Kerberos Constrained Delegation – Internet Explorer Setup (Part 4 of 6)

In Part 3 of this series (Kerberos Constrained Delegation – IIS Setup), I discussed IIS Setup (application pool, web site, and IIS Metabase) and gave and example for SQL Server setup.  In order for Kerberos to work, you have to get the local client information to pass to IIS.  In our example we wanted to use Integrated Security or “automatic authentication” between Microsoft aware applications.  To set up Internet Explorer, make sure that the follow three items are set correctly.

Enable Integrated Windows Authentication*

Make sure to enable the checkbox.


Trusted or Local Security Zone

Go to the appropriate zone for your particular setup (either Trusted or Local) and make sure to enable “Automatic logon with current user name and password” for this zone.  The recommended zone is Trusted; however, if you try to open a second tab (and your first tab is in the Trusted zone), it will either give the user a warning or open in a new window.  This is the expected behavior of the browser.  You may want to use Local to avoid this issue.  In the example below, we defined a policy to make sure this was setup correctly.


Add Servers to the appropriate Security zone

Add the servers that you have involved in your Kerberos trust to the appropriate zone.  In the case shown below, I am adding the Reporting Server and the MOSS 2007 server.  See the note under “Trusted or Local Security Zone” above to help you make your decision on which zone to use.


This part of the series describes several setup items for Internet Explorer.  In Part 1 of this series (Kerberos Constrained Delegation – Setup Tools are Needed), I described an example scenario and a tool requirements list that would be fantastic if it could be integrated into a single setup tool.  Next, I will describe troubleshooting tools for Kerberos.

FUTURESULTS, LLC Blog and FUTURESULTS, LLC Web Site are both created by Robert Lambrecht. Tags: , , , , , , , , , , , , , , , , , , , , ,
This entry was posted in Security and tagged , , , , , , , , , , , , , , , , , , , , , , . Bookmark the permalink.

2 Responses to Kerberos Constrained Delegation – Internet Explorer Setup (Part 4 of 6)

  1. Pingback: Kerberos Constrained Delegation – Troubleshooting Tools (Part 5 of 6) | FUTURESULTS, LLC Blog

  2. Pingback: Kerberos Constrained Delegation – Wrap-up (Part 6 of 6) | FUTURESULTS, LLC Blog

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s