First published on TechNet on Nov 25, 2008
Hi, Rob here. First I want to thank you guys for reading and participating in our blogging efforts. I had one of you e-mail us and ask about the web site I used in the Kerberos Authentication Troubleshooting blogs and if they could get a copy of it.
The web site was created by our IIS support counterparts and it turns out it was released to the web as DelegConfig. Brian Murphy-Booth has a blog about the web site here. We at AskDS do not support the DelegConfig web site, so if you have questions or comments about it leave your feedback at that blog location.
With this web site you can test Kerberos double hop configurations and the newer delegation types, constrained delegation and constrained delegation with protocol transition, from IIS to the following services: SQL, File Server, OLAP Server, or another web server. This documentation exists to help customers who are configuring Kerberos delegation become familiar with all the tasks involved in setting up the environment correctly.
Pre-Flight Check-List
- Active Directory Domain Functional Level must be Windows Server 2003 if you want to test constrained delegation.
- Name resolution (WINS or DNS) is properly working in the environment.
- All computers' clocks are within five minutes of each other.
- All service accounts and server computer accounts (IIS and backend) must exist in the same domain if you are going to configure constrained delegation. Note that the user accessing the resource can be in any domain from which Kerberos authentication works to the domain where the IIS and backend servers exist.
- If you are going to test cross-forest Kerberos authentication or delegation then a working two-way forest trust must exist.
- The test user account that is going to be delegated must not have the account option "Account is sensitive and cannot be delegated" configured. You will find this in Active Directory Users and Computers on the user's Account tab under the Account options heading.
- The default web site in IIS allows Kerberos authentication to be used. If you are not sure, review KB 215383.
- You are using IIS 6 with the ASP.NET component installed.
- You have installed the backend application or service that you want to test.
NOTE: Review "Setup and Known issues.txt" from the DelegConfig.zip file for the proper ASP.NET version to be installed on the IIS Server.
Configuring the Web site and Web Application Pool Account
- Extract the zip file to a directory on a server running IIS 6. You can specify any location you wish. According to the DelegConfig blog it can be used with IIS 7; however, we are only going to show how to configure it with IIS 6.
- When you extract the web site, you need to preserve the folder structure.
- The server running IIS and the back-end service should be installed on separate boxes.
- You need to have the ASP.NET component checked in Application Server when you install IIS.
- Open Active Directory Users and Computers to create the application pool account.
- We need to create a domain account that will be used for the application pool in IIS. You can name the account anything you wish; for this document we will use the account IISKerbSvc.
- You will need to configure a password for the service account. Also, you should configure the account's password to never expire. This is configured under the Account tab.
- Open IIS Manager to add a virtual directory.
- With the Default Web Site highlighted, right-click and select New, then select Virtual Directory.
- The Virtual Directory Creation Wizard will start; click Next and specify an Alias. For this demo I used KerbDeleg. Then click Next.
- Navigate to the folder where you extracted the files from DelegConfig.zip, then click Next.
- Choose the defaults and click Next, then click Finish.
- Now that you have a Virtual Directory named KerbDeleg, you need to create an application pool for the web site to use.
Figure 1 - Creating a new application pool for the web application
- Right-click Application Pools and select New, then select Application Pool.
- The Application Pool ID can be anything and does not have to match the virtual directory name. For this demo I used KerbDeleg. Just name it something unique.
- Once you have the virtual directory and the application pool created, you need to make modifications to the virtual directory that we created in Step 3.
- Right-click the virtual directory you created in Step 4 (KerbDeleg).
- Select Properties.
- On the Virtual Directory tab click Create.
Figure 2 - KerbDeleg Virtual directory properties tab
- Change the Application Pool used via the drop-down menu to the one created in Step 4 (KerbDeleg). Note that by default it will be DefaultAppPool.
- Make sure Execute permissions is set to Scripts only.
- Click the Documents tab, and select Add.
Figure 3 - KerbDeleg - Documents properties tab
- Type Default.aspx in the dialog box and click OK.
- Select the Directory Security tab.
Figure 4 - Changing the authentication methods
- Under Authentication and access control click the Edit button.
- Uncheck Enable anonymous access, and check Integrated Windows authentication.
- Click OK twice.
- Now we need to change the Identity used by the application pool that we created in Step 4 (KerbDeleg).
- Right-click the application pool you created (in this documentation it is KerbDeleg) and select Properties.
Figure5 - Changing the application pool identity to a service account
- Select the Identity tab.
- Select Configurable and find the account we created in Step 3 (IISKerbSvc).
- Once you have selected the user account and typed in the password for the account, click OK.
- Now we need to add the user account from Step 2 (IISKerbSvc) to the computer local group IIS_WPG.
- If the server running IIS is a member server, use Compmgmt.msc (Computer Management).
- If the server running IIS is a domain controller, use Dsa.msc (Active Directory Users and Computers); this group is located in the Users container.
Figure 6 - Adding application pool account to the IIS_WPG group
Note: This step is done to allow IISKerbSvc (the application pool identity) to impersonate the user on the web server. If you look at the computer's user rights assignments you will see Impersonate a client after authentication, and the IIS_WPG group is added there by default.
- We now need to configure the user account for delegation within the domain. So we need the Setspn tool from the Windows Support Tools, and access to Active Directory Users and Computers.
- At a command prompt type the following to find out what Service Principal Names (SPNs) are already associated with your IIS application pool service account:
    setspn -L <Domain Name>\<Account from Step 2>
- What we want to see is similar to the following:
    http/<IIS Web site Address>
    http/<IIS Web site Address FQDN>
Example:
    http/webserver01
    http/webserver01.contoso.com
Or
    http/www
    http/www.contoso.com
Note: There is no colon (":") anywhere in here when we use HTTP. This is a common mistake that can happen when creating SPNs for web sites.
- If you do not see any of the above listed for the application pool service account then we need to add them one at a time via the following commands:
    setspn -A http/<Web site Address> <Domain Name>\<Account from Step 2>
    setspn -A http/<Web site Address FQDN> <Domain Name>\<Account from Step 2>
Example:
    setspn -A http/webserver01 Contoso\IISKerbSvc
    setspn -A http/webserver01.contoso.com Contoso\IISKerbSvc
Or
    setspn -A http/www Contoso\IISKerbSvc
    setspn -A http/www.contoso.com Contoso\IISKerbSvc
For more information on this topic as it relates to IIS you can review the following web site:
Configuring Constrained Delegation for Kerberos (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/df979570-81f6-4586-8...
Configuring the SQL Backend
So that this blog is not too long (yeah, I know I am not known for short blogs) we are only going to show you how to configure the SQL server as the backend and how to test it, since this is the most common situation where Kerberos delegation is configured. Keep in mind that for learning how Kerberos multi-hop works you do not need to install the full version of SQL. You can use SQL Express, and it can be installed on any operating system.
Registering a Service Principal Name
http://technet.microsoft.com/en-us/library/ms191153.aspx
Kerberos Authentication and SQL Server
http://technet.microsoft.com/en-us/library/cc280744.aspx
The SQL Server Service can run under basically two types of accounts.
- The Local System account, also known as the SYSTEM account.
- A domain user account, configured as a service account, that the customer creates.
The web site can verify either of these configurations, but different steps need to be followed depending on which configuration the SQL Server Service is running under. Of course, with all these configurations it is very important that we have the correct SPNs registered to the correct computer or user account.
User Account (Service Account) SPN Configuration
- If the SQL Server Service is running as a user account, then we need to make sure that the MSSQLSvc SPN for the computer is not registered to the computer account. You can run the following command to determine this:
    setspn -L <SQL Server Computer Name>
- If this does come back with a MSSQLSvc SPN registered then you will need to delete that SPN from the computer account by typing the following commands:
    setspn -D MSSQLSvc/<Computer Name>:<Port> <Computer Name>
    setspn -D MSSQLSvc/<Computer FQDN>:<Port> <Computer Name>
Here is an example:
    setspn -D MSSQLSvc/SQLSrv1:1433 SQLSrv1
    setspn -D MSSQLSvc/SQLSrv1.contoso.com:1433 SQLSrv1
Then you will want to verify that the SPNs are no longer registered by running the setspn -L command again.
- Once that has been verified, we will need to register the MSSQLSvc SPN to the SQL Server service account being used to run SQL Server by typing the following:
    setspn -A MSSQLSvc/<SQL Server Name>:<Port> <Domain Name>\<User Account>
    setspn -A MSSQLSvc/<SQL Server Name FQDN>:<Port> <Domain Name>\<User Account>
Here is an example:
    setspn -A MSSQLSvc/SQLSrv1:1433 CONTOSO\MSSQLSvc
    setspn -A MSSQLSvc/SQLSrv1.contoso.com:1433 CONTOSO\MSSQLSvc
Local System SPN Configuration
- If the SQL Server service is running as Local System (which is not common today), then we need to make sure that the MSSQLSvc SPN for the computer is registered to the computer account. You can run the following command to determine this:
    setspn -L <SQL Server Name>
- If this does NOT come back with a MSSQLSvc SPN registered then you will need to add the SPN for the computer by typing the following commands:
    setspn -A MSSQLSvc/<Computer Name>:<Port> <Computer Name>
    setspn -A MSSQLSvc/<Computer FQDN>:<Port> <Computer Name>
Here is an example:
    setspn -A MSSQLSvc/SQLSrv1:1433 SQLSrv1
    setspn -A MSSQLSvc/SQLSrv1.contoso.com:1433 SQLSrv1
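The two SPN rules from the IIS section and the SQL sections above (an HTTP SPN carries no colon, and an MSSQLSvc SPN must be registered to exactly one account, the computer or the service account, never both) can be checked against captured setspn -L output before you start troubleshooting tickets. The following Python script is an added example, not part of the original post or of DelegConfig; the captured output and account names are constructed, and the header-plus-indented-lines layout it parses is assumed to match what setspn -L prints.

```python
# Constructed sample of "setspn -L" output for three accounts (not real captures):
# the IIS application pool account, the SQL service account and the SQL computer
# account. The layout (one header line, then one indented SPN per line) is assumed.
SETSPN_OUTPUT = {
    "CONTOSO\\IISKerbSvc": """Registered ServicePrincipalNames for CN=IISKerbSvc,CN=Users,DC=contoso,DC=com:
    http/webserver01
    http/webserver01.contoso.com:80
""",
    "CONTOSO\\MSSQLSvc": """Registered ServicePrincipalNames for CN=MSSQLSvc,CN=Users,DC=contoso,DC=com:
    MSSQLSvc/SQLSrv1:1433
    MSSQLSvc/SQLSrv1.contoso.com:1433
""",
    "SQLSrv1": """Registered ServicePrincipalNames for CN=SQLSRV1,CN=Computers,DC=contoso,DC=com:
    HOST/SQLSRV1
    HOST/SQLSrv1.contoso.com
    MSSQLSvc/SQLSrv1.contoso.com:1433
""",
}


def parse_setspn(text):
    """Return the SPNs listed by setspn -L: every non-empty line after the header."""
    return [line.strip() for line in text.splitlines()[1:] if line.strip()]


def check_spns(outputs):
    """Apply the post's two rules to {account: setspn -L text} and return findings."""
    findings = []
    owners = {}  # SPN (lower-cased, since AD matches SPNs case-insensitively) -> accounts
    for account, text in outputs.items():
        for spn in parse_setspn(text):
            owners.setdefault(spn.lower(), []).append(account)
            service = spn.split("/", 1)[0].lower()
            # Rule 1: HTTP SPNs for the web site carry no port; a colon is the common mistake.
            if service == "http" and ":" in spn:
                findings.append(f"{account}: HTTP SPN '{spn}' contains a colon")
    # Rule 2: the same SPN on two accounts (e.g. MSSQLSvc on both the computer account
    # and the service account) is a duplicate, and Kerberos to that service will fail.
    for spn, accounts in owners.items():
        if len(accounts) > 1:
            findings.append(f"duplicate SPN '{spn}' on {', '.join(sorted(accounts))}")
    return findings


if __name__ == "__main__":
    for finding in check_spns(SETSPN_OUTPUT):
        print("PROBLEM:", finding)
```

On the constructed sample it reports the colon in the IIS account's FQDN SPN and the MSSQLSvc SPN that is registered to both SQLSrv1 and CONTOSO\MSSQLSvc, which is exactly the state the setspn -D step above is meant to clean up.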
Finishing the Configuration for Delegation to Work
- Open Active Directory Users and Computers.
- Find the user account that the IIS Web site is using for the web application pool and double-click it.
- If the domain is in Windows 2000 native mode, click on the Account tab and check the box "Account is trusted for delegation".
Figure 7 - Windows 2000 domain functional level delegation setup
- If you are in Windows Server 2003 domain functional mode, click on the Delegation tab.
NOTE: This tab does not exist if you are not at Windows Server 2003 domain functional level or the user account does not already have an SPN defined on it.
Figure 8 - Windows Server 2003 domain functional level delegation setup
- To enable open delegation select: "Trust this user for delegation to any service (Kerberos only)".
- To enable constrained delegation select: "Trust this user for delegation to specified services only".
- Click the Add button, and then click on the Users or Computers button.
- If the SQL Service was configured to start as Local System then type in the SQL Server's computer name, and click Check Names. Click OK.
- If the SQL Service was configured to start as a domain user account then type in the user account name, and then click Check Names. Click OK.
For this discussion, remote computer name refers to the backend server that the IIS web site needs to hand the user's Kerberos ticket to.
- You will see all available SPNs on the remote system. Select the SPN associated with MSSQLSvc, then click OK.
- Click OK on the user properties dialog box.
- Restart the IIS service.
How to Test the Web Site
- Open Internet Explorer and type in the address http://<web site name>/kerbdeleg
Example:
    http://webserver01/kerbdeleg
    http://webserver01.contoso.com/kerbdeleg
- Then click on the Add Backend button. You will get the web page to configure the backend you want to talk to.
- Remote address - this should be the SQL Server with which you want to test Kerberos delegation. Example: MEMBER1 or MEMBER1.contoso.com
- Service type - this needs to be set to SQL Server.
- Listening port - for SQL Server access this port needs to match where SQL Server is listening. By default this is port 1433.
- Service account - if the SQL Server service was configured as Local System then this needs to be set to Preferred and Local System. If the SQL Server service was configured for a domain account then this needs to be set to Configured, and type in <domain>\<SQL service account>.
- Click Submit.
Configuring for Protocol Transition
- You will first need to make sure that constrained delegation is configured and working in your lab environment. Once this has been accomplished you can continue.
- Bring up Active Directory Users and Computers.
- Find the user account that is being used for the IIS application pool and edit the user.
- Click on the Delegation tab, which you can review in Figure 8.
- Select "Use any authentication protocol".
- Click OK.
- Restart the IIS service.
Common Problems When Configuring the Site
- Prompted for user credentials over and over again – check to make sure that the application pool is correctly configured on the virtual directory. Review Step 5 from above.
- Directory Listing Denied error – check to make sure Execute permissions is set to Scripts only under the Virtual Directory tab. Review Step 5 from above.
- 403 error – check to make sure default.aspx has been added as a default content page. Review Step 5 from above.
- 404 error – check to make sure that you have installed support for ASP.NET. Look in Add/Remove Windows Components under Application Server and verify that ASP.NET is checked.
- Next, in IIS Manager select Web Service Extensions and make sure that ASP.NET is allowed.
- Right-click the Virtual Directory and select Properties.
- Click on the ASP.NET tab, and select an ASP.NET version that is installed.
I hope that you have been able to learn some new things. All the steps outlined here need to be done when configuring Kerberos delegation and this site will definitely help engineers to understand how Kerberos delegation works.
Have fun learning and testing all the different configurations that are possible with this application!
- Rob Greene