Kerberos Constrained Delegation – IIS Setup (Part 3 of 6)

In Part 2 of this series (Kerberos Constrained Delegation – Active Directory), I discussed user account and SPN setup as well as Delegation.  Next we need to look at setting up IIS and the required SQL services.


Application Pool – Proper User Account

The application pool that was created for your particular application probably was set up with “Network Service” out of the box.  You will want to change this setting to the proper user that was discussed in Part 1 (Kerberos Constrained Delegation – Setup Tools are Needed) of this series.  Repeat as necessary.


Web Site – Integrated Authentication

Integrated Authentication can be thought of as “automatic authentication” between Microsoft-aware applications.  The current Windows user information is passed via the browser and ultimately allows you to log in without having to supply a user ID and password.  To set up Integrated Authentication, you need to go to the appropriate web site(s) and make the “Authentication Methods” window look like the one below.


IIS Metabase

Depending on the product installed, the IIS Metabase may or may not have been properly set.  A good support article from Microsoft is KB215383.  It describes how to set the Metabase.  An example of how to check (get) and set the IIS Metabase (after you back it up) could look like:

rem Typical Adminscripts location
cd C:\Inetpub\Adminscripts
rem Check the current value for the web site (WebSite is the Web site ID number). If it is "Negotiate,NTLM" you do not have to do the next step.
cscript adsutil.vbs get w3svc/WebSite/root/NTAuthenticationProviders
rem Set the proper authentication protocol setting
cscript adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "Negotiate,NTLM"
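
To repeat the check across several sites, the script below wraps the get command above and classifies what it prints. It is an added example, not code from the original article or from Microsoft; the two adsutil.vbs output shapes it parses, the status names and the sample strings are assumptions made for illustration.

```python
import re
import subprocess

ADSUTIL = r"C:\Inetpub\Adminscripts\adsutil.vbs"  # typical location, per the article
EXPECTED = ["negotiate", "ntlm"]                  # the value the article sets

# Assumed output shapes of "adsutil.vbs get" (not shown in the article):
#   NTAuthenticationProviders       : (STRING) "Negotiate,NTLM"
#   The parameter "NTAuthenticationProviders" is not set at this node.
VALUE_RE = re.compile(r'NTAuthenticationProviders\s*:\s*\(\w+\)\s*"([^"]*)"', re.I)

# Constructed sample outputs, so the logic can be exercised away from the server.
SAMPLES = {
    "1": 'NTAuthenticationProviders       : (STRING) "Negotiate,NTLM"',
    "2": 'NTAuthenticationProviders       : (STRING) "NTLM"',
    "3": 'The parameter "NTAuthenticationProviders" is not set at this node.',
}


def classify(adsutil_output):
    """Return (status, providers) for the text printed by 'adsutil.vbs get'."""
    match = VALUE_RE.search(adsutil_output)
    if match is None:
        if "not set at this node" in adsutil_output.lower():
            return "NOT_SET", []        # nothing stored on this node itself
        return "UNPARSED", []           # error text or unexpected output
    providers = [p.strip().lower() for p in match.group(1).split(",") if p.strip()]
    if providers == EXPECTED:
        return "OK", providers          # matches the article's setting
    if "negotiate" not in providers:
        return "NO_NEGOTIATE", providers  # only NTLM is offered, so no Kerberos
    return "REVIEW", providers          # Negotiate present, but the list differs


def check_site(site_id):
    """Run the article's 'get' command for one site ID (IIS host only)."""
    path = "w3svc/%s/root/NTAuthenticationProviders" % site_id
    result = subprocess.run(["cscript", "//nologo", ADSUTIL, "get", path],
                            capture_output=True, text=True)
    return classify(result.stdout)


if __name__ == "__main__":
    for site_id, text in SAMPLES.items():
        print(site_id, *classify(text))
```

On the IIS server itself, call check_site with each Web site ID instead of feeding classify the sample strings.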

SQL Server Service

In our example, we were using the SQL Server service for the Database box.  Notice in the example below that this service is set up with the proper domain user account (domain\SQLService).


This section of the series describes how to set up IIS and SQL Server using the proper user accounts, SPNs, and Delegation from Part 1 (Kerberos Constrained Delegation – Setup Tools are Needed) and Part 2 (Kerberos Constrained Delegation – Active Directory).  Next, I will describe Internet Explorer (client) setup.

FUTURESULTS, LLC Blog and FUTURESULTS, LLC Web Site are both created by Robert Lambrecht.