Kerberos fails when accessing site by IP address

Question

Problems appear when accessing Kerberos protected site by IP address. For example:

http:/10.10.1.x:3001/ gives failure.

http:/my-host:3001

Answer 1

I realize this is a very old thread, but it is a top choice for any related searches. I think it's worth noting that Microsoft has recently added Kerberos client support using IPv4 and IPv6.

Beginning with Windows 10 version 1507 and Windows Server 2016, Kerberos clients can be configured to support IPv4 and IPv6 hostnames in SPNs.

To reduce the impact of disabling NTLM a new capability was introduced that lets administrators use IP addresses as hostnames in Service Principal Names. This capability is enabled on the client through a registry key value.

Since this is a client-side fix, your Kerberos client must be running an appropriate version of Windows and receive the TryIPSPN registry entry. Your service must also have an IP-based SPN registered to it in Active Directory.

Answer 2

In a Microsoft KB article it says that is by design:

https://support.microsoft.com/en-ca/kb/322979

The title of the above KB is: Kerberos is not used when you connect to SMB shares by using IP address

Answer 3

Kerberos does not work with IP adresses, it relies on domain names and correct DNS entries only.