Why would an IIS hosted site prompt for AD account credential if accessed through a hostname or IP, but not through servername?IIS6 Virtual Directory 500 Error on Remote ShareIIS Won't authenticate domain user: 401.2IIS asks for login/pass when accessed using hostname but not when 'localhost' is used. Why?IIS7 Hosted Site Accessable Unique Port But Not Host HeaderPHP not working when accessed through a domain name, but works fine when accessed through IPChange to RS 2008R2 configuration stopped IIS site receiving traffic through load balancer (and its still not working after backing it out)Windows Server 2012 R2 port 443 open, stopping IIS doesn't workCan't connect to site in IIS through DNS Alias, but can connect through localhost

Why would an IIS hosted site prompt for AD account credential if accessed through a hostname or IP, but not through servername?

Why did they avoid parodying Martian Manhunter?

Why is there so little discussion / research on the philosophy of precision?

Was there ever a treaty between 2 entities with significantly different translations to the detriment of one party?

Algorithms vs LP or MIP

Anatomically Correct Whomping Willow

I don't have the theoretical background in my PhD topic. I can't justify getting the degree

Immutable builder and updater

Is there any way to keep a player from killing an NPC?

What do these triangles above and below the staff mean?

Is there any practical application for performing a double Fourier transform? ...or an inverse Fourier transform on a time-domain input?

Is using a hyperlink to close a modal a poor design decision?

Architectural feasibility of a tiered circular stone keep

What would be the challenges to taking off and landing a typical passenger jet at FL300?

How would one country purchase another?

antonym of "billable"

What is the difference between computational complexity and time complexity?

Did a flight controller ever answer Flight with a no-go?

Who was president of the USA?

What is the difference between Major and Minor Bug?

Numbers Decrease while Letters Increase

Avoiding racist tropes in fantasy

Disambiguation of "nobis vobis" and "nobis nobis"

If all stars rotate, why was there a theory developed that requires non-rotating stars?



Why would an IIS hosted site prompt for AD account credential if accessed through a hostname or IP, but not through servername?


IIS6 Virtual Directory 500 Error on Remote ShareIIS Won't authenticate domain user: 401.2IIS asks for login/pass when accessed using hostname but not when 'localhost' is used. Why?IIS7 Hosted Site Accessable Unique Port But Not Host HeaderPHP not working when accessed through a domain name, but works fine when accessed through IPChange to RS 2008R2 configuration stopped IIS site receiving traffic through load balancer (and its still not working after backing it out)Windows Server 2012 R2 port 443 open, stopping IIS doesn't workCan't connect to site in IIS through DNS Alias, but can connect through localhost






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








3















I have a webservice running in IIS hosted in a Windows 2016 Nano server. I can access the service just fine if I go through http://servername/service/health



However, if i were to access it via http://[IP Address here]/service/health or http://service.company.com/service/health, it would prompt for AD login credential.



I looked through the DNS record and the IIS ApplicationHost.config and I can't really tell what's wrong with it. I might have missed a setting or two. Can anyone figure out where to look or what to do?






domain-name-system iis windows-nano-server







share|improve this question







New contributor



Frosteeze is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



























    3















    I have a webservice running in IIS hosted in a Windows 2016 Nano server. I can access the service just fine if I go through http://servername/service/health



    However, if i were to access it via http://[IP Address here]/service/health or http://service.company.com/service/health, it would prompt for AD login credential.



    I looked through the DNS record and the IIS ApplicationHost.config and I can't really tell what's wrong with it. I might have missed a setting or two. Can anyone figure out where to look or what to do?






    domain-name-system iis windows-nano-server







    share|improve this question







    New contributor



    Frosteeze is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.























      3












      3








      3








      I have a webservice running in IIS hosted in a Windows 2016 Nano server. I can access the service just fine if I go through http://servername/service/health



      However, if i were to access it via http://[IP Address here]/service/health or http://service.company.com/service/health, it would prompt for AD login credential.



      I looked through the DNS record and the IIS ApplicationHost.config and I can't really tell what's wrong with it. I might have missed a setting or two. Can anyone figure out where to look or what to do?






      domain-name-system iis windows-nano-server







      share|improve this question







      New contributor



      Frosteeze is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      I have a webservice running in IIS hosted in a Windows 2016 Nano server. I can access the service just fine if I go through http://servername/service/health



      However, if i were to access it via http://[IP Address here]/service/health or http://service.company.com/service/health, it would prompt for AD login credential.



      I looked through the DNS record and the IIS ApplicationHost.config and I can't really tell what's wrong with it. I might have missed a setting or two. Can anyone figure out where to look or what to do?






      domain-name-system iis windows-nano-server




      domain-name-system iis windows-nano-server






      share|improve this question







      New contributor



      Frosteeze is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.










      share|improve this question







      New contributor



      Frosteeze is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.








      share|improve this question




      share|improve this question






      New contributor



      Frosteeze is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.








      asked 8 hours ago









      FrosteezeFrosteeze

      1163 bronze badges




      1163 bronze badges




      New contributor



      Frosteeze is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.




      New contributor




      Frosteeze is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.

























          2 Answers
          2






          active

          oldest

          votes


















          3















          This looks like a Kerberos issue; if I'm correct, then the server's AD computer account(*) has a registered SPN for HTTP/SERVERNAME (this can be verified with the SETSPN command-line tool), thus automatic Kerberos authentication can happen when the web service is called using the computer's name; however, when calling the web service with any other name, this won't work.



          If you want to be able to call the web service using a different name, then you need to add another SPN to the same AD computer account(*), with a command such as SETSPN -S HTTP/service.company.com SERVERNAME.



          More info here.



          (*) Or the user account which runs IIS's application pool, if you manually configured one.






          share|improve this answer

























          • When i do "setspn -L servername" I do see the servername in the list and I added HTTP/service.company.com, but it still won't work. Another thing I noticed is that servername.companyname.com is listed under the same service classes as servername, but using that will give me a prompt for credential.

            – Frosteeze
            6 hours ago


















          2















          Service.company.com would need to be a registered Service Principal Name on the IIS server.



          Also, Kerberos integrated authentication by default will not work with an IP address unless the system is configured to do so, and the IP address is a registered Service Principal Name.



          https://docs.microsoft.com/en-us/windows-server/security/kerberos/configuring-kerberos-over-ip






          share|improve this answer



























            Your Answer








            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "2"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );






            Frosteeze is a new contributor. Be nice, and check out our Code of Conduct.









            draft saved

            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f980476%2fwhy-would-an-iis-hosted-site-prompt-for-ad-account-credential-if-accessed-throug%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown

























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            3















            This looks like a Kerberos issue; if I'm correct, then the server's AD computer account(*) has a registered SPN for HTTP/SERVERNAME (this can be verified with the SETSPN command-line tool), thus automatic Kerberos authentication can happen when the web service is called using the computer's name; however, when calling the web service with any other name, this won't work.



            If you want to be able to call the web service using a different name, then you need to add another SPN to the same AD computer account(*), with a command such as SETSPN -S HTTP/service.company.com SERVERNAME.



            More info here.



            (*) Or the user account which runs IIS's application pool, if you manually configured one.






            share|improve this answer

























            • When i do "setspn -L servername" I do see the servername in the list and I added HTTP/service.company.com, but it still won't work. Another thing I noticed is that servername.companyname.com is listed under the same service classes as servername, but using that will give me a prompt for credential.

              – Frosteeze
              6 hours ago















            3















            This looks like a Kerberos issue; if I'm correct, then the server's AD computer account(*) has a registered SPN for HTTP/SERVERNAME (this can be verified with the SETSPN command-line tool), thus automatic Kerberos authentication can happen when the web service is called using the computer's name; however, when calling the web service with any other name, this won't work.



            If you want to be able to call the web service using a different name, then you need to add another SPN to the same AD computer account(*), with a command such as SETSPN -S HTTP/service.company.com SERVERNAME.



            More info here.



            (*) Or the user account which runs IIS's application pool, if you manually configured one.






            share|improve this answer

























            • When i do "setspn -L servername" I do see the servername in the list and I added HTTP/service.company.com, but it still won't work. Another thing I noticed is that servername.companyname.com is listed under the same service classes as servername, but using that will give me a prompt for credential.

              – Frosteeze
              6 hours ago













            3














            3










            3









            This looks like a Kerberos issue; if I'm correct, then the server's AD computer account(*) has a registered SPN for HTTP/SERVERNAME (this can be verified with the SETSPN command-line tool), thus automatic Kerberos authentication can happen when the web service is called using the computer's name; however, when calling the web service with any other name, this won't work.



            If you want to be able to call the web service using a different name, then you need to add another SPN to the same AD computer account(*), with a command such as SETSPN -S HTTP/service.company.com SERVERNAME.



            More info here.



            (*) Or the user account which runs IIS's application pool, if you manually configured one.






            share|improve this answer













            This looks like a Kerberos issue; if I'm correct, then the server's AD computer account(*) has a registered SPN for HTTP/SERVERNAME (this can be verified with the SETSPN command-line tool), thus automatic Kerberos authentication can happen when the web service is called using the computer's name; however, when calling the web service with any other name, this won't work.



            If you want to be able to call the web service using a different name, then you need to add another SPN to the same AD computer account(*), with a command such as SETSPN -S HTTP/service.company.com SERVERNAME.



            More info here.



            (*) Or the user account which runs IIS's application pool, if you manually configured one.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered 7 hours ago









            MassimoMassimo

            54k45 gold badges172 silver badges289 bronze badges




            54k45 gold badges172 silver badges289 bronze badges















            • When i do "setspn -L servername" I do see the servername in the list and I added HTTP/service.company.com, but it still won't work. Another thing I noticed is that servername.companyname.com is listed under the same service classes as servername, but using that will give me a prompt for credential.

              – Frosteeze
              6 hours ago

















            • When i do "setspn -L servername" I do see the servername in the list and I added HTTP/service.company.com, but it still won't work. Another thing I noticed is that servername.companyname.com is listed under the same service classes as servername, but using that will give me a prompt for credential.

              – Frosteeze
              6 hours ago
















            When i do "setspn -L servername" I do see the servername in the list and I added HTTP/service.company.com, but it still won't work. Another thing I noticed is that servername.companyname.com is listed under the same service classes as servername, but using that will give me a prompt for credential.

            – Frosteeze
            6 hours ago





            When i do "setspn -L servername" I do see the servername in the list and I added HTTP/service.company.com, but it still won't work. Another thing I noticed is that servername.companyname.com is listed under the same service classes as servername, but using that will give me a prompt for credential.

            – Frosteeze
            6 hours ago













            2















            Service.company.com would need to be a registered Service Principal Name on the IIS server.



            Also, Kerberos integrated authentication by default will not work with an IP address unless the system is configured to do so, and the IP address is a registered Service Principal Name.



            https://docs.microsoft.com/en-us/windows-server/security/kerberos/configuring-kerberos-over-ip






            share|improve this answer





























              2















              Service.company.com would need to be a registered Service Principal Name on the IIS server.



              Also, Kerberos integrated authentication by default will not work with an IP address unless the system is configured to do so, and the IP address is a registered Service Principal Name.



              https://docs.microsoft.com/en-us/windows-server/security/kerberos/configuring-kerberos-over-ip






              share|improve this answer



























                2














                2










                2









                Service.company.com would need to be a registered Service Principal Name on the IIS server.



                Also, Kerberos integrated authentication by default will not work with an IP address unless the system is configured to do so, and the IP address is a registered Service Principal Name.



                https://docs.microsoft.com/en-us/windows-server/security/kerberos/configuring-kerberos-over-ip






                share|improve this answer













                Service.company.com would need to be a registered Service Principal Name on the IIS server.



                Also, Kerberos integrated authentication by default will not work with an IP address unless the system is configured to do so, and the IP address is a registered Service Principal Name.



                https://docs.microsoft.com/en-us/windows-server/security/kerberos/configuring-kerberos-over-ip







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered 7 hours ago









                Greg AskewGreg Askew

                29.8k3 gold badges38 silver badges70 bronze badges




                29.8k3 gold badges38 silver badges70 bronze badges























                    Frosteeze is a new contributor. Be nice, and check out our Code of Conduct.









                    draft saved

                    draft discarded


















                    Frosteeze is a new contributor. Be nice, and check out our Code of Conduct.












                    Frosteeze is a new contributor. Be nice, and check out our Code of Conduct.











                    Frosteeze is a new contributor. Be nice, and check out our Code of Conduct.














                    Thanks for contributing an answer to Server Fault!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid


                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.

                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f980476%2fwhy-would-an-iis-hosted-site-prompt-for-ad-account-credential-if-accessed-throug%23new-answer', 'question_page');

                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    Popular posts from this blog

                    Canceling a color specificationRandomly assigning color to Graphics3D objects?Default color for Filling in Mathematica 9Coloring specific elements of sets with a prime modified order in an array plotHow to pick a color differing significantly from the colors already in a given color list?Detection of the text colorColor numbers based on their valueCan color schemes for use with ColorData include opacity specification?My dynamic color schemes

                    Image
                    Would it be easier to colonise a living world or a dead world? Postal services in Italy - Poste Italiane vs. Friendpost vs. GPS What is /dev/null and why can't I use hx on it? Why are engines with carburetors hard to start in cold weather? How to make a gift without seeming creepy? Without exposing his identity, did Roy help his parents with money so that they can afford to stay in their home? Does the Creighton Method of Natural Family Planning have a failure rate of 3.2% or less? How do I break the broom in Untitled Goose Game? Had there been instances of national states banning harmful imports before the mid-19th C Opium Wars? D&D Monsters and Copyright Is sleeping on the groud in cold weather better than on an air mattress? Transiting through Switzerland by coach with lots of cash quadratic equations on 2 by 2 matrices Always Lubricate Skewers? I pay for a service, but I miss the broadcast Iron-age tools, is there a way to extract heavy metals ...
                    Read more

                    Invision Community Contents History See also References External links Navigation menuProprietaryinvisioncommunity.comIPS Community ForumsIPS Community Forumsthis blog entry"License Changes, IP.Board 3.4, and the Future""Interview -- Matt Mecham of Ibforums""CEO Invision Power Board, Matt Mecham Is a Liar, Thief!"IPB License Explanation 1.3, 1.3.1, 2.0, and 2.1ArchivedSecurity Fixes, Updates And Enhancements For IPB 1.3.1Archived"New Demo Accounts - Invision Power Services"the original"New Default Skin"the original"Invision Power Board 3.0.0 and Applications Released"the original"Archived copy"the original"Perpetual licenses being done away with""Release Notes - Invision Power Services""Introducing: IPS Community Suite 4!"Invision Community Release Notes

                    Image
                    Internet forum softwarePHP software Internet communityPHPMySQLdatabase management systemInternet forumCharles WarnerMatt MechamJarvis Entertainment GroupIkonboardInvisionFreeAjaxIPS Community ForumsIPS Community Forumsthis blog entry Invision Community From Wikipedia, the free encyclopedia Jump to navigation Jump to search Invision Community Developer(s) Invision Power Services Stable release 4.4.6 / August 19, 2019 ; 34 days ago  ( 2019-08-19 ) Platform PHP / MySQL Type Forum software License Proprietary Website invisioncommunity.com Invision Community (previously known as IPS Community Suite ) is primarily an Internet community software produced by Invision Power Services, Inc. It is written in PHP and uses MySQL as a database management system. Invision Power Services sell applications that each can be bought and installed separately in addition to the Suite, the most widely known being the Internet forum software Invision Power Boar...
                    Read more

                    François Viète Contents Biography Work and thought Bibliography See also Notes Further reading External links Navigation menup. 21Google Bookspp. 75–77Google BooksDe thou (from University of Saint Andrews)ArchivedGoogle BooksGoogle BooksGoogle BooksGoogle booksGoogle Bookscc-parthenay.frL'histoire universelle (fr)Universal History (en)ArchivedAdsabs.harvard.eduPagesperso-orange.frArchive.orgChikara Sasaki. Descartes' mathematical thought p.259Google BooksGoogle BooksGoogle Bookspp. 152 and onwardGoogle BooksGoogle BooksScribd.comGoogle Books1257-7979Google BooksGoogle BooksGoogle BooksGoogle BooksGoogle BooksGoogle BooksGallica.bnf.frGoogle BooksGoogle Books"François Viète"Francois Viète: Father of Modern Algebraic NotationThe Lawyer and the GamblerAbout TarporleySite de Jean-Paul GuichardL'algèbre nouvelle"About the Harmonicon"cb120511976(data)1188044800000 0001 0913 5903n82164680ola2013766880073431702w6vt1sb70287374827140948071409480

                    Image
                    1540 births1603 deathsPeople from Fontenay-le-ComtePre-19th-century cryptographers16th-century French mathematiciansAlgebraistsFrench cryptographersUniversity of Poitiers alumni LatinSeigneurFrenchmathematicianprivy councillorHenry IIIHenry IVFontenay-le-ComteVendéeLa RochelleLe BusseauBarnabé BrissonmagistrateCatholic League of France.FranciscanPoitiersBachelor of LawsKing Francis I of FranceMary, Queen of ScotsHuguenotLyonJacques of Savoy, 2nd Duke of NemoursMouchampsVendéeCatherine de ParthenayastronomytrigonometryStevinKeplerGiordano BrunoCharles IX of FranceParthenayColignyCondéQueen Jeanne d’Albret of NavarreHenry IV of FranceJacques de ThouSt. Bartholomew's Day massacreAdmiral ColignyJacques, Duke of NemoursParliament of BrittanyRennesHenri, duc de Rohanmaître des requêtesHenry of NavarreHenry III of FranceFontenayBeauvoir-sur-MerNew AlgebraJoseph Juste ScaligerToursSpanishcipherWars of ReligionAloysius LiliusChristopher ClaviusAdriaan van Room...
                    Read more