
September 20, 2016 Windows Server 2012 R2

Configuring Kerberos Authentication on IIS Website

Here is a step-by-step guide on how to configure transparent SSO (Single Sign-On) Kerberos authentication of domain users on an IIS website running on Windows Server 2012 R2.

Start IIS Manager on your web server, select the necessary website and go to the Authentication section. As you can see, only Anonymous Authentication is enabled by default. Disable it and enable Windows Authentication (IIS always tries anonymous authentication first, so it must be turned off for Kerberos to be used).

[Screenshot: IIS - Windows Authentication]

Open the list of providers available for Windows authentication (Providers). By default, two providers are available: Negotiate and NTLM. Negotiate is a container that uses Kerberos as the first authentication method and falls back to NTLM if Kerberos authentication fails. Negotiate must come first in the list of providers.

[Screenshot: IIS Negotiate (Kerberos) providers]

The next step is the registration of Service Principal Name (SPN) entries for the name of the website that the users will access. If the IIS website only has to be available by the name of the server on which it is located (http://server-name or http://server-name.adatum.loc), you don’t need to create additional SPN entries (the required SPNs already exist on the server’s computer account in AD). If the website address differs from the host name, or if you are building a web farm with load balancing, you will have to bind additional SPN entries to a server or user account.

Suppose, we have a farm of IIS servers. In this case, it’s better to create a separate AD account and bind SPN entries to it. The target Application Pool of our website will be started from this account.

Create a domain account iis_service. Make sure that SPN entries are not assigned for this object (servicePrincipalName attribute is empty).

[Screenshot: servicePrincipalName attribute]

Suppose, that the website has to respond at http://webportal and http://webportal.adatum.loc. We have to specify these addresses in the SPN attribute of the service account.

Setspn /s HTTP/webportal adatum\iis_service
Setspn /s HTTP/webportal.adatum.loc adatum\iis_service


Thus, when users access these addresses, this account is the one able to decrypt the Kerberos service tickets and authenticate the sessions.

You can check SPN settings of the account like this:

setspn /l iis_service

[Screenshot: check SPN records]

Tip. Kerberos won’t work correctly if the same SPN is registered on different domain objects. Using the following command, make sure that there are no duplicate SPNs in the domain: setspn -x
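The SPN checks above can be scripted so that they are repeatable on every farm member. The following PowerShell function is an added example (not from the original article): it looks up every AD object carrying each HTTP SPN and reports the three conditions that break Kerberos, an unregistered SPN, an SPN owned by the wrong account, and a duplicated SPN (the case the tip about setspn -x warns about). It assumes the RSAT ActiveDirectory module is installed and uses the article’s names (webportal, webportal.adatum.loc, iis_service).

```powershell
# Added example, not part of the original article. Assumes the RSAT
# ActiveDirectory module and the host/account names used in the article.
Import-Module ActiveDirectory

function Test-WebSiteSpn {
    param(
        [Parameter(Mandatory)] [string[]] $HostNames,      # e.g. 'webportal', 'webportal.adatum.loc'
        [Parameter(Mandatory)] [string]   $ServiceAccount  # sAMAccountName, e.g. 'iis_service'
    )
    $ok = $true
    foreach ($h in $HostNames) {
        $spn = "HTTP/$h"
        # @( ) turns "no result" into an empty array, so .Count is 0 and not 1.
        # Every object (user or computer) that carries this SPN is returned.
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
        switch ($owners.Count) {
            0 {
                Write-Warning "$spn is not registered on any account"
                $ok = $false
            }
            1 {
                if ($owners[0].sAMAccountName -ieq $ServiceAccount) {
                    Write-Host "OK  $spn -> $($owners[0].sAMAccountName)"
                } else {
                    Write-Warning "$spn belongs to '$($owners[0].sAMAccountName)', not '$ServiceAccount'"
                    $ok = $false
                }
            }
            default {
                # Duplicate SPN: the KDC cannot pick a single key, clients fall back to NTLM or fail.
                Write-Warning "$spn is DUPLICATED on: $($owners.sAMAccountName -join ', ')"
                $ok = $false
            }
        }
    }
    return $ok
}

# Register the SPNs only when the check fails. setspn /s refuses to add a duplicate,
# so it is safe to run even if another object already holds the name.
if (-not (Test-WebSiteSpn -HostNames 'webportal', 'webportal.adatum.loc' -ServiceAccount 'iis_service')) {
    setspn /s HTTP/webportal adatum\iis_service
    setspn /s HTTP/webportal.adatum.loc adatum\iis_service
    setspn /l adatum\iis_service
}
```

Run it from a domain-joined management host as a user allowed to read servicePrincipalName (any domain user by default) and, for the registration branch, as a user allowed to write it on iis_service (Domain Admins, or a delegated right).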

The next step is the configuration of IIS Application Pool to launch it from the account created earlier.

Select the Application Pool of your website (in our example, it is DefaultAppPool).

[Screenshot: DefaultAppPool]

Open the Advanced Settings and go to the Identity.

[Screenshot: Application Pool Identity]

Change it from ApplicationPoolIdentity to adatum\iis_service.

[Screenshot: change application pool identity]

Then go to your website in IIS Manager and select Configuration Editor.

In the dropdown menu select system.webServer > security > authentication > windowsAuthentication


Change useAppPoolCredentials to True.

Thus we allow IIS to use the application pool’s domain account (the one that owns the SPNs) to decrypt the Kerberos tickets presented by clients.

Reset IIS using this command:

iisreset


The same has to be configured on all web farm servers.
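Since every farm member needs the identical configuration, the IIS Manager steps above (authentication modes, provider order, application pool identity, useAppPoolCredentials, iisreset) are easier to apply with the WebAdministration module. The script below is an added example, not code from the article: it assumes the site is named 'Default Web Site', the pool is DefaultAppPool and the account is adatum\iis_service, and it prompts for the account password rather than storing it in the script.

```powershell
# Added example, not part of the original article. Assumes IIS with the
# WebAdministration PowerShell module, site 'Default Web Site', pool
# 'DefaultAppPool' and the service account adatum\iis_service.
Import-Module WebAdministration

function Set-IisKerberosAuth {
    param(
        [string] $SiteName = 'Default Web Site',
        [string] $AppPool  = 'DefaultAppPool',
        [Parameter(Mandatory)] [pscredential] $Credential   # adatum\iis_service, prompted for
    )
    $auth   = 'system.webServer/security/authentication'
    $win    = "$auth/windowsAuthentication"
    $common = @{ PSPath = 'IIS:\'; Location = $SiteName }

    # 1. Disable Anonymous and enable Windows authentication on the site.
    Set-WebConfigurationProperty @common -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
    Set-WebConfigurationProperty @common -Filter $win -Name enabled -Value $true

    # 2. Provider order: rebuild the collection so Negotiate precedes NTLM.
    foreach ($p in 'Negotiate', 'NTLM') {
        Remove-WebConfigurationProperty @common -Filter "$win/providers" -Name '.' `
            -AtElement @{ value = $p } -ErrorAction SilentlyContinue
    }
    foreach ($p in 'Negotiate', 'NTLM') {
        Add-WebConfigurationProperty @common -Filter "$win/providers" -Name '.' -Value @{ value = $p }
    }

    # 3. Run the application pool as the domain account that owns the HTTP SPNs.
    #    identityType 3 = SpecificUser. The password is only held in memory here.
    $plain = $Credential.GetNetworkCredential().Password
    Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel -Value @{
        identityType = 3
        userName     = $Credential.UserName
        password     = $plain
    }

    # 4. useAppPoolCredentials = True: decrypt service tickets with the pool account's key
    #    instead of the machine account's key.
    Set-WebConfigurationProperty @common -Filter $win -Name useAppPoolCredentials -Value $true

    iisreset | Out-Null

    # Return the resulting state so it can be compared across farm members.
    [pscustomobject]@{
        Site                  = $SiteName
        Providers             = (Get-WebConfiguration @common -Filter "$win/providers/add").value
        PoolIdentity          = (Get-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel).userName
        UseAppPoolCredentials = (Get-WebConfigurationProperty @common -Filter $win -Name useAppPoolCredentials).Value
    }
}

$cred = Get-Credential -UserName 'adatum\iis_service' -Message 'Application pool account password'
Set-IisKerberosAuth -Credential $cred
```

Run it in an elevated PowerShell session on each web server; the object it returns should show Providers in the order Negotiate, NTLM, the pool identity adatum\iis_service and UseAppPoolCredentials True, identical on every farm member.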

Let’s test Kerberos authentication. To do it, open http://webportal.adatum.loc in the client’s browser.

Note. In my case, I couldn’t authenticate at once in IE11. I had to add the address to the list of trusted websites and specify Automatic logon with current user name and password in User Authentication -> Logon in Trusted Zones Sites settings.

[Screenshot: IE11 Automatic logon with current user name and password]

You can make sure that Kerberos authentication is used on your website by means of monitoring HTTP traffic using Fiddler (we mentioned this tool earlier).

Start Fiddler and open the target website in the browser. In the left part of the window, find the line of website access. Go to the Inspectors tab in the right part of the window. The line “Authorization Header (Negotiate) appears to contain a Kerberos ticket” shows that Kerberos has been used to authenticate on the IIS website.

[Screenshot: Fiddler - Authorization Header (Negotiate) appears to contain a Kerberos ticket]
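Fiddler’s “appears to contain a Kerberos ticket” verdict comes from looking at the first bytes of the decoded Negotiate token: a SPNEGO/Kerberos blob begins with the GSS-API tag byte 0x60 (base64 text starting with YII), while an NTLM fallback begins with the literal string NTLMSSP (base64 starting with TlRM). The following added example (not from the article) makes the same check scriptable from a client and adds a second, independent signal, the presence of a service ticket for the site’s SPN in the client ticket cache after a request. It assumes a domain-joined client, the URL http://webportal.adatum.loc and the SPN HTTP/webportal.adatum.loc; the header value at the end is constructed for illustration.

```powershell
# Added example, not part of the original article. Assumes a domain-joined
# client and the article's site name / SPN.

function Test-NegotiateHeader {
    # $Header is the 'Authorization: Negotiate <base64>' value as copied from Fiddler.
    param([Parameter(Mandatory)] [string] $Header)
    $token = ($Header -replace '^\s*(Authorization:\s*)?Negotiate\s+', '').Trim()
    $bytes = [Convert]::FromBase64String($token)
    if ($bytes.Length -ge 7 -and [Text.Encoding]::ASCII.GetString($bytes, 0, 7) -eq 'NTLMSSP') {
        # NTLM fallback: typical causes are a missing/duplicated SPN, the pool not
        # running as the SPN owner, useAppPoolCredentials left False, or the IE zone.
        return 'NTLM'
    }
    if ($bytes[0] -eq 0x60) {
        # 0x60 = GSS-API InitialContextToken (SPNEGO wrapping a Kerberos AP-REQ).
        return 'Kerberos'
    }
    return 'Unknown'
}

function Test-KerberosToSite {
    param(
        [string] $Url = 'http://webportal.adatum.loc',
        [string] $Spn = 'HTTP/webportal.adatum.loc'
    )
    # One request with the logged-on user's credentials, as the browser does for
    # a site in the Local Intranet zone.
    $null = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing
    # A Kerberos logon leaves a service ticket for the SPN in the cache;
    # an NTLM fallback leaves none. klist prints one "Server: <SPN> @ REALM" line per ticket.
    $tickets   = klist
    $hasTicket = [bool]($tickets | Select-String -SimpleMatch "Server: $Spn")
    [pscustomobject]@{ Url = $Url; Spn = $Spn; KerberosTicketPresent = $hasTicket }
}

Test-KerberosToSite
# Constructed sample: an NTLM type-1 message (starts with "NTLMSSP"), so this returns 'NTLM'.
Test-NegotiateHeader -Header 'Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=='
```

If KerberosTicketPresent is False, run klist purge, repeat the request, and recheck; a persistent False together with a Negotiate header that decodes to NTLM points back at the SPN, application pool identity or useAppPoolCredentials steps rather than at the browser.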

3 comments

David Chivers October 16, 2017 - 11:14 pm

Thanks for sharing this, it saved me a bunch of time.

Just one comment on IE zones. I add sites that use my Windows credentials to the Local Intranet zone only, where the automatic logon setting is already applied by default. Sites in the Trusted zone are only trusted for their content – I don’t trust them with my Windows credentials.

RICHARD HARRIS June 22, 2019 - 2:23 pm

Great article. I don’t know if this will fix my problem. I am trying to use ‘Impersonation’ to authenticate the AD logon user to the SQL Server instance used in my web app. So I put some information on the home screen detailing the System.Security.Principal Identity.Name information and the AuthenticationType and the authentication name comes back as NTLM. I have specified ‘Windows Integrated’ security on the site with impersonation turned on and anonymous access turned off.

shine August 15, 2019 - 6:31 am

How can I set up Kerberos authentication if multiple service accounts are used for websites on the IIS server?
