When developing an ASP.NET solution for a customer, I run the application locally on my laptop (IIS 5.1, Win XP). For a realistic test scenario I had set up a separate host name for my local computer in my hosts file. I then enabled my application for Integrated Windows Authentication, and was a bit puzzled by why it did not work.
Internet Explorer did not automatically authenticate me when wisiting the web application. The problem turned out to be that there was no Service Principal Name registered in Active Directory that associated the hostname with my computer. Hence, the client could not request a Kerberos service ticket for my web application.
The solution was to run the setspn.exe tool (available in the Windows Server 2003 Support Tools package) to create the desired SPN entry in Active Directory. For example:
setspn -A HOST/my.fake.hostname.com MYCOMPUTER(where MYCOMPUTER is the network computer name for my workstation). You have to be a domain administrator to run this command.
The effect of running this command is that ‘HOST/my.fake.hostname.com’ will be added to the multi value field ‘servicePrincipalName’ on my computer’s entry in Active Directory.