Windows OS Hub
  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange

 Windows OS Hub / Windows Server 2012 R2 / Configuring Kerberos Authentication on IIS Website

September 20, 2016 Windows Server 2012 R2

Configuring Kerberos Authentication on IIS Website

Here is a step-by-step guide on how to configure the transparent SSO (Single Sign-On) Kerberos domain user authentication on the IIS website running Windows Server 2012 R2.

Start IIS Manager on your Web server, select the necessary website and go to the Authentication section. As you can see, only Anonymous Authentication is enabled by default. Disable it and enable Windows Authentication (First of all IIS always tries to perform anonymous authentication).

IIS - Windows Authentication

Open the list of providers, available for Windows authentication (Providers). By default, two providers are available: Negotiate and NTLM. Negotiate is a container that uses Kerberos as the first authentication method, and if the authentication fails, NTLM is used. It is required that Negotiate comes first in the list of providers.

IIS Negotiate (Kerberos) providers

The next step includes the registration of Service Principal Name (SPN) entries for the name of the website, which will be accessed by the users. If the IIS website has to be available only by the name of the server, on which it is located (http://server-name or http://server-name.adatum.loc), you don’t need to create additional SPN entries (SPN entries already exist in the server account in AD). If the website address differs from the host name or if you are building a webfarm with load balancing, you will have to connect additional SPN entries to a server or user account.

Suppose, we have a farm of IIS servers. In this case, it’s better to create a separate AD account and bind SPN entries to it. The target Application Pool of our website will be started from this account.

Create a domain account iis_service. Make sure that SPN entries are not assigned for this object (servicePrincipalName attribute is empty).

servicePrincipalName attribute

Suppose, that the website has to respond at http://webportal and http://webportal.adatum.loc. We have to specify these addresses in the SPN attribute of the service account.

Setspn /s HTTP/webportal adatum\iis_service
Setspn /s HTTP/webportal.adatum.loc adatum\iis_service

Setspn

Thus, we allow this account to decrypt Kerberos tickets, when users access these addresses, and authenticate sessions.

You can check SPN settings of the account like this:

setspn /l iis_service

check spn records

Tip. Kerberos won’t work correctly if the same SPNs are used by different domain entries. Using the following command, make sure that there are no duplicate SPNs in the domain: setspn –x

The next step is the configuration of IIS Application Pool to launch it from the account created earlier.

Select the Application Pool of your website (in our example, it is DefaultAppPool).

DefaultAppPool

Open the Advanced Settings and go to the Identity.

Application Pool Identity

Change it from ApplicationPoolIdentity to adatum\iis_service.

change applicationpool identity

Then go to your website in IIS Manager and select Configuration Editor.

In the dropdown menu select system.webServer > security > authentication > windowsAuthentication

useAppPoolCredentials

Change useAppPoolCredentials to True.

Thus we allow IIS to use the domain account to decrypt Kerberos tickets from the clients.

Reset IIS using this command:

iisreset

iisreset

The same has to be configured on all web farm servers.

Let’s test Kerberos authentication. To do it, open http://webportal.adatum.loc in the client’s browser.

Note. In my case, I couldn’t authenticate at once in IE11. I had to add the address to the list of trusted websites and specify Automatic logon with current user name and password in User Authentication -> Logon in Trusted Zones Sites settings.ie11 Automatic logon with current user name and password

You can make sure that Kerberos authentication is used on your website by means of monitoring HTTP traffic using Fiddler (we mentioned this tool earlier).

Start Fiddler and open the target website in the browser. In the left part of the window, find the line of website access. Go to the Inspectors tab in the right part of the window. The line “Authorization Header (Negotiate) appears to contain a Kerberos ticket” shows that Kerberos has been used to authenticate on the IIS website.

Fiddler  - Authorization Header (Negotiate) appears to contain a Kerberos ticket

 

3 comments
0
Facebook Twitter Google + Pinterest
previous post
Remote Computer Management Using LiteManager
next post
Fix Disk Is Write Protected Error in Windows 10

Related Reading

Remote Session Disconnected: No Remote Desktop License Servers/Client...

March 12, 2021

Using TSADMIN.msc and TSCONFIG.msc Snap-Ins on Windows Server...

February 2, 2021

Updating the PowerShell Version on Windows

December 24, 2020

Zerologon (CVE-2020-1472): Critical Active Directory Vulnerability

December 4, 2020

How to Run CMD/Program under SYSTEM (LocalSystem) in...

December 3, 2020

3 comments

David Chivers October 16, 2017 - 11:14 pm

Thanks for sharing this, it saved me a bunch of time.

Just one comment on IE zones. I add sites that use my Windows credentials to the Local Intranet zone only, where the automatic logon setting is already applied by default. Sites in the Trusted zone are only trusted for their content – I don’t trust them with my Windows credentials.

Reply
RICHARD HARRIS June 22, 2019 - 2:23 pm

Great article. I don’t know if this will fix my problem. I am trying to use ‘Impersonation’ to authenticate the AD logon user to the SQL Server instance used in my web app. So I put some information on the home screen detailing the System.Security.Principal Identity.Name information and the AuthenticationType and the authentication name comes back as NTLM. I have specified ‘Windows Integrated’ security on the site with impersonation turned on and anonymous access turned off.

Reply
shine August 15, 2019 - 6:31 am

how i can set kerberos authentication if multiple service accounts are used on iis server websites?

Reply

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange
  • Windows 10
  • Windows 8
  • Windows 7
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2008 R2
  • PowerShell
  • VMWare
  • MS Office

Recent Posts

  • How to Run Windows File Explorer Elevated (as Administrator)?

    April 16, 2021
  • Using Malicious Software Removal Tool (MRT.exe) on Windows

    April 15, 2021
  • How to Clean Up Large System Volume Information Folder on Windows?

    April 15, 2021
  • Read and Write Data to Excel File with PowerShell

    April 14, 2021
  • How to Disable NetBIOS and LLMNR Protocols in Windows Using GPO?

    April 9, 2021
  • Enable Windows Lock Screen after Inactivity via GPO

    April 8, 2021
  • How to Create and Manage Scheduled Tasks with PowerShell?

    April 7, 2021
  • Updating Windows VM Templates on VMWare with PowerShell

    April 5, 2021
  • Running Multiple IIS Websites on the Same Port or IP Address

    April 1, 2021
  • Can’t Copy and Paste via Remote Desktop (RDP) Clipboard

    March 31, 2021

Follow us

woshub.com
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Granting Remote Access on SCManager to Non-admin Users
  • Schedule Task to Start When Another Task Finishes
  • Fix: Server Stuck on “Preparing to Configure Windows”
  • Printer Pooling: How to Configure a Printer Pool in Windows Server 2012 R2
  • How to Install TFTP Server on Windows Server 2012 R2
  • How to Obtain SeDebugPrivilege when Debug Program Policy is Enabled
  • Windows 10: WSUS Error 0x8024401c
Footer Logo

@2014 - 2018 - Windows OS Hub. All about operating systems for sysadmins


Back To Top