Re: Kerberos Delegation of Authentication

The SPN I would use is the DNS the web browser would use,
internal.mysite.local. Thus you should be able to do:

HOST/internal.mysite.local

and be done with it. You can also do HTTP/internal.mysite.local and that
should work, but HOST is an alias for a bunch of different services in
windows including HTTP.

Then, as long as each app pool is configured with that identity, you should
be able to get Kerberos auth via IWA with no problem.

Depending on how the load balancer works, you might need to also set the
machine-specific DNS names. I've not had to do that before though. The
negotation is based on what the client thinks it is contacting.

I use a tool from the IIS6 Resource Kit for testing this. It is a low level
graphical tool for creating HTTP requests and getting responses back. You
can specify different authentication options, including negotiate. A
Kerberos negotiation looks different from an NTLM one, especially when you
supply specific credentials, as the response is MUCH larger. Sniffing the
network traffic is also helpful.

In IIS, as long as the metabase is configured to use Negotiate, you are
fine. It is possible to also set it to specifically use Kerberos, but that
may not be necessary. You might consider that though if NTLM will not be
acceptable (which it sounds like it won't).

Joe K.

"Chris Geier" <chris.geier at gmail.com> wrote in message
news:E93B6070-2CC9-4495-9B01-E56D0281B75C@xxxxxxxxxxxxxxxx
>
> Joe I need to clairfy your subte caveat commnets. Here is how I
> understand
> it.
>
>
> So lets say
>
> I have 3 load balanced webservers, load balanced by a hardware load
> balancer.
>
> Server1
> Server2
> Server3
>
> The websites on these 3 servers are obviously accessed through the
> loadbalancer and this is setup as a DNS name of internal.mysite.local. I
> have
> some code on this website that needs to access a backend resource so I
> need
> to make sure Kerberos and the delegation of authentication is working
> properly. The identity that the app pool is working under is
> internal\website "Domain\username" So my first step is to make sure that
> the
> websites themselves are setup for kerberos by using adsutil. Once I do
> that
> I need to set the spn for each server as follows
>
> setspn -A HTTP/server1 internal\website
> setspn -A HTTP/internal.mysite.local internal\website
>
> Now I should not need to repeat the second command since it will be
> identical on all 3 servers I just need to do the other 2 servers as
> follows.
>
> setspn -A HTTP/server2 internal\website
> setspn -A HTTP/server3 internal\website
>
> Once I do all of this and trust for delegation for the account we should
> be
> good. There are no duplicate issues here correct?
> "Joe Kaplan (MVP - ADSI)" wrote:
>
>> No, just the SPSAdmin account. Delegation belongs to the service account
>> that runs the process. Since the machine account isn't running the app
>> pool, it isn't delegating anything.
>>
>> The other subtle caveat is that the SPSAdmin account needs the SPNs
>> registered corresponding to the DNS name you are using to hit the site.
>> Accounts cannot share SPNs, so you may need to take them away from the
>> machine account in this case. This is the primary reason why I see IWA
>> fail
>> over to NTLM. Kerberos requires that the service account have an SPN
>> registered corresponding to the DNS (or NETBIOS) name used to access the
>> service.
>>
>> Generally, we set up new static IP addresses and DNS aliases to help
>> avoid
>> conflicts. This also allows us to use the same service account to run
>> multiple instances of a service behind a load balancer or something.
>>
>> Joe K.
>>
>> "Chris Geier" <chris.geier at gmail.com> wrote in message
>> news:4E99D323-A669-4E58-8B01-C3528ABACDB1@xxxxxxxxxxxxxxxx
>> > So that means if I have a sharepoint site running under SPSadmin user
>> > account. I have to trust that user account for delegation as well as
>> > the
>> > machine account.
>> >
>> > "Chris Geier" wrote:
>> >
>> >> My question as well. I would love to have some definate answer. I
>> >> would
>> >> think that this will be a very important piece of information for a
>> >> lot
>> >> of
>> >> people.
>> >>
>> >> "Joe Kaplan (MVP - ADSI)" wrote:
>> >>
>> >> > That's helpful for my question. Thanks for reading the docs for me,
>> >> > Lee.
>> >> > :)
>> >> >
>> >> > Does that imply that normal delegation will work across forests if a
>> >> > two way
>> >> > trust is in place? It seems to, but I could not find that
>> >> > explicitly
>> >> > mentioned.
>> >> >
>> >> > Joe K.
>> >> >
>> >> > "Lee Flight" <lef@xxxxxxxxxxxxxxx> wrote in message
>> >> > news:O95W0eHHGHA.3700@xxxxxxxxxxxxxxxxxxxxxxx
>> >> > > "When you use protocol transition across Active Directory forests,
>> >> > > both forests must be operating at the Windows Server 2003 forest
>> >> > > functional level and two-way forest trust must be established
>> >> > > between the forests."
>> >> > >
>> >> > > "You cannot use constrained delegation across a domain boundary.
>> >> > > Constrained delegation is restricted to services in a single
>> >> > > domain.
>> >> > > All domain controllers in the domain must be running Windows
>> >> > > Server
>> >> > > 2003,and the domain must be operating at the Windows Server 2003
>> >> > > functional level."
>> >> > >
>> >> > > Quoted from the summary at the end of
>> >> > >
>> >> > > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx
>> >> > >
>> >> > >
>> >> > > A great Technet bookmark for Kerberos is:
>> >> > >
>> >> > > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/featured/kerberos/default.mspx
>> >> > >
>> >> > >
>> >> > > Lee Flight
>> >> > >
>> >> > >
>> >> > >
>> >> >
>> >> >
>> >> >
>>
>>
>>


.

Relevant Pages

  • Re: second keytab for similar service (but different SPN/IP) breaks the first
    ... as Kerberos is concerned. ... keytab for the SPN which gets configured for JAAS on the service host ... keytab tools included in both Microsfot AD and Apple Open Directory ... the same directory service account) breaks the authentication of the ...
    (comp.protocols.kerberos)
  • Re: IIS integrated authentification file share permission problem
    ... How is the second name "test" configured in DNS? ... My experience with Kerberos is that when using DNS-based names, ... record name and build the SPN based on it. ... (In the network configuration I added the second adress to the adapter ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Howto refresh IIS 6 Application pool identity credential info
    ... You already have 80% of the work setup (DNS Aliases and HostHeaders) on the ... domain accounts (one for each layer) should be sufficient. ... The Application Servers are load balanced clustered, ... as the account name and SPN alias is correctly defined on both nodes. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Number of GC servers
    ... Are you using the Restricted Groups GPO?? ... That might give you an indication as to why labserver works on one server ... DNS is handled by corporate servers. ... If I logon to cmpq02,cmpq04, as "labserver" (a generic account, that is ...
    (microsoft.public.windows.server.active_directory)
  • Re: Integrated Windows Authentication Timeout?
    ... I think you can probably fix that problem by adding the SPN that is being ... queried for to the account running the service. ... Joe Kaplan-MS MVP Directory Services Programming ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ...
    (microsoft.public.dotnet.framework.aspnet.security)