Sharepoint Forum


SPN's and Application Pools

  Asked By: Ray    Date: May 30    Category: Sharepoint    Views: 21740

We have 4 different web applications on one server and we're using
Kerberos authentication. I've read recommendations to use separate
application pool accounts for each web application. However, I've been
told by my Network Admin that there can only be one SPN entry with the
HTTP service class per server. Since all of these accounts are on the
same server, how would I register the SPNs? Without registering the
SPN, the authentication to these applications does not work.

I don't really understand Kerberos and SPNs beyond what I've
explained above. Am I on the right track, or should I be doing
something different? I'm trying to implement best practices.



10 Answers Found

Answer #1    Answered By: Davon Henson     Answered On: May 30

The SPN isn't against the server, it's against the service account.

To set it up you enter

setspn -A HTTP/servername domain\account

As you can see, you can have one server and multiple accounts.

To prove the SPN is against the account rather than the server, you run

setspn -L domain\account

This will list the SPNs for the account and you will see your server there.

If you run

setspn -L servername

you will see the SPNs for the server, which will not include the ones you set.

Ask them to do this and it should put their minds at rest.

Answer #2    Answered By: Faith Delgado     Answered On: May 30

I stand corrected then..............

Answer #3    Answered By: Dara Hobbs     Answered On: May 30

Hope you are well. You can have multiple application pools
with different SPNs pointing to them on the same server. Each of your web
applications must have a different web URL in order for this to work. Once
that is done, you simply need to create all the application pool accounts
and then edit each one using ADSI Edit and add the SPN for that application.

AppPool1 - SPN = HTTP/webapp1.domain.com

AppPool2 - SPN = HTTP/webapp2.domain.com

AppPool3 - SPN = HTTP/webapp3.domain.com

You can even have different port numbers if your sites are hosted that way.

AppPool1 - SPN = HTTP/webapp1.domain.com:1010

AppPool2 - SPN = HTTP/webapp2.domain.com:1011

AppPool3 - SPN = HTTP/webapp3.domain.com:1012

Answer #4    Answered By: Abhinivesh Suvarna     Answered On: May 30

Do I still use this syntax to register:
-A HTTP/webapp1.domain.com DOMAIN\UserName

Or is the username insignificant? Still not quite sure how
everything works together.

Answer #5    Answered By: Micheal Knight     Answered On: May 30

My post about the SPN being recorded against the service account was
correct, so you can follow that. I just didn't realise (as stupid as
that seems) that you could put the URL against the HTTP service.

Answer #6    Answered By: Yvonne Rodriquez     Answered On: May 30

This is all new to me, and it's been a bit confusing.

Answer #7    Answered By: Elisha Abbott     Answered On: May 30

Yes, you do add the URL you are using against the SPN for the
application pool account. Phil's explanation was correct in his procedure
for adding them. You can either use the command line or use ADSI Edit and
browse the AD structure and use the GUI to do it. Either way will do it.
Have fun.
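The procedure described in Answers #1, #3 and #7, as an added PowerShell example that is not part of the original thread: one HTTP SPN set per application pool account, registered with setspn, checked for duplicates first, and then listed from both the service accounts and the computer account to show where the SPNs actually live. The host names, ports and DOMAIN\svc_* accounts are placeholders, not names from the thread. One caveat the thread does not mention: browsers build the requested SPN from the host name alone by default, so HTTP/host (without the port) is the registration that matters for most clients; the script registers that one always and adds HTTP/host:port only when a non-default port is in use. It must be run by an account allowed to write servicePrincipalName on the service accounts.

```powershell
# Added example, not code from the original thread.
# Assumed names: the host names, ports and accounts below are placeholders.

# One entry per web application: its public host name, the port (0 when the
# site runs on the default port) and the app pool account that serves it.
$webApps = @(
    @{ HostName = 'webapp1.domain.com'; Port = 0;    Account = 'DOMAIN\svc_webapp1' },
    @{ HostName = 'webapp2.domain.com'; Port = 1011; Account = 'DOMAIN\svc_webapp2' },
    @{ HostName = 'webapp3.domain.com'; Port = 1012; Account = 'DOMAIN\svc_webapp3' }
)

function Get-HttpSpns {
    param([string]$HostName, [int]$Port = 0)
    # Clients request HTTP/<host> by default, so that SPN is always needed.
    # HTTP/<host>:<port> is added as well when a non-default port is used.
    $spns = @("HTTP/$HostName")
    if ($Port -gt 0) { $spns += "HTTP/${HostName}:$Port" }
    return $spns
}

function Test-SpnRegistered {
    param([string]$Spn)
    # setspn -Q searches the forest for an existing registration of this SPN
    # and prints "Existing SPN found!" when some account already carries it.
    $out = & setspn.exe -Q $Spn 2>&1
    return (($out -join "`n") -match 'Existing SPN found')
}

foreach ($app in $webApps) {
    foreach ($spn in (Get-HttpSpns -HostName $app.HostName -Port $app.Port)) {
        if (Test-SpnRegistered -Spn $spn) {
            # The same SPN on two accounts leaves the KDC unable to pick one and
            # Kerberos fails for that site; find the other owner before adding.
            Write-Warning "$spn is already registered; run 'setspn -X' to locate duplicates"
            continue
        }
        # -S only adds the SPN if it is not already registered elsewhere.
        & setspn.exe -S $spn $app.Account | Out-Null
        Write-Host "registered $spn on $($app.Account)"
    }
}

# The point made in Answer #1: the SPNs are on the service accounts ...
foreach ($app in $webApps) {
    Write-Host "`nSPNs on $($app.Account):"
    & setspn.exe -L $app.Account
}

# ... and not on the web server's computer account, whose list will not
# contain the HTTP/ entries registered above.
Write-Host "`nSPNs on the computer account $($env:COMPUTERNAME):"
& setspn.exe -L $env:COMPUTERNAME
```

After the SPNs are in place and each IIS application pool has been switched to run as its account, a quick end-to-end check from a client workstation is `klist get HTTP/webapp1.domain.com`: a service ticket in the output means the KDC resolved the SPN to the right account; an error there usually means the client is asking for an SPN (for example the short host name, or the name without the port) that was never registered.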

Answer #8    Answered By: Naimish Ranganekar     Answered On: May 30

And a big well done to Liam on being only the 3rd SharePoint MVP in the UK.

Answer #9    Answered By: Caleb Gordon     Answered On: May 30

It also helps me to understand  the product better so we're both winners

Answer #10    Answered By: Goran Ljubic     Answered On: Dec 15

I used the command setspn -S http/mysite:81 domain\administrator and I can access my site only from the server on which SharePoint 2010 is installed. I can't access it from a client workstation. Why? What do I do?
