Kerberos Constrained Delegation – IIS Setup (Part 3 of 6)


In Part 2 of this series (Kerberos Constrained Delegation – Active Directory), I discussed user account and SPN setup as well as Delegation. Next we need to look at setting up IIS and the required SQL services.

IIS

Application Pool – Proper User Account

The application pool that was created for your particular application probably was set up with “Network Service” out of the box.  You will want to change this setting to the proper user that was discussed in Part 1 (Kerberos Constrained Delegation – Setup Tools are Needed) of this series.  Repeat as necessary.

[Image: App_pool]

Web Site – Integrated Authentication

Integrated Authentication can be thought of as “automatic authentication” between Microsoft-aware applications. The current Windows user information is passed via the browser and ultimately allows you to log in without having to supply a user ID and password. To set up Integrated Authentication, go to the appropriate web site(s) and make the “Authentication Methods” window look like the one below.

[Image: Web_Site]

IIS Metabase

Depending on the product installed, the IIS Metabase may or may not have been properly set. A good support article from Microsoft is KB215383; it describes how to set the Metabase. An example of how to check (get) and set the IIS Metabase, after you back it up, could look like:

REM Typical Adminscripts location
cd C:\Inetpub\Adminscripts
REM Check the current value for the web site (WebSite is the Web site ID number).
REM If it is "Negotiate,NTLM" you do not have to do the next step.
cscript adsutil.vbs get w3svc/WebSite/root/NTAuthenticationProviders
REM This is the proper authentication protocol setting
cscript adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "Negotiate,NTLM"
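
The check step above, repeated across several sites, as an added example that is not part of the original article or of KB215383. The site ID numbers, the sample output lines and the assumed shape of the adsutil.vbs "get" output are assumptions made for illustration.

```powershell
# Added example, not from the article. Site IDs below are placeholders.
$AdminScripts = 'C:\Inetpub\Adminscripts'      # typical location, per the article
$SiteIds      = 1, 2                           # placeholder Web site ID numbers
$Expected     = 'Negotiate,NTLM'               # value the article calls proper

function Get-ProviderState {
    param([string[]]$AdsutilOutput)
    # Assumed adsutil "get" output shape:
    #   NTAuthenticationProviders : (STRING) "Negotiate,NTLM"
    $text = $AdsutilOutput -join "`n"
    if ($text -match 'NTAuthenticationProviders\s*:\s*\(STRING\)\s*"([^"]*)"') {
        $value = $Matches[1] -replace '\s', ''
        if ($value -ieq $Expected) { return 'OK' }
        return "Mismatch ($value)"
    }
    return 'NotSet'    # no value at this node, or the get itself failed
}

# Constructed sample outputs (not captured from a real server).
$samples = @(
    'NTAuthenticationProviders       : (STRING) "Negotiate,NTLM"',
    'NTAuthenticationProviders       : (STRING) "NTLM"',
    'The parameter "NTAuthenticationProviders" is not set at this node.'
)
foreach ($s in $samples) { '{0,-16} <- {1}' -f (Get-ProviderState $s), $s }

# Live check: runs only where adsutil.vbs exists. Read-only; it prints the
# set command for review instead of running it (back up the Metabase first).
$adsutil = Join-Path $AdminScripts 'adsutil.vbs'
if (Test-Path $adsutil) {
    foreach ($id in $SiteIds) {
        $path  = "w3svc/$id/root/NTAuthenticationProviders"
        $state = Get-ProviderState (& cscript.exe //nologo $adsutil get $path)
        '{0,-45} {1}' -f $path, $state
        if ($state -ne 'OK') {
            "  to set: cscript adsutil.vbs set $path `"$Expected`""
        }
    }
}
```

A site reported as Mismatch (NTLM) will never offer Negotiate to the browser, so Kerberos delegation cannot start there until the value is set.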

SQL Server Service

In our example, we were using the SQL Server service for the Database box. Notice in the example below that this service is set up with the proper domain user account (domain\SQLService).

[Image: SQL]

This section of the series describes how to set up IIS and SQL Server using the proper user accounts, SPNs, and Delegation from Part 1 (Kerberos Constrained Delegation – Setup Tools are Needed) and Part 2 (Kerberos Constrained Delegation – Active Directory).  Next, I will describe Internet Explorer (client) setup.

FUTURESULTS, LLC Blog and FUTURESULTS, LLC Web Site are both created by Robert Lambrecht.
