Checklist for Using Windows Authentication

Use the following checklist to configure secure deployment that uses Microsoft Windows Authentication in a distributed environment that includes domain controllers. For a diagram of a secure deployment and detailed instructions about how to deploy a sample secure Web site, see "Deploying a Secure Site" on the Microsoft TechNet Web site, located at https://go.microsoft.com/fwlink/?LinkId=8487.

Domain Controllers

  • Install Active Directory in native mode.

  • Run the executable setspn.exe to set the Service Principal Name (SPN). You can find setspn.exe in the Microsoft Windows 2000 Resource Kit at:

    https://www.microsoft.com/windows2000/techinfo/reskit/tools/default.asp

  • Run setspn -L to verify that host/WebServerNetbios and host/WebServerDNSName exist.

  • Run setspn -L SQLnetbiosName to verify that the SQL Service Principal Name exists.

Web Server

  • Configure for medium isolation (OOB) using IWAM\<computer_name>. No extra credentials for IWAM are required.

    High isolation mode is required in multi-site deployments.

  • Verify that TCP/IP is an enabled protocol (network library) for SQL client connections.

  • On a Windows Server 2003 computer, in Internet Information Services (IIS) 6.0, configure the identity for the IIS worker process. The identity of the IIS worker process is determined by the application pool to which the Web service application belongs.

SQL Server

  • Configure for mixed-mode authentication.

    Note: In mixed mode, SQL Server-based authentication is used between the Web and SQL servers. Only one port must be open on a firewall that separates these servers.

  • Enable the TCP/IP protocol for the server. If you are using a named instance, assign it a port number; SQL Server should then add a Service Principal Name (that is, mssqlsvc/dnsname:port) when the service (MSSQLSVC) is restarted.
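The SPN checks in the Domain Controllers and SQL Server sections above, scripted in PowerShell around the output of setspn -L. This is an added example, not part of the original checklist; the server names, domain and port are placeholders, and the SQL SPN must be checked against the account the MSSQLSVC service runs as (the computer account when it runs as LocalSystem).

```powershell
# Added example (not from the original checklist): verify that the SPNs the
# checklist requires are registered, by parsing the output of "setspn -L".
# WEBSRV01, SQLSRV01, corp.example.com and port 1433 are placeholder values.

function Get-RegisteredSpn {
    param([Parameter(Mandatory)][string]$Account)
    # setspn -L prints a header line ("Registered ServicePrincipalNames for ...")
    # followed by one indented SPN per line; keep only the SPN lines.
    & setspn -L $Account 2>&1 |
        ForEach-Object { $_.ToString().Trim() } |
        Where-Object { $_ -match '/' -and $_ -notmatch '^Registered' }
}

function Test-RequiredSpn {
    param(
        [Parameter(Mandatory)][string]$Account,    # computer or service account
        [Parameter(Mandatory)][string[]]$Required  # SPNs that must be present
    )
    $present = @(Get-RegisteredSpn -Account $Account)
    foreach ($spn in $Required) {
        # -contains compares strings case-insensitively, as SPN lookup does
        if ($present -contains $spn) {
            Write-Output "OK       $spn"
        } else {
            # setspn -A registers a missing SPN against the account
            Write-Output "MISSING  $spn  (register with: setspn -A $spn $Account)"
        }
    }
}

# Web server: both host/<NetBIOS name> and host/<DNS name> must exist.
Test-RequiredSpn -Account 'WEBSRV01' -Required @(
    'host/WEBSRV01',
    'host/websrv01.corp.example.com'
)

# SQL Server named instance on a fixed port: mssqlsvc/<DNS name>:<port> must exist.
Test-RequiredSpn -Account 'SQLSRV01' -Required @(
    'MSSQLSvc/sqlsrv01.corp.example.com:1433'
)
```

Run it from a domain-joined machine as a user allowed to read the computer objects; a MISSING line for the SQL SPN after a service restart usually means the service account lacks the right to write its own servicePrincipalName attribute.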

Business Desk Client

  • The computer on which the Business Desk client is installed must be in the same domain (forest) as the Data tier computers, or in a trusted domain.
  • Use Internet Explorer 5.5 or later. If you install Internet Explorer 6.0, by default, "Use Windows Integrated Authentication" is disabled. You must enable it.

Copyright © 2005 Microsoft Corporation.
All rights reserved.