I have a very strange problem. It is not Fiddler related, but Fiddler actually fixes it! I hope someone here can shed some light on what is going on.
I am trying to have a client (Internet Explorer) connect to a web server (IIS) with Kerberos authentication. I access the website using the DNS name for the server (myapp.domain.net) as the URL. When Fiddler is NOT running on the client machine, this happens:
1) Client sends GET request to web server
2) Web server responds with 401 and WWW-Authenticate set to Negotiate
3) Client sends AS request to domain controller
4) Domain controller sends AS response ticket
5) Client sends TGS request to domain controller. Inside the request is the FQDN (iisservermachinename.domain.net) of the web server.
6) Domain controller sends S_PRINCIPAL_UNKNOWN to client
7) Client sends GET request to web server with an NTLM NEGOTIATE_MESSAGE inside
8) Web server sends 401 with an NTLM CHALLENGE_MESSAGE
9) Client sends GET request to web server with an NTLM AUTHENTICATE_MESSAGE inside
10) Web server replies with HTML
This gives NTLM authentication and not the Kerberos authentication I want.
The strange thing is step 5). When Fiddler IS running, it puts myapp.domain.net in the TGS request instead of iisservermachinename.domain.net, and then everything works, because it hits my AD SPNs.
Can anyone tell me what is going on here?
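To tell from a capture which of the two paths above a request actually took, the useful evidence is the token inside the Negotiate header: an NTLM NEGOTIATE_MESSAGE starts with the ASCII signature "NTLMSSP\0", while a Kerberos path carries a SPNEGO (1.3.6.1.5.5.2) token whose mechType list names Kerberos first. The script below is an added example, not code from the original post; it classifies Authorization/WWW-Authenticate header values, derives the conventional HTTP/<url-host> SPN for comparison with what the TGS request asked for, and replays a constructed exchange matching the steps in the post. The SPNEGO tokens and NTLM message bytes in it are constructed samples, and the OID constants are the standard registered values.

```python
import base64
from urllib.parse import urlsplit

# Standard mechanism OIDs in DER (contents-only) form.
SPNEGO_OID = bytes.fromhex("2b06010505 02".replace(" ", ""))   # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")                 # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")              # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b060104018237 02020a".replace(" ", ""))  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def expected_spn(url):
    """Service principal a client is expected to request for an HTTP URL: HTTP/<host as typed>."""
    return "HTTP/" + urlsplit(url).hostname


def classify_negotiate_token(header_value):
    """Classify a WWW-Authenticate or Authorization value as 'challenge', 'ntlm', 'kerberos', etc."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "not-negotiate"
    if not token:
        return "challenge"          # bare "Negotiate" in the server's first 401
    raw = base64.b64decode(token)
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"               # raw NTLM message, no SPNEGO wrapper
    # GSS-API InitialContextToken: [APPLICATION 0] (0x60) then the SPNEGO mech OID.
    if raw[:1] == b"\x60" and SPNEGO_OID in raw[:12]:
        positions = {oid: raw.find(oid) for oid in (KRB5_OID, MS_KRB5_OID, NTLMSSP_OID)}
        present = {oid: p for oid, p in positions.items() if p >= 0}
        if not present:
            return "unknown"
        first_mech = min(present, key=present.get)   # first OID in mechTypes is the one offered
        return "ntlm" if first_mech == NTLMSSP_OID else "kerberos"
    return "unknown"


def detect_ntlm_fallback(exchange):
    """Return the 1-based index of the first NTLM token in a list of (who, header) pairs, or None."""
    for idx, (_who, header) in enumerate(exchange, start=1):
        if classify_negotiate_token(header) == "ntlm":
            return idx
    return None


# --- Constructed sample tokens (short-form DER lengths only, enough for these samples) ---
def _der(tag, content):
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def build_spnego_init(mech_oid, mech_token):
    """Minimal SPNEGO NegTokenInit with one mechType and one mechToken (constructed sample)."""
    mech_types = _der(0xA0, _der(0x30, _der(0x06, mech_oid)))
    token = _der(0xA2, _der(0x04, mech_token))
    neg_init = _der(0xA0, _der(0x30, mech_types + token))
    return _der(0x60, _der(0x06, SPNEGO_OID) + neg_init)


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


NTLM_NEGOTIATE = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 12   # constructed NEGOTIATE_MESSAGE
KRB_AP_REQ_STUB = b"\x6e\x08" + b"\x00" * 8                                # constructed AP-REQ placeholder

# The exchange from the post, reduced to the headers a proxy would see (constructed sample).
SAMPLE_EXCHANGE = [
    ("server", "Negotiate"),
    ("client", "Negotiate " + _b64(build_spnego_init(NTLMSSP_OID, NTLM_NEGOTIATE))),
    ("server", "Negotiate " + _b64(build_spnego_init(NTLMSSP_OID, NTLMSSP_SIGNATURE + b"\x02\x00\x00\x00"))),
]

if __name__ == "__main__":
    print("expected SPN:", expected_spn("http://myapp.domain.net/"))
    for who, header in SAMPLE_EXCHANGE:
        print(who, "->", classify_negotiate_token(header))
    print("first NTLM token at step:", detect_ntlm_fallback(SAMPLE_EXCHANGE))
```

Comparing the output of `expected_spn` with the service name seen in the TGS request on the wire shows whether the client asked for the SPN the URL implies or for one built from the machine's own FQDN; `detect_ntlm_fallback` then pinpoints the request where the client stopped trying Kerberos.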