I have a webservice running in IIS hosted in a Windows 2016 Nano server. I can access the service just fine if I go through http://servername/service/health
However, if I were to access it via http://[IP Address here]/service/health or http://service.company.com/service/health, it would prompt for AD login credentials.
I looked through the DNS record and the IIS ApplicationHost.config and I can't really tell what's wrong with it. I might have missed a setting or two. Can anyone figure out where to look or what to do?
Best Answer
This looks like a Kerberos issue; if I'm correct, then the server's AD computer account(*) has a registered SPN for HTTP/SERVERNAME (this can be verified with the SETSPN command-line tool), thus automatic Kerberos authentication can happen when the web service is called using the computer's name; however, when calling the web service with any other name, this won't work.
If you want to be able to call the web service using a different name, then you need to add another SPN to the same AD computer account(*), with a command such as
SETSPN -S HTTP/service.company.com SERVERNAME
More info here.
(*) Or the user account which runs IIS's application pool, if you manually configured one.
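A read-only check for the situation the answer describes, as an added example that is not part of the original answer: for each name clients use, it looks up which AD account holds a matching SPN and prints the SETSPN -S command for names that have none. The names and account are placeholders taken from the thread; it assumes a domain-joined machine that can query the domain over LDAP.

```powershell
# Added example. Read-only: queries AD in the current domain, changes nothing.
# Names clients use to reach the site (placeholders taken from the thread).
$names = 'SERVERNAME', 'service.company.com'
# sAMAccountName expected to own the SPNs: the computer account, or the
# application pool's user account if one was configured (assumption).
$account = 'SERVERNAME$'

$report = foreach ($name in $names) {
    # HOST/<name> is included because AD's default SPN mappings let a HOST
    # SPN answer HTTP ticket requests.
    $filter   = "(|(servicePrincipalName=HTTP/$name)(servicePrincipalName=HOST/$name))"
    $searcher = [adsisearcher]$filter
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    $owners = @($searcher.FindAll() |
        ForEach-Object { [string]$_.Properties['samaccountname'][0] } |
        Sort-Object -Unique)

    $status = if ($owners.Count -eq 0) {
        'Missing'        # no SPN: Kerberos cannot be used for this name
    } elseif ($owners.Count -gt 1) {
        'Duplicate'      # same SPN on several accounts: Kerberos fails
    } elseif ($owners[0] -ne $account) {
        'WrongAccount'   # SPN exists, but not on the account running the site
    } else {
        'OK'
    }

    [pscustomobject]@{
        Name   = $name
        Status = $status
        Owners = $owners -join ', '
        # Printed only, never executed by this script.
        Fix    = if ($status -eq 'Missing') {
                     "SETSPN -S HTTP/$name $($account.TrimEnd('$'))"
                 } else { '' }
    }
}
$report | Format-Table -AutoSize
```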