KERBEROS - Inside OUT
General Kerberos scenario
- Client logs in to the KDC using the domain account.
- The KDC responds with the TGT. (Provided by the TGS within the KDC).
- Now the client sends the TGT and a session request for the particular middle tier machine to the KDC.
- The KDC issues back the Session ticket for the middle tier back to the client.
- The client uses the Session ticket to communicate with the Middle tier machine.
- All computers should be running on Windows 2000 and above.
- All the IE should be > V 6.0.
- All the computers should be in the same domain / trusted domain.
- AD should not be in the Load Balancing architectures.
- All the machines should be MDAC 2.6 or later.
- Ping the middle tier and the Back end servers and see if it resolves the FQDN properly.
- Check the following in the IE of the client machine.
i. Enable windows integrated authentication in the IE tools.
ii. Check the bypass proxy settings for the local address.
iii. Middle tier in the Trusted sites.
Check if the middle tier is configured for EMPTY STRING or “Negotiate,NTLM”.
From the command prompt run the following,
Go to the AdminScripts folder in the inetpub.
C:\Inetpub\AdminScripts>cscript adsutil.vbs get
- Check if it returns the following output,
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
NTAuthenticationproviders : (STRING) "Negotiate,NTLM"
- If not use the set "Negotiate,NTLM" to set it manually.
cscript adsutil.vbs set w3svc/1/root/Vdir/NTAuthenticationProviders "Negotiate, NTLM"
Active Directory specific check lists
1. Check if the SPN’s are properly set for the middle tier (IIS) for the account under which your Application Pool is running. (If website is in non-default port, include the port number as well separated by “ : ” from the machine name / FQDN )
Only HOST SPN’s are required (created by default) when your Application Pool is running under Local System account or Network Service.
Required SPN’s: (for the account under which your Application Pool is running)
When your website is using HOST Headers:
Only HOST SPN’s are required (created by default) when your Application Pool is running under Local System account.
For Application Pool running under Network Service, we need the HTTP SPN’s for the computer name.
If the Application pools are running under Domain account then we need the HTTP SPN’s for that Domain account.
For IIS 7.0 running under the Kernel authentication mode:
No SPN’s are required when you browse the website using the machine name / FQDN and your application pool runs under Local System / Network Service / Domain account.
When your website is using HOST Headers:
When your application pool runs under Local System / Network Service / Domain account the following SPN’s have to be set for the Machine Name.
2. Check the SPN’s for SQL Server for the account under which your SQL Server service is running.
SPN’s are automatically set for the Local System account and Network Service account.
Stand alone SQL Server:
- MSSQLsvc/machinename:1433 (Port number on which SQL is listening)
- MSSQLsvc/machinename.domain.com:1433 (Port number on which SQL is listening)
SQL Server in a cluster: (SPN is to be set for the FQDN of the virtual name)
- MSSQLsvc/virtualname.domain.com:1433 (Port number on which the SQL is listening)
3. Verify there are no duplicate SPN’s present.
4. Make sure the USER account is NOT marked “Account is sensitive and not trusted for delegation”.
5. Middle tier computer must be trust for delegation “Trust computer for delegation”.
6. Middle tier service account should be trusted for delegation “Account is trusted for delegation”.
7. Middle tier service account should be in the following groups.
i. Act as part of operating system.
ii. Impersonate a client after authentication.
Middle tier check list
- IIS account SPN’s are created.
- IIS account is trusted for delegation.
- IIS virtual directories are set for windows integrated authentication.
- The application connection string should contain Integrated Security = SSPI.
- The ASP.NET web application should contain <Identity Impersonate = true/> in the web.config.
- The USER must have appropriate permissions.
SQL Server check list
- SPN’s should be properly created.
- The account should be given permissions in the DB.
- The SQL Server should be listening either in TCP or Named pipes.
KB 811899 – How to troubleshoot cannot generate SSPI context.
KB 294382 – Authentication may fail with ‘401.3’ Error if the web sites HOST HEADER differs from servers NETBIOS name.
KB 262177 – How to enable Kerberos event logging.
KB 817384 – How to use Kerberos authentication for Microsoft SQL Server 2000 Analysis Services.
KB 326985 – How to troubleshoot Kerberos related issues IIS.
KB280830 - Kerberos Authentication May Not Work If User Is in Many Groups
Each group user is a member of makes Kerberos SSPI token bigger Many programs written to use SSPI (like our SQL Server drivers) did not anticipate such large SSPI tokens
KB324914 - SQL Server Connection Fails When RC4 Encryption Is Disabled (we fixed large token issue with this hotfix and later builds of ssnetlib.dll) “Communication link failure” during initial connection is the error you will see when this problem occurs.
HTTP.SYS Overview: https://msdn.microsoft.com/en-us/library/aa364510.aspx
Reporting Service 2008 URL reservations: https://msdn.microsoft.com/en-us/library/bb677364.aspx