re: Kerberos Authentication with IIS

Roy Assaly — Wed, 02 Nov 2005 22:49:26 GMT

Hi,

Thanks for this. I'm exactly in this situation. We've rummaged through all the help documents and used the test page you provided. And just like you said, the IIS servers returned:

"The Negotiate method was used!
The user was logged on using NTLM."

The server that works returned Kerberos. But the problem server doesn't. Setspn is correct, but I'm worried about the app pools.

You see, on the same IIS server in question, someone is also using a web project that relies on kerberos delegation. They created a user on the domain, let's call it domain\specialuser and created a new app work pool, called specialpool and associated it using Setspn. Meantime, mine is still using the default app pool that is running under the default "NetworkService" account. We've already ran the cscript script. I'm now worried that the app pool is messing things up. Either that or someone messed around in the metafile.

I've also verified that we are not running any proxies and that we are using FQDN.

If your web application URL is http://machinea/webappba, and the other party's web application URL is http://machinea/webappb, provided that http://machinea/webappb is correctly authenticating users via Kerberos, the following are simple options you can take that may resolve the matter:

1) Run your web application under the same application pool as the third party, or
2) Create your own application pool and set the identity to domain\specialuser.

This is because the necessary SPNs are assigned to the domain\specialuser account which include:

HTTP/machinea
HTTP/<machinea FQDN>

Keberos authentication will not work against http://machinea unless the host process is running under the security context of domain\specialuser account.

If you wish to maintain the application pool identity as Network Service, and require keberos authentication against your web application, arrange for a domain administrator to give the server an alternative different DNS designation. This is such that you may browse your web application with http://specialdnsdesignation/webappa as well as http://machinea/webappa.

The next step is to add the following SPNs to machinea account:-

HTTP/specialdnsdesignation
HTTP/<specialdnsdesignation FQDN>

Hence, when you run setspn -l machinea the following must be the result:-

HTTP/specialdnsdesignation
HTTP/<specialdnsdesignation FQDN>
HOST/machinea
HOST/<machinea FQDN>

3 Simple Rules to Kerberos Authentication/Delegation SPNs

Blog du Tristank — Mon, 08 May 2006 13:14:28 GMT

The one where I try to boil Kerb down to three simple rules, and then decide that's probably impossible without sub-rules and perhaps a nine article series, and then get bored and go home.

Dog Training » Kerberos Authentication with IIS

Dog Training » Kerberos Authentication with IIS — Sun, 20 Apr 2008 20:07:18 GMT

PingBack from http://dogs-pets.info/dog-training/?p=436