I had previously blogged on the working of Kerberos and how to troubleshoot authentication issues with Kerberos when it fails. Then I thought it would be good if I can also document the basic steps we look into when configuring Kerberos for a site. Over here we look into step by step process of the changes we need to make when we want to setup Kerberos for a site.
Please go through the blog on how Kerberos works before going through the setup blog.
The below steps will take you through the setup of Kerberos for a site. Steps 1-8 should be sufficient when you want Kerberos for the site to be configured only for single HOP. The steps followed from Step 9 shows you the configuration when you want to configure double hop i.e delegate the logged in account to a backend server (for eg a sql service).
Configuration for single hop:
1) Click on the website, go to authentication and make sure that windows authentication is enabled.
2) Make sure that when you want to use windows authentication, anonymous authentication is not enabled, which is a common mistake I have observed. Because anonymous authentication takes more precedence than windows authentication. Below is the link which talks about precedence in authentication.
3) Enabling windows authentication doesn’t mean Kerberos protocol will be used. It might also use NTLM which is also a provider in windows authentication. In order to setup Kerberos for the site, make sure “Negotiate” is at the top of the list in providers section that you can see when you select windows authentication. Negotiate is a provider or container which supports Kerberos protocol and it also contains NTLM as a backup when Kerberos fails due to some reason. But one important thing to keep in mind over here is when we want to use Kerberos “Negotiate” should be at the top.
4) So above three steps should be sufficient when you want to browse your site with the machine name as http://machinename or http://FQDN of machine name and you need not create any SPN’s (concept of SPN is explained in my previous blog) as you will have a HOST SPN registered to your machine account by default when you join a machine to a domain. HOST SPN is similar to HTTP SPN’s and should be sufficient when you want to access a site over Kerberos.
For eg: If you have a machine with the name ‘illuminati’ a host SPN for illuminati will be present and it will be registered to your inbuilt machine account. You can confirm this through running the below command.
Setspn –l machineaccount
Setspn –l illuminati : this will query for all the SPN’S registered to the machine account illuminati.
5) If you want to access the site with a custom hostname we need to create appropriate SPN for the hostname and we need to register it either to the machine account or to the domain account.
We usually don’t register the SPN to a machine account and choose domain accounts when we have a web farm scenario (same site hosted in multiple servers behind a load balancer) and the same ticket from AD should be accessible in all the machines in the farm.
6) Let’s consider the below scenario with imaginary hostname, machine name and a domain account.
FQDN Machine name: illuminatiserver.domain.com
Domain account: domain\chiranth
Note: Be careful while choosing a hostname. The hostname shouldn’t have “www.” If we have www in the hostname Kerberos will fail, because when a client tries to access a site with hostname www in it, it will try to go over internet rather than intranet zone.
7) For the above requirements with a custom hostname we can create SPN’s in either one of the two ways. It can be chosen on your requirement and the policies you have.
Method 1: Registering a SPN to a machine account.
When you have a custom hostname and you want to register it to a machine account, you need to create an SPN as below.
Setspn –a HTTP/HOSTNAME machineaccount
Eg: setspn –a HTTP/Kerberos.com illuminatiserver
Method 2: Registering a SPN to a domain account.
When you have a custom hostname and you want to register it to a domain account, you need to create a SPN a below.
Setspn –a HTTP/HOSTNAME domainaccount
Eg: setspn –a HTTP/Kerberos.com domain\chiram
Note: These commands can be run on any machines within the domain but In order to create or delete SPN’s you need to be a domain admin privileges.
8) So once we have the proper SPN in place we need to modify the configuration of IIS such that we point IIS to the account to which we have the SPN registered and what account’s credentials IIS needs to use to decrypt the ticket forwarded by the client which obtained from AD. So again based on the above two variations, configuration settings will differ as below.
Method 1: Configuration when we have SPN registered to machine account.
a) Click on the site and go to configuration editor and traverse to the path system.webServer/security/authentication/windowsAuthentication
b) Make sure that usekernel mode is set to true. Usekernel mode setting tells IIS that it needs to use its machine account to decrypt the Kerberos token/ticket which was obtained from AD and forwarded by the client to the server to authenticate the user.
c) Also when have usekernel mode set to true the decryption of the ticket happens at the kernel level which is performance effective and a faster process.
Method 2: Configuration when we have SPN registered to the domain account.
a) Go to advanced settings of your application pool under which your website is running and change the identity to the domain account. In our case it will be domain\chiranth
b) Now Click on the site and go to configuration editor and traverse to the path system.webServer/security/authentication/windowsAuthentication
d) Make sure that you have “useAppPoolCredentials” set to true. When you have “useAppPoolCredentials” set to true you are telling IIS that it needs to use its application pool identity(which we have changed in the previous step to point to domain account) to decrypt the Kerberos token/ticket which was obtained from AD and forwarded by the client to the server to authenticate the user.
c) Also when we have “useAppPoolCredentials” set to true decryption happens at the user level.
Note: If we have both useAppPoolCredentials and kernel mode set to true useAppPoolCredentials takes precedence. Usekernelmode setting was introduced from IIS 7 and higher versions. In IIS 6 and lower version always the application pool identity was used for decryption of the token/ticket and it used to happen at the user level.
Configuration for double hop:
9) The above steps should be sufficient if you expect your site to work over a single Hop. But if you want to delegate the logged in credentials to the backend server, For e.g. if you are passing the logged in credentials to the backend database server and have integrated security = true /SSPI you need to continue following the below steps.
10) Click on site and in authentication section make sure that you have ASP.NET impersonation enabled along with windows authentication.
11) Now you need to specify in AD that the account to which your HTTP service/SPN is registered (for the hostname) is authorized to delegate the user logged in credentials to any backend service (for eg: MSSQL service). This setting again varies on the type of SPN you have registered and might fall under any one of the below categories.
Method 1: When SPN is registered to machine account.
a) Go to Active directory Users and Computers.
b) Click on computers.
c) Search for your computername (in our case illuminatiserver) and go to its properties.
d) Select the delegation tab and choose the second option (unconstrained delegation) ‘Trust this computer for delegation to any service’ where you are authorizing the machine account “illuminatiserver” with the power to delegate the logged in credentials of an user to any backend service running on any machine.
Method 2: When SPN is registered to a domain account.
b) Click on Users.
c) Search for your domain user account (in our case domain\chiranth) and go to its properties.
d) Select the delegation tab and choose the second option (unconstrained delegation) ‘Trust this account for delegation to any service’ where you are authorizing the domain account “illuminatiserver” with the power to delegate the logged in credentials of an user to any backend service running on any machine.
12) We might have policies where we don’t want to enable delegation to all the services i.e we don’t want to have unconstrained delegation setup due to some security policies in such cases we need to enable constrained delegation.
To enable constrained delegation on the delegation tab select the 3rd option where it says “Trust this account for delegation to specified service” and in the bottom windows you can add the list of backend services (MSSQLSVC, CIFS service) specific to the machines to which your SPN account can delegate the login credentials.
For eg: I have registered my HTTP SPN to domain\chiranth and in the delagtion tab of chiranth I have selected the third option “Trust this account for delegation to specified service” and in the list of service I have specified MSSQLSvc/MySQLServer:1433.
The above setting specifies that domain\chiranth account will be able to delegate the logged in credentials in IIS server to only MSSQLSvc running MySQLServer on port 1433 and no other services or machines.
Hope this helps J
thaks for you job. Very clearly explanation.
Very nice article.
Just to ask. Any reason why I don't have 'Provider' option when I choose "Windows Authentication"?.
i think your are using IIS 7 on on a windows 2008 SP2 machine. the providers option is only available in IIS 7.5 on windows 2008 R2 onwards. However there is a workaround, you can access the providers section through the UI using configuration editor. to get configuration editoe on windows 2008 SP2 machine, install the IIS 7 administration pack from www.iis.net/.../administration-pack . once you get the admin pack and config editor to access the providers section go to system.webServer/security/authentication/windowsAuthentication section inside configuration editor. please let me know if you have queries
Do we need to have additional configuration for kerberos if we use loadbalanced web farm using ARR ?
@Rajni: if we are using ARR as a load balancer there are some things wrt SPN's of ARR server we need to take care of. the below blog tells you the extra settings you need to configure when you have ARR as a load balancer
Let me know if you have any queries in particular wrt to the settings
Thanks fro your reply Chiranth,
I used the exact steps that you suggested to configure kerberos and the authentication works fine when i access the applciation using the servername , But when I access the application using the loadbalanced URL it gives error(Support personal can access the application usign loadbalanced URL but the end user cannot) we use netapp filer to store the configuration and application content, Do you think the kerberos needs to be configured at the filer end too ?
when i ask the end user the access the application usign loadbalanced URL adn When i enable failed request tracing in the server it gives the following error "Device attached to the system is not functioning" and he gets a 500 internal error
@Rajni: the way to troubleshoot this would be check what is the difference between the user accounts.check if the account has proper permissions. check accessing a simple html page without any DB access. if there is any intermediary device which might be adding some unwanted headers you might see this. collect fiddler to check the headers being sent from the client and collect network traces on the ARR server and IIS server to check the headers it is receiving. you can also collect fiddler on the ARR server rather than network traces to check the headers going to the backend server and the response coming from it by following the below steps in the troubleshooting section "Fiddler Tracing" of this article.
please let me know if you have any queries
Hi Chiranth, Excellent blog. Great information and very very well explained and written. Thank you for it.
I am a little confused about my use case.
I have been accessing the site with a custom hostname without setting up a SPN via windows authentication. This has been true for both IIS6 or IIS7.5. I never had issues with SPN or ant decryption etc. Is it because my usekernel mode is set to true?
@Anil: Thanks for the response. This might be because one of the two reasons.
1) As you dont have any spn's the authentication might be falling back to ntlm and not Kerberos
2) Or if your custom hostname is a CNAME or alias i.e if the hostname is mapped to the server name rather than directly to the IP address then the SPN will be fetched for the server name which will be present by default.
You can confirm if you are going over ntlm or Kerberos by taking fiddler traces and examining the tokene. below references can tell you the difference in fiddler tokens in ntlm and Kerberos
Please let me know in case of any queries