Kerberos Hostname mapping

Subject: Kerberos Hostname mapping
Date: Thu, 30 Oct 2008


I have a web server called portal.myc.local
I must implement Kerberos Constrained Delegation,
to impersonate the end user in a downstream application (on another

I am using Kerberos to authenticate users (for SharePoint).
I have my SPN as HTTP/portal.myc.local MYC\apppoolaccount
This is working well.

For external access, public DNS has registered to me, and I have my public DNS pointing to and for testing right now to my web server
I have created a wildcard SSL certificate for * (Using

(When I move along, this will be secured via ISA server in my DMZ, the certificate will be self signed)


Through Kerberos, my internal connections work properly.
Externally, Kerberos fails, and authenticates me via NTLM.
Even if I do this from the LAN by using a hosts file entry to point to my internal web server, it still falls back to NTLM.


I believe what I need to do is map to myc.local so that the Active Directory domain controller on myc.local sees these as members of the same realm. How do I accomplish this?
Is this correct? Can I authenticate like this?
Any documentation source recommendations?
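The behaviour described in the post (Kerberos for the internal name, NTLM for any other name, hosts-file entry making no difference) follows from how the client derives the service principal name. This added example, not part of the original post, models that derivation and checks a set of hostnames against the SPNs registered on the service accounts; the external hostname `portal.example.com` is a constructed placeholder, while `HTTP/portal.myc.local` and `MYC\apppoolaccount` come from the post.

```python
from dataclasses import dataclass, field


@dataclass
class ServiceAccount:
    """An AD account and the SPNs registered on it (servicePrincipalName)."""
    name: str
    spns: set = field(default_factory=set)


def spn_for_url_host(host: str, service_class: str = "HTTP") -> str:
    """Build the SPN a Windows HTTP client requests for a given URL host.

    The client uses the host name as typed in the URL (port removed,
    case-insensitive). A hosts-file entry only changes the IP reached,
    not the name in the URL, so it cannot change the SPN requested.
    """
    hostname = host.split(":")[0].rstrip(".").lower()
    return f"{service_class}/{hostname}"


def auth_outcome(host: str, accounts: list) -> tuple:
    """Predict the negotiation result for one URL host.

    kerberos  - exactly one account holds the SPN: a ticket can be issued
    ntlm      - no account holds the SPN: the client silently falls back
    duplicate - several accounts hold it: the KDC cannot pick one, and the
                client also ends up on NTLM
    """
    spn = spn_for_url_host(host).lower()
    holders = [a.name for a in accounts if spn in {s.lower() for s in a.spns}]
    if len(holders) == 1:
        return ("kerberos", holders[0])
    if not holders:
        return ("ntlm", None)
    return ("duplicate", sorted(holders))


def missing_spns(hosts: list, accounts: list) -> list:
    """SPNs that must be added before every listed host can use Kerberos."""
    return [spn_for_url_host(h) for h in hosts
            if auth_outcome(h, accounts)[0] == "ntlm"]


# Constructed sample: the post's working internal SPN, and an external
# hostname (placeholder) that has no SPN registered anywhere.
ACCOUNTS = [ServiceAccount("MYC\\apppoolaccount", {"HTTP/portal.myc.local"})]
HOSTS = ["portal.myc.local", "portal.example.com"]

if __name__ == "__main__":
    for h in HOSTS:
        print(h, "->", auth_outcome(h, ACCOUNTS))
    print("SPNs to register:", missing_spns(HOSTS, ACCOUNTS))
```

The same check applied to a real environment would read the SPN sets from `setspn -L <account>` output; the point is that the account the client reaches must hold one SPN per hostname users type, and no SPN may be held by two accounts.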