In Part 3 of this series (Kerberos Constrained Delegation – IIS Setup), I discussed IIS Setup (application pool, web site, and IIS Metabase) and gave an example for SQL Server setup. In order for Kerberos to work, you have to get the local client information to pass to IIS. In our example we wanted to use Integrated Security or “automatic authentication” between Microsoft-aware applications. To set up Internet Explorer, make sure that the following three items are set correctly.
Enable Integrated Windows Authentication*
Make sure to enable the checkbox.
Trusted or Local Security Zone
Go to the appropriate zone for your particular setup (either Trusted or Local) and make sure to enable “Automatic logon with current user name and password” for this zone. The recommended zone is Trusted; however, if you try to open a second tab (and your first tab is in the Trusted zone), it will either give the user a warning or open in a new window. This is the expected behavior of the browser. You may want to use Local to avoid this issue. In the example below, we defined a policy to make sure this was set up correctly.
Add Servers to the appropriate Security zone
Add the servers that you have involved in your Kerberos trust to the appropriate zone. In the case shown below, I am adding the Reporting Server and the MOSS 2007 server. See the note under “Trusted or Local Security Zone” above to help you make your decision on which zone to use.
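The three settings above can also be checked from PowerShell on a client machine. This read-only audit is an added example, not part of the original post; it assumes per-user settings under HKCU that are not overridden by Group Policy, and the two host names are placeholders for the Reporting Server and the MOSS 2007 server.

```powershell
# Read-only audit of the three Internet Explorer settings on this page.
# Assumptions: per-user (HKCU) values, no Group Policy override; host names are placeholders.
$ExpectedZone  = 2    # 1 = Local intranet, 2 = Trusted sites
$ExpectedHosts = @('reports.example.local', 'moss.example.local')   # hypothetical servers
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1. "Enable Integrated Windows Authentication" is stored as EnableNegotiate (1 = enabled).
$negotiate = (Get-ItemProperty -Path $base -Name EnableNegotiate -ErrorAction SilentlyContinue).EnableNegotiate

# 2. The zone's logon option is value 1A00 under Zones\<zone number>.
$logonNames = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}
$logon = (Get-ItemProperty -Path "$base\Zones\$ExpectedZone" -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
$logonText = if ($null -ne $logon -and $logonNames.ContainsKey([int]$logon)) { $logonNames[[int]$logon] } else { 'not set' }

# 3. Site-to-zone assignments live under ZoneMap\Domains\<domain>[\<host>], one value per protocol.
$mapped = @()
Get-ChildItem -Path "$base\ZoneMap\Domains" -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    [string[]]$parts = ($_.Name -split '\\Domains\\', 2)[1] -split '\\'
    [array]::Reverse($parts)                      # "domain\host" -> "host.domain"
    foreach ($proto in $_.GetValueNames()) {
        $mapped += [pscustomobject]@{ Site = ($parts -join '.'); Protocol = $proto; Zone = $_.GetValue($proto) }
    }
}

[pscustomobject]@{
    IntegratedWindowsAuth = if ($negotiate -eq 1) { 'enabled' } elseif ($null -eq $negotiate) { 'not set' } else { 'disabled' }
    ZoneLogonOption       = $logonText
} | Format-List

# Every expected server should be in the chosen zone ...
foreach ($h in $ExpectedHosts) {
    $hit = $mapped | Where-Object { $_.Site -eq $h -and $_.Zone -eq $ExpectedZone }
    '{0,-28} {1}' -f $h, $(if ($hit) { 'in expected zone' } else { 'MISSING from expected zone' })
}
# ... and nothing else should be, since every site in that zone receives automatic logon.
$mapped | Where-Object { $_.Zone -eq $ExpectedZone -and $ExpectedHosts -notcontains $_.Site } |
    ForEach-Object { "unexpected site in zone ${ExpectedZone}: $($_.Site) ($($_.Protocol))" }
```

Set `$ExpectedZone` to 1 if you chose the Local zone instead of Trusted.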
This part of the series describes several setup items for Internet Explorer. In Part 1 of this series (Kerberos Constrained Delegation – Setup Tools are Needed), I described an example scenario and a list of tool requirements that would be fantastic to have integrated into a single setup tool. Next, I will describe troubleshooting tools for Kerberos.