I'm experiencing inconsistent behaviour when using the .NET Framework (C# as well as PowerShell) to access a Kerberized HTTP service. It relates to our DNS configuration, and our use of CNAMEs instead of A-records for Kerberized services. The workaround suggested by Microsoft is to ensure that you're using A-records for your hostnames, but this is not an option in my corporate environment.
I need a solution that will allow me to force a specific SPN for a specific URL, ensuring that I use the same hostname for the SPN as for the URL. Alternatively, an option to force a consistent policy for resolving URLs to SPNs.
As always, once you know what you're looking for, the solution is quite easy to find ;-) In this example, I'm using an HTTPS web service on port 8080:
C#:

    // Map the URL prefix (trailing slash included) to the SPN the client must request
    System.Net.AuthenticationManager.CustomTargetNameDictionary
        .Add("https://my-service.tld:8080/", "HTTP/my-service.tld");

PowerShell:

    # Same mapping from PowerShell, kept on one line (a trailing "." does not continue a statement)
    [System.Net.AuthenticationManager]::CustomTargetNameDictionary.Add("https://my-service.tld:8080/", "HTTP/my-service.tld")
Do not forget the trailing slash. Remove :8080 if using port 80.
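A fuller PowerShell walk-through, added here as an example and not part of the original post: it registers the URL-to-SPN mapping, reads it back for a concrete request URL, shows the DNS canonical name (the A-record target a CNAME points at) for comparison, makes a Kerberized request with Windows PowerShell's Invoke-WebRequest, and checks the ticket cache with klist. The hostname, port and path are placeholders; the functions are my own. It targets Windows PowerShell 5.1 on the .NET Framework, where Invoke-WebRequest is built on HttpWebRequest and therefore consults CustomTargetNameDictionary; PowerShell 7's HttpClient-based cmdlets do not.

```powershell
# Added example, not from the original post. Placeholders: my-service.tld,
# port 8080, path /api/health. Assumes Windows PowerShell 5.1 (.NET Framework).

$UrlPrefix = 'https://my-service.tld:8080/'   # trailing slash required, per the post
$Spn       = 'HTTP/my-service.tld'            # must match an SPN registered in AD (setspn -L <account>)

# 1. Register (or replace) the URL-prefix -> SPN mapping for this process.
#    The dictionary rejects keys that are not absolute URLs, so check up front.
function Set-KerberosTargetName {
    param(
        [Parameter(Mandatory)][string]$UrlPrefix,
        [Parameter(Mandatory)][string]$Spn
    )
    if (-not [uri]::IsWellFormedUriString($UrlPrefix, [System.UriKind]::Absolute)) {
        throw "UrlPrefix must be an absolute URL: $UrlPrefix"
    }
    $dict = [System.Net.AuthenticationManager]::CustomTargetNameDictionary
    if ($dict.ContainsKey($UrlPrefix)) { $dict.Remove($UrlPrefix) }
    $dict.Add($UrlPrefix, $Spn)
}

# 2. Read the mapping back for a concrete request URL (lookup is by URL prefix,
#    which is why the trailing slash on the registered key matters).
function Get-KerberosTargetName {
    param([Parameter(Mandatory)][string]$Url)
    [System.Net.AuthenticationManager]::CustomTargetNameDictionary[$Url]
}

# 3. Show what DNS calls the canonical name. With a CNAME in play this is the
#    A-record target, not the hostname in the URL; the forced SPN above sidesteps it.
function Get-DnsCanonicalName {
    param([Parameter(Mandatory)][string]$HostName)
    try   { [System.Net.Dns]::GetHostEntry($HostName).HostName }
    catch { "(lookup failed: $($_.Exception.Message))" }
}

# 4. Kerberized GET using the caller's logon token (Negotiate); no password is stored.
function Invoke-KerberizedGet {
    param([Parameter(Mandatory)][string]$Url)
    Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing
}

# 5. After a successful call the ticket cache should hold a service ticket for $Spn;
#    if it holds one for the A-record name instead, the mapping was not applied.
function Test-ServiceTicket {
    param([Parameter(Mandatory)][string]$Spn)
    $null -ne (klist | Select-String -SimpleMatch $Spn)
}

$RequestUrl = "${UrlPrefix}api/health"

Set-KerberosTargetName -UrlPrefix $UrlPrefix -Spn $Spn
"Forced SPN for ${RequestUrl}: $(Get-KerberosTargetName -Url $RequestUrl)"
"DNS canonical name of my-service.tld: $(Get-DnsCanonicalName -HostName 'my-service.tld')"

$resp = Invoke-KerberizedGet -Url $RequestUrl
"HTTP status: $($resp.StatusCode)"
"Service ticket for ${Spn} in cache: $(Test-ServiceTicket -Spn $Spn)"
```

The mapping is process-wide and lives only for the lifetime of the process, so it has to be set before the first request in every script or application that talks to the service. The klist check is the quickest way to confirm which SPN was actually requested: a ticket for the CNAME's A-record target rather than for HTTP/my-service.tld means the request went out before the mapping was registered, or was made through a client stack that ignores CustomTargetNameDictionary.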