Why would an IIS hosted site prompt for AD account credential if accessed through a hostname or IP, but not through servername?

I have a webservice running in IIS hosted in a Windows 2016 Nano server. I can access the service just fine if I go through http://servername/service/health

However, if i were to access it via http://[IP Address here]/service/health or http://service.company.com/service/health, it would prompt for AD login credential.

I looked through the DNS record and the IIS ApplicationHost.config and I can't really tell what's wrong with it. I might have missed a setting or two. Can anyone figure out where to look or what to do?


Solution 1:

This looks like a Kerberos issue; if I'm correct, then the server's AD computer account(*) has a registered SPN for HTTP/SERVERNAME (this can be verified with the SETSPN command-line tool), thus automatic Kerberos authentication can happen when the web service is called using the computer's name; however, when calling the web service with any other name, this won't work.

If you want to be able to call the web service using a different name, then you need to add another SPN to the same AD computer account(*), with a command such as SETSPN -S HTTP/service.company.com SERVERNAME.

More info here.

(*) Or the user account which runs IIS's application pool, if you manually configured one.

Solution 2:

Service.company.com would need to be a registered Service Principal Name on the IIS server.

Also, Kerberos integrated authentication by default will not work with an IP address unless the system is configured to do so, and the IP address is a registered Service Principal Name.

https://docs.microsoft.com/en-us/windows-server/security/kerberos/configuring-kerberos-over-ip