Kerberos Hostname mapping

Giganews Newsgroups
Subject: Kerberos Hostname mapping
Posted by:  spconsultant (gfpilot20…@yahoo.com)
Date: Thu, 30 Oct 2008

Background

I have a web server called portal.myc.local.
I must implement Kerberos Constrained Delegation to impersonate the end user in a downstream application (on another server).

I am using Kerberos to authenticate users (for SharePoint).
I have my SPN as HTTP/portal.myc.local MYC\apppoolaccount
This is working well.

For external access, public DNS has mycompany.com registered to me, and I have my public DNS pointing to portal.mycompany.com and, for testing right now, to my webserver.
I have created a wildcard SSL certificate for *.mycompany.com (using SELFSSL).

(When I move along, this will be secured via ISA Server in my DMZ; the certificate will be self-signed.)

Status

Through Kerberos, my internal connections work properly.
Externally, Kerberos fails, and authenticates me via NTLM.
Even if I do this from the LAN by using a hosts file entry to point to my internal web server, it still falls back to NTLM.

Question:

I believe what I need to do is map mycompany.com to myc.local so that the Active Directory domain controller on myc.local sees these as members of the same realm. How do I accomplish this?
Is this correct? Can I authenticate like this?
Any documentation source recommendations?

Replies