Subject: Kerberos Hostname mapping
Posted by: spconsultant (gfpilot20…@yahoo.com)
Date: Thu, 30 Oct 2008
I have a web server called portal.myc.local
I must implement Kerberos Constrained Delegation,
to impersonate the end user in a downstream application (on another
I am using kerberos, to authenticate users (for SharePoint).
I have my SPN as HTTP/portal.myc.local MYC\apppoolaccount
This is working well.
For external access, public DNS has mycompany.com registered to me,
and I have
my public DNS pointing to portal.mycompany.com and for testing right
now to my webserver
I have created a wildcard SSL certificate for *.mycompany.com (Using
(When I move along, this will be secured via ISA server in my DMZ, the
be self signed)
Through Kerberos, my internal connections work properly.
Externally, kerberos fails, and authenticates me via NTLM
Even if I do this from the lan by using a host file entry to point to
my internal web server
it still falls back to NTLM
I believe what I need to do is map mycompany.com to myc.local so that
domain controller on myc.local sees these as members of the same
realm. How do I accomplish this?
Is this correct? Can I authenticate like this?
Any documentation source recommendations?
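As an added illustration of the fallback described above (this is example code, not something from the original post): a Windows browser asks the KDC for a service ticket to `HTTP/<hostname as typed in the URL>`, so the external name needs its own SPN on the same service account; the registered SPN set below is constructed from the post, and the assumption that the port is omitted matches Internet Explorer's default.

```python
# Added example (not from the original post): how a Windows Kerberos client
# derives the SPN it requests, and why the external name falls back to NTLM.
from urllib.parse import urlsplit

# Constructed from the post: the only SPN registered on MYC\apppoolaccount.
REGISTERED_SPNS = {"HTTP/portal.myc.local"}


def requested_spn(url: str) -> str:
    """SPN the browser requests: service class HTTP plus the host name exactly
    as typed in the URL (IE omits the port by default). A hosts-file entry
    changes where the TCP connection goes, not this name, and a wildcard TLS
    certificate plays no part in SPN matching at all."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return f"HTTP/{host}"


def kerberos_possible(url: str, registered=REGISTERED_SPNS) -> bool:
    """True if the requested SPN is registered (AD compares SPNs case-
    insensitively). If False the KDC cannot issue a service ticket and the
    client silently falls back to NTLM, which is exactly what the post sees."""
    wanted = requested_spn(url).lower()
    return any(wanted == spn.lower() for spn in registered)


def missing_spns(urls, registered=REGISTERED_SPNS) -> list:
    """SPNs that would have to be added to the service account so that every
    URL in `urls` can be reached with Kerberos instead of NTLM."""
    return sorted({requested_spn(u) for u in urls
                   if not kerberos_possible(u, registered)})


if __name__ == "__main__":
    urls = ["https://portal.myc.local/", "https://portal.mycompany.com/"]
    for u in urls:
        outcome = "Kerberos" if kerberos_possible(u) else "NTLM fallback"
        print(f"{u} -> {requested_spn(u)}: {outcome}")
    print("SPNs still to register:", missing_spns(urls))
```

Running it shows the internal URL resolving to the registered SPN while the external URL maps to `HTTP/portal.mycompany.com`, which is not registered; registering that SPN on the same account (one SPN may only exist on one account in the forest) is what lets the external name use Kerberos.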