In Part 2 of this series (Kerberos Constrained Delegation – Active Directory), I discussed user account and SPN setup as well as Delegation. Next we need to look at setting up IIS and the required SQL services.
Application Pool – Proper User Account
The application pool that was created for your particular application probably was set up with “Network Service” out of the box. You will want to change this setting to the proper user that was discussed in Part 1 (Kerberos Constrained Delegation – Setup Tools are Needed) of this series. Repeat as necessary.
Web Site – Integrated Authentication
Integrated Authentication can be thought of as “automatic authentication” between Microsoft-aware applications. The current Windows user information is passed via the browser and ultimately allows you to log in without having to supply a user ID and password. To set up Integrated Authentication, you need to go to the appropriate web site(s) and make the “Authentication Methods” window look like the one below.
Depending on the product installed, the IIS Metabase may or may not have been properly set. A good support article from Microsoft is KB215383, which describes how to set the Metabase. An example of how to check (get) and set the IIS Metabase (after you back it up) could look like:
| Command | Notes |
|---|---|
| cd C:\Inetpub\Adminscripts | Typical Adminscripts location |
| cscript adsutil.vbs get w3svc/WebSite/root/NTAuthenticationProviders | WebSite is the Web site ID number. Checks the current value for the web site. If it is "Negotiate,NTLM" you do not have to do the next step. |
| cscript adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "Negotiate,NTLM" | This is the proper authentication protocol setting |
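The check-then-set sequence above as a single PowerShell script, added here as an example and not part of the original post. It assumes the typical adsutil.vbs path from the table, that iisback.vbs sits in System32, that `adsutil get` prints the value as `(STRING) "value"`, and it uses a constructed backup name.

```powershell
# Added example (not from the original post): report, and with -Fix correct,
# NTAuthenticationProviders for one IIS 6 web site.
# Assumptions: the script paths below, and that "adsutil get" prints the value as
#   NTAuthenticationProviders : (STRING) "Negotiate,NTLM"
param(
    [Parameter(Mandatory = $true)][int]$SiteId,  # the Web site ID number
    [switch]$Fix                                 # without -Fix nothing is changed
)

$adsutil  = 'C:\Inetpub\Adminscripts\adsutil.vbs'            # typical location
$iisback  = Join-Path $env:SystemRoot 'System32\iisback.vbs' # assumed location
$node     = "w3svc/$SiteId/root/NTAuthenticationProviders"
$expected = 'Negotiate,NTLM'

function Get-ProviderValue {
    # Returns the configured string, or $null if no value is printed for this node.
    $out = cscript //nologo $adsutil get $node 2>&1 | ForEach-Object { "$_" }
    foreach ($line in $out) {
        if ($line -match '\(STRING\)\s*"([^"]*)"') { return $Matches[1] }
    }
    return $null
}

$current = Get-ProviderValue
if ($null -eq $current) {
    Write-Output "Site ${SiteId}: NTAuthenticationProviders is not set at this node"
} elseif (($current -replace '\s', '') -eq $expected) {
    Write-Output "Site ${SiteId}: already '$current', nothing to do"
    return
} else {
    Write-Output "Site ${SiteId}: current value is '$current'"
}

if (-not $Fix) {
    Write-Output "Re-run with -Fix to back up the Metabase and set '$expected'"
    return
}

# Back up the Metabase first; the backup name is constructed for this example.
$backupName = "pre-ntauth-$SiteId"
cscript //nologo $iisback /backup /b $backupName
if ($LASTEXITCODE -ne 0) { throw "Metabase backup failed; no change was made" }

cscript //nologo $adsutil set $node $expected | Out-Null

# Verify by reading the value back instead of trusting the exit code.
$after = Get-ProviderValue
if ($after -ne $expected) { throw "Value after set is '$after', expected '$expected'" }
Write-Output "Site ${SiteId}: NTAuthenticationProviders is now '$after'"
```

Run it once without `-Fix` to see the current value for each site ID before changing anything.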
SQL Server Service
In our example, we were using the SQL Server service for the Database box. Notice in the example below that this service is set up with the proper domain user account (domain\SQLService).
This section of the series describes how to set up IIS and SQL Server using the proper user accounts, SPNs, and Delegation from Part 1 (Kerberos Constrained Delegation – Setup Tools are Needed) and Part 2 (Kerberos Constrained Delegation – Active Directory). Next, I will describe Internet Explorer (client) setup.