Simple IIS Kerberos Q&A
Posting a hopefully-useful tidbit.
Do you have by any chance a guide on how to set up IIS for kerberos auth? I'm helping my customer and I'm a beginner with IIS.
It is a farm of 6 IIS servers, they will be using a service acct.
DNS is configured to do the following resolution:
Websvr -> CNAME -> IP
So for instance the web site is webapp.example.net and points to a CName. The CName obviously is an fqdn (app-prod-vip.example.net) that points to an IP.
The IP points to the VIP of a load balancer that ultimately connects to the IIS server farm.
When setting the SPN do we use the websvr or the CName?
Also, does it matter the browser I'm using on the client for kerberos auth (such as chrome)
Anything special on the web server, besides configuring Windows authentication?
Here’s what I replied with:
Couple of moving parts there – it (a different name, i.e. the load balancer name) won’t work with the default configuration.
You’ll need to ensure that the SPN for the CNAME is only assigned to the service account running the App Pool. If it’s on more than one account, it’s broken.
A DA needs to run:
SetSPN -S http/cname-of-app.fqdn.com DOMAIN\AppPoolAccountName
Where DOMAIN\AppPoolAccountName is the service account you set up for the application.
And that should get kerb where it needs to be from an SPN perspective. If other SPNs have been tried already, they need to be removed (and SetSPN -S should tell you that).
(Once you’ve established an SPN for the account, the Delegation tab should appear for it in ADUC. This allows you to configure constraints or delegation, which you might not be doing, so we’ll cover that last.)
Next, you need to ensure the App Pool Account is set to DOMAIN\AppPoolAccountName (i.e. the same “custom” domain account) on all the boxes. (ApplicationPoolIdentity or NetworkService or LocalSystem or anything other than a Domain account won’t work for load-balanced Kerberos authentication.)
Then, you need to either
- disable Kernel-mode authentication, or
- set useAppPoolCredentials=true
on them all.
There’s a tickbox for K-mode auth under Windows Authentication in IIS; or useAppPoolCredentials goes (I think) in web.config so might be preferable. What either of these does is to move from using the box identity (machine account) to validate tickets, to using the App Pool Account to validate tickets. This is required for a farm scenario, but for a single-box scenario, it’s not necessary (only SPN registration).
Once that’s done, Kerb should work to the websites, which can be validated with a network trace, or by looking at logs. (let’s throw in a reboot after k-mode auth is toggled off for good measure) (Picking Kerb in logs – short version: single 401 www-auth:negotiate/request with long ticket/200 is Kerb, 401/401/200 is NTLM).
I’d always test with IE, I *think* if IE works then Chrome has a good chance. If it doesn’t, no chance
Always test from a remote box (avoids reflection protection), and use klist purge (and a closed browser) to reset between tests.
If Kerb works to the site, you can then configure the App Pool Account in ADUC for constrained delegation to the next hop in the same way. Hit Add, browse for the process identity it’s connecting to (i.e. often the service account if the process is running as a domain identity, not the box name, but if not, the box name) and then pick the right SPN from the list.