Sql-server – Clear SPN changes from server cache

Tags: active-directory, iis-7.5, spn, sql server

We have in-house IIS apps built on ASP.NET 2.0 running on IIS 7.5 - Server 2008 R2 x64. Back end is SQL 2005. It uses Kerberos (Windows integrated) authentication. Once in a while we need to change SPNs that map the site name to the server, when a new server is put into production or a site is moved to a different server.

Most recent change required me to reboot the IIS & SQL servers for the SPN change to take effect. Before reboot, users get authentication errors in IE.

Is there a less intrusive way to get the SPN changes to take effect? These are 24/7 production sites, so service restarts and/or server reboots are difficult.

Best Answer

You can use klist on each of your server instances to clear the cached tickets:

http://technet.microsoft.com/en-us/library/hh134826.aspx

My problem is with cached tickets on the client side, which can also cause problems.

Adding new SPNs to existing service ids
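The klist approach from the answer above, written out as an added example (not part of the original answer): it checks the SPN registration first, then purges cached Kerberos tickets for the logon sessions that services typically run under. The SPN value is a placeholder, and treating batch and service logon types as the sessions where app pool and service identities live is an assumption.

```powershell
# Added example. Run from an elevated Windows PowerShell prompt on each IIS and SQL server.
param(
    # Placeholder SPN (assumption); substitute the SPN you just changed.
    [string]$Spn = 'HTTP/intranet.example.com'
)

# 1. Show which account currently holds the SPN.
setspn.exe -Q $Spn

# 2. Look for duplicate SPNs. A duplicate keeps Kerberos failing
#    no matter how often tickets are purged.
setspn.exe -X

# 3. Build the list of logon sessions to purge:
#    0x3e7 = LocalSystem (the computer account), 0x3e4 = NetworkService,
#    plus batch (4) and service (5) logons, where app pool and
#    service accounts with custom identities normally run (assumption).
$luids = @('0x3e7', '0x3e4')
$luids += Get-WmiObject Win32_LogonSession |
    Where-Object { $_.LogonType -eq 4 -or $_.LogonType -eq 5 } |
    ForEach-Object { '0x{0:x}' -f [int64]$_.LogonId }

# 4. Purge the ticket cache of each session; the next outbound
#    request from that session fetches fresh tickets from the KDC.
foreach ($luid in ($luids | Select-Object -Unique)) {
    Write-Host "Purging Kerberos tickets for logon session $luid"
    klist.exe -li $luid purge
}
```

On a client machine, plain `klist purge` run as the affected user clears that user's own ticket cache.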
