EPiServer Authentication using Kerberos and Custom App Pool Identity
I recently had a hard time to get Windows authentication working properly.
I installed a standard EPiServer CMS SP3, with Authentication mode "windows", and configured the site to use integrated security against the Sql Server.
This was going to be the intranet site, or at least the test site for the intranet.
The window dialog appeared and despite supplying all kinds of usernames and passwords, the site refused to accept my credentials.
What has happened? This is usually working fine out of the box with a minimum of necessary brain activity.
It took half a day before I found the solution, and I hope that anyone that encounter the same problem, will find some help here.
The problem was that the site (Application pool) was running under a custom identity, and that browsing was against the computer name, which means that Kerberos authentication is being used.
Browsing with the IP or the DNS alias, was no problem at all, since NTLM handshake works fine. Single sign on without any hesitation.
Log on the webserver using a domain admin account.
Download the SPN tool, and install it.
Start command prompt in the same directory as you installed setspn.
Use the setspn command to authenticate the account on the server/domain.
setspn -A HTTP/<servername> <domain>\<account>
"setspn -A HTTP/srv01 domain1\episervice"
"setspn -A HTTP/srv01.mycomppany.com domain1\episervice"
You must authenticate all hosts, otherwise it won't work.
You can list all hosts with "setspn -l <servername>"
Note that this is only necessary to do when you run the website under a pre configured account, in other more common scenarios, the Kerberos authentication will work just fine.