Fun with the Kerberos Delegation Web Site
Hi, Rob here. First I want to thank you guys for reading and participating in our blogging efforts. I had one of you e-mail us and ask about the web site I used in the Kerberos Authentication Troubleshooting blogs and if they could get a copy of it.
The web site was created by our IIS support counterparts and it turns out it was released to the web as DelegConfig. Brian Murphy-Booth has a blog about the web site here. We at AskDS do not support the DelegConfig web site, so if you have questions or comments about it leave your feedback at that blog location.
With this web site you can test Kerberos double-hop configurations as well as the newer delegation types, constrained delegation and constrained delegation with protocol transition, from IIS to the following back-end services: SQL Server, file server, OLAP server, or another web server. This documentation exists to help customers who are configuring Kerberos delegation become familiar with all the tasks involved in setting up the environment correctly.
- Active Directory Domain Functional Level must be Windows Server 2003 if you want to test constrained delegation.
- Name resolution (WINS or DNS) is properly working in the environment.
- All computers' clocks are within five minutes of each other.
- All service accounts and server computer accounts (IIS and backend) must exist in the same domain if you are going to configure constrained delegation. Note that the user accessing the resource can be in any domain where Kerberos functions to the domain where the IIS and backend servers exist.
- If you are going to test cross-forest Kerberos authentication or delegation then a working two-way forest trust must exist.
- The test user account that is going to be delegated must not have the account option Account is sensitive and cannot be delegated configured. You will find this in the Active Directory Users and Computers on the user’s Account tab under the Account options heading.
- The default web site in IIS allows Kerberos authentication to be used. If you are not sure, review KB 215383.
- You are using IIS 6 with the ASP.NET component installed.
- You have installed the backend application or service that you want to test.
NOTE: Review Setup and Known issues.txt from the DelegConfig.zip file for proper ASP.NET version to be installed on the IIS Server.
Configuring the Web site and Web Application Pool Account
Extract the zip file to a directory on a server running IIS 6; you can specify any location you wish. According to the DelegConfig blog it can also be used with IIS 7; however, we are only going to show how to configure it with IIS 6.
- When you extract the web site, you need to preserve the folder structure.
- The server running IIS and back-end service should be installed on separate boxes.
- You need to have the ASP.NET component checked in Application Server when you install IIS.
Open Active Directory Users and Computers to create the application pool account.
- We need to create a domain account that will be used for the application pool in IIS. You can name the account anything you wish, for this document we will use the account IISKerbSvc.
- You will need to configure a password for the service account. Also, you should configure the account’s password to never expire. This is configured under the Account tab.
Open IIS Manager to add a virtual directory.
- With the Default Web Site highlighted, right-click and select New, then select Virtual Directory.
- The Virtual Directory Creation Wizard will start, click Next and specify an Alias. For this demo I used KerbDeleg. Then click Next.
- Navigate to the path folder where you extracted the files for DelegConfig.zip, then click Next.
- Choose the defaults and click Next then click Finish.
Now that you have a Virtual Directory named KerbDeleg you need to create an application pool for the web site to use.
Right-click Application Pools and select New then select Application Pool.
The Application Pool ID can be anything and does not have to match the virtual directory name. For this demo I used KerbDeleg. Just name it something unique.
Once you have the virtual directory and the application pool created, you need to make modifications to the virtual directory that we created in Step 3.
Right-click the virtual directory you created in Step 4 (KerbDeleg).
On the Virtual Directory tab click Create.
Change the Application Pool used via the drop-down menu to the one created in Step 4 (KerbDeleg). Note that by default it will be DefaultAppPool.
Make sure Execute permissions is set to Scripts only.
Click the Documents tab, and select Add.
Type Default.aspx in the dialog box and click OK.
Select the Directory Security tab.
Under Authentication and access control click Edit button.
Uncheck Enable anonymous access, and check Integrated Windows authentication.
Click OK twice.
Now we need to change the Identity used by the application pool that we created in Step 4 (KerbDeleg).
Right-click the application pool you created (in this documentation it is KerbDeleg) and select Properties.
Select the Identity tab.
Select Configurable and find the account we created in Step 3 (IISKerbSvc).
Once you have selected the user account and typed in the password for the account, click OK.
Now, we need to add the user account from Step 2 (IISKerbSvc) to the computer local group IIS_WPG.
If the server running IIS is a member server, use Compmgmt.msc (Computer Management).
If the server running IIS is a domain controller, use Dsa.msc (Active Directory Users and Computers) and this group is located in the Users container.
Figure 6 - Adding application pool account to the IIS_WPG group
This step is done to allow the IISKerbSvc (application pool identity) the ability to impersonate the user on the web server. If you look at the computer’s user right assignments you will see Impersonate a client after authentication and the IIS_WPG group is added there by default.
We now need to configure the user account for delegation within the domain. So we need the Setspn tool in the Windows Support Tools, and access to Active Directory Users and Computers.
At a command prompt type the following to find out what Service Principal Names (SPNs) are already associated with your IIS application pool service account:
setspn -L <Domain Name>\<Account from Step 2>
What we want to see is similar to the following:
http/<IIS Web site Address>
http/<IIS Web site Address FQDN>
Note There is no colon (":") anywhere in here when we use HTTP. This is a common mistake that can happen when creating SPNs for web sites.
If you do not see any of the above listed for the application pool service account then we need to add them one at a time via the following command:
setspn -A http/<Web site Address> <Domain Name>\<Account from Step 2>
setspn -A http/<Web site Address FQDN> <Domain Name>\<Account from Step 2>
setspn -A http/webserver01 Contoso\IISKerbSvc
setspn -A http/webserver01.contoso.com Contoso\IISKerbSvc
setspn -A http/www Contoso\IISKerbSvc
setspn -A http/www.contoso.com Contoso\IISKerbSvc
For more information on this topic as it relates to IIS you can review the below web site location:
Configuring Constrained Delegation for Kerberos (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/df979570-81f6-4586-83c6-676bb005b13e.mspx?mfr=true
Configuring the SQL Backend
So that this blog is not too long (yeah, I know I am not known for short blogs) we are only going to show you how to configure the SQL server as the backend and how to test it since this is the most common situation where Kerberos delegation is configured. Keep in mind that for learning how Kerberos multi-hop works you do not need to install the full version of SQL. You can use SQL Express, and it can be installed on any operating system.
Registering a Service Principal Name
Kerberos Authentication and SQL Server
The SQL Server Service can run under basically two types of accounts.
- The Local System also known as the SYSTEM account.
- A domain user account configured as a service account that the customer creates.
The web site can verify either of these configurations, but different steps need to be followed depending on which account the SQL Server service is running under. With all of these configurations it is very important that the correct SPNs are registered to the correct computer or user account.
User Account (Service Account) SPN Configuration
If the SQL Server Service is running as a user account, then we need to make sure that the MSSQLSvc SPN for the computer is not registered to the computer. You can run the following command to determine this:
setspn -L <SQL Server Computer Name>
If this does come back with a MSSQLSvc SPN registered then you will need to delete that SPN from the computer account, by typing the following command:
setspn -D MSSQLSvc/<Computer Name>:<Port> <Computer Name>
setspn -D MSSQLSvc/<Computer FQDN>:<Port> <Computer Name>
Here is an example:
setspn -D MSSQLSvc/SQLSrv1:1433 SQLSrv1
setspn -D MSSQLSvc/SQLSrv1.contoso.com:1433 SQLSrv1
Then verify that the SPNs are no longer registered on the computer account by running the setspn -L command again.
Once that has been verified, we will need to register the MSSQLSvc SPN to the SQL Server service account being used to run the SQL Server by typing the following:
setspn -A MSSQLSvc/<SQL Server Name>:<Port> <Domain Name>\<User Account>
setspn -A MSSQLSvc/<SQL Server Name FQDN>:<Port> <Domain Name>\<User Account>
Here is an example:
setspn -A MSSQLSvc/SQLSrv1:1433 CONTOSO\MSSQLSvc
setspn -A MSSQLSvc/SQLSrv1.contoso.com:1433 CONTOSO\MSSQLSvc
Local System SPN Configuration
If the SQL Server service account is running as Local System (which is not common today), then we need to make sure that the MSSQLSvc SPN for the computer is registered. You can run the following command to determine this:
setspn -L <SQL Server Name>
If this does NOT come back with a MSSQLSvc SPN registered then you will need to add the SPN for the computer, by typing the following command:
setspn -A MSSQLSvc/<Computer Name>:<Port> <Computer Name>
setspn -A MSSQLSvc/<Computer FQDN>:<Port> <Computer Name>
Here is an example:
setspn -A MSSQLSvc/SQLSrv1:1433 SQLSrv1
setspn -A MSSQLSvc/SQLSrv1.contoso.com:1433 SQLSrv1
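The checks described in the two SPN sections above (the http/ SPNs for the IIS application pool account, and the MSSQLSvc SPN belonging to exactly one of the SQL computer account or the SQL service account) can be automated against saved setspn -L output. The following Python script is an added example and is not part of the original post or of DelegConfig; it parses the format setspn -L prints, and the three captures embedded in it are constructed to show one of each mistake: a colon in an http SPN, a missing FQDN variant, and an MSSQLSvc SPN registered on both the computer account and the service account.

```python
"""Audit SPN registrations captured from 'setspn -L' (added example).

Each capture is the text 'setspn -L <account>' prints: a header line,
then one indented SPN per line.  The captures below are constructed.
"""

# Constructed samples; the account names match the post's Contoso lab.
SETSPN_OUTPUT = {
    "CONTOSO\\IISKerbSvc": (
        "Registered ServicePrincipalNames for CN=IISKerbSvc,CN=Users,DC=contoso,DC=com:\n"
        "    http/webserver01:80\n"            # mistake: colon/port in an http SPN
    ),                                        # mistake: FQDN variant missing
    "CONTOSO\\MSSQLSvc": (
        "Registered ServicePrincipalNames for CN=MSSQLSvc,CN=Users,DC=contoso,DC=com:\n"
        "    MSSQLSvc/SQLSrv1:1433\n"
        "    MSSQLSvc/SQLSrv1.contoso.com:1433\n"
    ),
    "CONTOSO\\SQLSrv1$": (
        "Registered ServicePrincipalNames for CN=SQLSRV1,CN=Computers,DC=contoso,DC=com:\n"
        "    HOST/SQLSrv1\n"
        "    HOST/SQLSrv1.contoso.com\n"
        "    MSSQLSvc/SQLSrv1.contoso.com:1433\n"  # mistake: also on the service account
    ),
}


def parse_setspn(text):
    """Return the SPNs listed in one capture, header line dropped."""
    spns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("registered serviceprincipalnames"):
            continue
        spns.append(line)
    return spns


def check_http_spns(spns, host, fqdn):
    """Report the two IIS mistakes the post calls out: a colon anywhere in an
    http SPN, and a missing short-name or FQDN variant."""
    problems = []
    http = [s for s in spns if s.lower().startswith("http/")]
    for spn in http:
        if ":" in spn:
            problems.append(f"http SPN contains a colon: {spn}")
    # Compare host parts only, so a colon-tainted SPN still counts as present.
    present = {s.split("/", 1)[1].split(":", 1)[0].lower() for s in http}
    for expected in (host, fqdn):
        if expected.lower() not in present:
            problems.append(f"missing SPN http/{expected}")
    return problems


def find_duplicates(outputs):
    """Map every SPN (case-insensitive) to the accounts holding it and return
    the ones registered on more than one account.  A duplicated SPN is
    ambiguous to the KDC, which is why the post deletes the computer's
    MSSQLSvc SPN before adding it to the service account."""
    holders = {}
    for account, text in outputs.items():
        for spn in parse_setspn(text):
            holders.setdefault(spn.lower(), []).append(account)
    return {spn: accts for spn, accts in holders.items() if len(accts) > 1}


def audit(outputs, iis_account, host, fqdn):
    """Combine both checks into one findings list."""
    findings = check_http_spns(parse_setspn(outputs[iis_account]), host, fqdn)
    for spn, accts in find_duplicates(outputs).items():
        findings.append(f"duplicate SPN {spn} on " + ", ".join(accts))
    return findings


if __name__ == "__main__":
    for finding in audit(SETSPN_OUTPUT, "CONTOSO\\IISKerbSvc",
                         "webserver01", "webserver01.contoso.com"):
        print(finding)
```

To use it against a real environment, paste the output of setspn -L for the IIS pool account, the SQL service account and the SQL computer account into SETSPN_OUTPUT; the duplicate check is what the post's delete-then-add sequence is protecting against, and it is worth running before the Delegation tab work, since that tab only appears once the account has an SPN.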
Finishing the Configuration for Delegation to Work
Open Active Directory Users and Computers.
Find the user account that the IIS Web site is using for the web application pool and double-click it.
If you are in 2000 native mode for the domain, click on the Account tab and check the box Account is trusted for delegation.
If you are in 2003 domain functional mode, click on the Delegation tab.
NOTE This tab does not exist if you are not in Windows Server 2003 domain functional level or the user account does not have a SPN already defined on the account.
To enable open (unconstrained) delegation, select Trust this user for delegation to any service (Kerberos only).
To enable constrained delegation, select Trust this user for delegation to specified services only.
Click the Add button, and then click on the Users or Computers button.
If the SQL Server service was configured to start as Local System, type in the SQL Server's computer name and click Check Names. Click OK.
If the SQL Server service was configured to start as a domain user account, type in the user account name and click Check Names. Click OK.
For this discussion, remote computer name refers to the backend server that the IIS web site needs to hand the user's Kerberos ticket to.
You will see all available SPNs on the remote system. Select the SPN associated with MSSQLSvc then click OK.
Click OK on the user properties dialog box.
Restart the IIS service.
How to Test the Web Site
Open Internet Explorer and type in the address http://<web site name>/kerbdeleg.
Then click the Add Backend button. You will then get the web page to configure the backend you want to talk to.
Remote address - this should be the SQL Server with which you want to test Kerberos delegation, for example MEMBER1 or MEMBER1.contoso.com.
Service type - this needs to be set to SQL Server.
Listening port - for SQL Server access this port needs to match where SQL Server is listening. By default this is port 1433.
Service account - if the SQL Server service was configured as Local System, set this to Preferred and Local System. If the SQL Server service was configured for a domain account, set this to Configured and type in <domain>\<SQL service account>.
Configuring for Protocol Transition
You will first need to make sure that constrained delegation is configured and working in your lab environment. Once this has been accomplished then you should be able to continue.
Bring up Active Directory Users and Computers.
- Find the user account that is being used for the IIS application pool and Edit the user.
- Click on the Delegation tab, which you can review in Figure 8.
- Select Use any authentication protocol.
- Click OK.
Restart the IIS service.
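The Delegation tab settings from the previous two sections, together with the Account is sensitive and cannot be delegated option from the prerequisites, are stored as attributes on the account, so the resulting configuration can be audited without clicking through the UI. The following Python script is an added example and is not part of the original post or of DelegConfig. It interprets userAccountControl bits and the msDS-AllowedToDelegateTo attribute the way the tab does (the flag values are the documented ADS_USER_FLAG constants); the four account records are constructed stand-ins for an LDAP query result, and the directory lookup itself is left out.

```python
"""Interpret delegation settings stored on Active Directory accounts (added example).

The Delegation tab writes two things: bits in userAccountControl and the list
of target SPNs in msDS-AllowedToDelegateTo.  The records below are constructed
stand-ins for what an LDAP query would return.
"""

# Documented ADS_USER_FLAG bit values.
NORMAL_ACCOUNT = 0x00000200
TRUSTED_FOR_DELEGATION = 0x00080000          # "Trust this user for delegation to any service (Kerberos only)"
NOT_DELEGATED = 0x00100000                   # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # "Use any authentication protocol" (protocol transition)

# Constructed sample accounts, named after the post's lab.
ACCOUNTS = {
    "IISKerbSvc": {  # pool account set up for constrained delegation to SQL
        "userAccountControl": NORMAL_ACCOUNT,
        "msDS-AllowedToDelegateTo": ["MSSQLSvc/SQLSrv1:1433",
                                     "MSSQLSvc/SQLSrv1.contoso.com:1433"],
    },
    "IISKerbSvcPT": {  # same, plus protocol transition
        "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
        "msDS-AllowedToDelegateTo": ["MSSQLSvc/SQLSrv1.contoso.com:1433"],
    },
    "LegacyPool": {  # open delegation, as the 2000 native mode check box sets it
        "userAccountControl": NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION,
        "msDS-AllowedToDelegateTo": [],
    },
    "TestUser": {  # would fail the post's prerequisite
        "userAccountControl": NORMAL_ACCOUNT | NOT_DELEGATED,
        "msDS-AllowedToDelegateTo": [],
    },
}


def delegation_mode(account):
    """Name the mode the Delegation tab would show for this account."""
    uac = account["userAccountControl"]
    targets = account["msDS-AllowedToDelegateTo"]
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"          # any service, Kerberos only
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained+protocol-transition"
    if targets:
        return "constrained"
    return "none"


def can_delegate_to(account, spn):
    """Would the KDC honour a delegation request from this account to spn?"""
    mode = delegation_mode(account)
    if mode == "unconstrained":
        return True
    if mode.startswith("constrained"):
        allowed = {t.lower() for t in account["msDS-AllowedToDelegateTo"]}
        return spn.lower() in allowed
    return False


def user_can_be_delegated(account):
    """False when 'Account is sensitive and cannot be delegated' is set."""
    return not account["userAccountControl"] & NOT_DELEGATED


def audit_double_hop(front_end, backend_spn, user):
    """Findings for one IIS -> SQL hop on behalf of one test user."""
    findings = []
    if delegation_mode(front_end) == "unconstrained":
        findings.append("front end uses unconstrained delegation; constrain it to "
                        + backend_spn)
    elif not can_delegate_to(front_end, backend_spn):
        findings.append(f"front end is not allowed to delegate to {backend_spn}")
    if not user_can_be_delegated(user):
        findings.append("test user is marked 'Account is sensitive and cannot be delegated'")
    return findings


if __name__ == "__main__":
    for name, acct in ACCOUNTS.items():
        print(f"{name}: {delegation_mode(acct)}")
    print(audit_double_hop(ACCOUNTS["IISKerbSvc"],
                           "MSSQLSvc/SQLSrv1.contoso.com:1433", ACCOUNTS["TestUser"]))
```

The audit treats the open setting as a finding on purpose: once constrained delegation to the MSSQLSvc SPN is working, there is no reason to leave the pool account trusted for every service, and the SPN you select on the Delegation tab must match (case aside) the one registered on the SQL computer or service account, which is the comparison can_delegate_to performs.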
Common Problems When Configuring the Site
Prompted for user credentials over and over again – check to make sure that the application pool is correctly configured on the virtual directory. Review Step 5 from above.
Directory Listing Denied error – check to make sure Execute permissions is set to Scripts only under the Virtual Directory tab. Review Step 5 from above.
403 error – check to make sure default.aspx has been added as a default content page. Review Step 5 from above.
404 error – check to make sure that you have installed support for ASP.NET. Look in Add/Remove Windows Components under Application Server and verify that ASP.NET is checked.
- Next in IIS Manager select Web Service Extensions and make sure that ASP.NET is allowed.
- Right-click the Virtual Directory and select Properties.
- Click on the ASP.NET tab, and select an ASP.NET version that is installed.
I hope that you have been able to learn some new things. All the steps outlined here need to be done when configuring Kerberos delegation and this site will definitely help engineers to understand how Kerberos delegation works.
Have fun learning and testing all the different configurations that are possible with this application!
- Rob Greene