tomcat+waffle+webdav strange behavior with dns aliases

Mar 2, 2012 at 9:14 PM

I have a web UI and WebDAV provider running on Tomcat 6 (as separate apps) and protected by Waffle's NegotiateAuthenticator. Tomcat runs as a service under the system account. Everything works beautifully hitting the web UI and WebDAV apps when I use the machine name or the machine name + AD domain name. After a bunch of head bashing, and setting the appropriate SPN, using the machine name + external domain name also works perfectly.


However, I am running into problems when I try to use a DNS alias for the machine.  In my case, the DNS alias is used to select servers that are physically close to the user (as opposed to a typical load balancing setup).  What happens is that although the web UI works just fine, all the file edit WebDAV functionality breaks (PUT calls).  Oddly, I can still create directories (MKCOL operation) without issue.  Looking at the NegotiateAuthenticator, I can see all the requests are coming across apparently fine.  Paired with Fiddler logs captured from Windows Explorer talking WebDAV, the DNS aliased setup isn't sending any content along with the PUT while the machine name setup does.  I can also see that there are FAR more 401 negotiates going back and forth when hitting the app via the DNS alias.


So what I need help with is to see if there is something that I can do to get my app working correctly when accessed with the different namings AND without having to set an SPN on a single machine to match the DNS name (I tried that but it broke all of the location-based servers since an SPN can only be attached to a single AD object).


For illustration, my setup is like this....

server name: server1 (

AD domain name:

external domain name:

alias name:

added an extra SPN for server 1:   setspn -A HOST/ server1

web ui (each one works perfectly)



http://server1:8090/webdav  (THIS ONE DOESN'T WORK with at least PUTs)


Finally, the really weird part is that when I do an install of the WebDAV layer with the corresponding IIS components, every permutation works.


Any thoughts are appreciated.  We're limping along with IIS, but it isn't as fast or easy to maintain as the Tomcat setup.




Mar 7, 2012 at 12:30 PM

Honestly I don't know. I am sure IIS does something way smarter in its code, but there's no way to know. 

Maybe you'll have a chance on the list?