going bald, seem to have a permanent spare tyre around my waist and enjoy socialising with friends over a beer or 10. The last 2 may possibly be related. Started working with SharePoint when the first version was in limited beta release (participated in the Technology Adoption Program while at Woolworths) and have been committed to the adoption of the technology as a business enabler ever since.

2 Responses to Use A Records for SharePoint Sites When Using Kerberos

  1. Eric Xue says:

    Hi chief, you must be quite busy there to pump out so many goodies to us while we are busy with the client projects 🙂

    Keep all coming, just never had enough with your blogs!

  2. Brad Saide says:

    Had 8 in Draft state, finally pushed them out.
