SSO in IIS using Kerberos

Hello,

I am a member of a 5000-plus-personnel government office.

We must share web-based data from our subdomain, labs.organization.gov, with everyone at organization.gov. To do this we are told to use Kerberos under Windows Authentication.

Our labs web server has an app pool named SITEAppPool and its app-pool identity is labs\SITEAppPoolUser.

According to this article online:

https://techcommunity.microsoft.com/t5/iis-support-blog/setting-up-kerberos-authentication-for-a-web...

I set the SPNs on the machine account for both HOST and HTTP.

I opened IIS Manager and set the server_name node's authentication (just under the Start Page node) to Windows Authentication, and the Windows Authentication providers to Negotiate, followed by NTLM.

I also opened Configuration Editor for the server_name node and set the security/authentication/windowsAuthentication settings like so:

                    useAppPoolCredentials: true

                    useKernelMode: False

I applied the same settings to Default Web Site and to the CompanyWideAccess web application.

After resetting my IIS, neither I nor any person at the organization can reach the CompanyWideAccess website without getting a login prompt and a 401 when clicking Cancel on the prompt.

                    useAppPoolCredentials: false

                    useKernelMode: true

I and other members of our subdomain can connect, but those from the top-level domain and other subdomains still get the pesky login prompt.

I have not only read the above article but also a couple of others, each with a slightly different take.

How may I get this SSO to work for all 5000-plus members of our organization without using Anonymous (a big no-no)?

I feel like I am running in circles and nothing fully works.

0 Replies
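The following PowerShell script is an added example (not part of the post above and not Microsoft's own code). It checks the two things the two windowsAuthentication settings depend on: which account the app pool actually runs as, and whether the HTTP SPN for the site host is registered on that account, since with useAppPoolCredentials=true IIS decrypts the Kerberos service ticket with the app pool account's key rather than the machine account's. It assumes the WebAdministration module, setspn.exe on the path, and the names from the post (labs.organization.gov, SITEAppPool, Default Web Site).

```powershell
# Added example: verify that the Kerberos SPN and the IIS Windows Authentication
# settings agree on which account decrypts the service ticket.
Import-Module WebAdministration

$SiteHost   = 'labs.organization.gov'            # assumed: host name users browse to
$AppPool    = 'SITEAppPool'                      # from the post
$SitePath   = 'IIS:\Sites\Default Web Site'      # assumed: where CompanyWideAccess is hosted
$AuthFilter = 'system.webServer/security/authentication/windowsAuthentication'

# 1. Which account will hold the key that decrypts HTTP/<host> tickets?
$pm = Get-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel
if ($pm.identityType -eq 'SpecificUser') {
    $svcAccount = $pm.userName                   # e.g. labs\SITEAppPoolUser
} else {
    $svcAccount = "$env:COMPUTERNAME`$"          # built-in identities use the machine account
}
Write-Host "App pool '$AppPool' runs as $svcAccount"

# 2. Find which account owns the SPN. setspn -Q searches the forest and prints the
#    owning object's DN (a line starting with CN=) before "Existing SPN found!".
$spn   = "HTTP/$SiteHost"
$owner = (& setspn -Q $spn) | Where-Object { $_ -match '^CN=' }
if (-not $owner) {
    Write-Warning "$spn is not registered on any account. Register it on the account above:"
    Write-Warning "  setspn -S $spn $svcAccount"
} else {
    Write-Host "$spn is registered on: $owner"
    Write-Host "If that is not $svcAccount, the ticket cannot be decrypted and clients fall back to a prompt."
}

# 3. Provider order: Negotiate must come before NTLM or Kerberos is never attempted.
$providers = (Get-WebConfigurationProperty -PSPath $SitePath -Filter "$AuthFilter/providers" -Name Collection).value
Write-Host "Providers on $SitePath : $($providers -join ', ')"
if ($providers[0] -ne 'Negotiate') { Write-Warning 'Negotiate is not the first provider.' }

# 4. With a domain app-pool identity, IIS must use that identity's key (useAppPoolCredentials)
#    and must not let http.sys decrypt with the machine key (useKernelMode off).
if ($pm.identityType -eq 'SpecificUser') {
    Set-WebConfigurationProperty -PSPath $SitePath -Filter $AuthFilter -Name useAppPoolCredentials -Value $true
    Set-WebConfigurationProperty -PSPath $SitePath -Filter $AuthFilter -Name useKernelMode -Value $false
    Write-Host 'Set useAppPoolCredentials=true, useKernelMode=false (run iisreset afterwards).'
}

# Client-side check from another subdomain (run on the client, not the server):
#   klist get HTTP/labs.organization.gov
# A ticket for that SPN proves the KDC side works; a prompt after that points at IIS or the account key.
```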