I had previously blogged on the working of Kerberos and how to troubleshoot authentication issues with Kerberos when it fails. Then I thought it would be good if I can also document the basic steps we look into when configuring Kerberos for a site. Over here we look into step by step process of the changes we need to make when we want to setup Kerberos for a site.
Please go through the blog on how Kerberos works before going through the setup blog.
The below steps will take you through the setup of Kerberos for a site. Steps 1-8 should be sufficient when you want Kerberos for the site to be configured only for single HOP. The steps followed from Step 9 shows you the configuration when you want to configure double hop i.e delegate the logged in account to a backend server (for eg a sql service).
Configuration for single hop:
1) Click on the website, go to authentication and make sure that windows authentication is enabled.
2) Make sure that when you want to use windows authentication, anonymous authentication is not enabled, which is a common mistake I have observed. Because anonymous authentication takes more precedence than windows authentication. Below is the link which talks about precedence in authentication.
3) Enabling windows authentication doesn’t mean Kerberos protocol will be used. It might also use NTLM which is also a provider in windows authentication. In order to setup Kerberos for the site, make sure “Negotiate” is at the top of the list in providers section that you can see when you select windows authentication. Negotiate is a provider or container which supports Kerberos protocol and it also contains NTLM as a backup when Kerberos fails due to some reason. But one important thing to keep in mind over here is when we want to use Kerberos “Negotiate” should be at the top.
4) So above three steps should be sufficient when you want to browse your site with the machine name as http://machinename or http://FQDN of machine name and you need not create any SPN’s (concept of SPN is explained in my previous blog) as you will have a HOST SPN registered to your machine account by default when you join a machine to a domain. HOST SPN is similar to HTTP SPN’s and should be sufficient when you want to access a site over Kerberos.
For eg: If you have a machine with the name ‘illuminati’ a host SPN for illuminati will be present and it will be registered to your inbuilt machine account. You can confirm this through running the below command.
Setspn –l machineaccount
Setspn –l illuminati : this will query for all the SPN’S registered to the machine account illuminati.
5) If you want to access the site with a custom hostname we need to create appropriate SPN for the hostname and we need to register it either to the machine account or to the domain account.
We usually don’t register the SPN to a machine account and choose domain accounts when we have a web farm scenario (same site hosted in multiple servers behind a load balancer) and the same ticket from AD should be accessible in all the machines in the farm.
6) Let’s consider the below scenario with imaginary hostname, machine name and a domain account.
FQDN Machine name: illuminatiserver.domain.com
Domain account: domain\chiranth
Note: Be careful while choosing a hostname. The hostname shouldn’t have “www.” If we have www in the hostname Kerberos will fail, because when a client tries to access a site with hostname www in it, it will try to go over internet rather than intranet zone.
7) For the above requirements with a custom hostname we can create SPN’s in either one of the two ways. It can be chosen on your requirement and the policies you have.
Method 1: Registering a SPN to a machine account.
When you have a custom hostname and you want to register it to a machine account, you need to create an SPN as below.
Setspn –a HTTP/HOSTNAME machineaccount
Eg: setspn –a HTTP/Kerberos.com illuminatiserver
Method 2: Registering a SPN to a domain account.
When you have a custom hostname and you want to register it to a domain account, you need to create a SPN a below.
Setspn –a HTTP/HOSTNAME domainaccount
Eg: setspn –a HTTP/Kerberos.com domain\chiram
Note: These commands can be run on any machines within the domain but In order to create or delete SPN’s you need to be a domain admin privileges.
8) So once we have the proper SPN in place we need to modify the configuration of IIS such that we point IIS to the account to which we have the SPN registered and what account’s credentials IIS needs to use to decrypt the ticket forwarded by the client which obtained from AD. So again based on the above two variations, configuration settings will differ as below.
Method 1: Configuration when we have SPN registered to machine account.
a) Click on the site and go to configuration editor and traverse to the path system.webServer/security/authentication/windowsAuthentication
b) Make sure that usekernel mode is set to true. Usekernel mode setting tells IIS that it needs to use its machine account to decrypt the Kerberos token/ticket which was obtained from AD and forwarded by the client to the server to authenticate the user.
c) Also when have usekernel mode set to true the decryption of the ticket happens at the kernel level which is performance effective and a faster process.
Method 2: Configuration when we have SPN registered to the domain account.
a) Go to advanced settings of your application pool under which your website is running and change the identity to the domain account. In our case it will be domain\chiranth
b) Now Click on the site and go to configuration editor and traverse to the path system.webServer/security/authentication/windowsAuthentication
d) Make sure that you have “useAppPoolCredentials” set to true. When you have “useAppPoolCredentials” set to true you are telling IIS that it needs to use its application pool identity(which we have changed in the previous step to point to domain account) to decrypt the Kerberos token/ticket which was obtained from AD and forwarded by the client to the server to authenticate the user.
Note: If we have both useAppPoolCredentials and kernel mode set to true useAppPoolCredentials takes precedence and application pool account is used for decryption of the ticket. Usekernelmode setting was introduced from IIS 7 and higher versions. In IIS 6 and lower version always the application pool identity was used for decryption of the token/ticket.
Configuration for double hop:
9) The above steps should be sufficient if you expect your site to work over a single Hop. But if you want to delegate the logged in credentials to the backend server, For e.g. if you are passing the logged in credentials to the backend database server and have integrated security = true /SSPI you need to continue following the below steps.
10) Click on site and in authentication section make sure that you have ASP.NET impersonation enabled along with windows authentication.
11) Now you need to specify in AD that the account to which your HTTP service/SPN is registered (for the hostname) is authorized to delegate the user logged in credentials to any backend service (for eg: MSSQL service). This setting again varies on the type of SPN you have registered and might fall under any one of the below categories.
Method 1: When SPN is registered to machine account.
a) Go to Active directory Users and Computers.
b) Click on computers.
c) Search for your computername (in our case illuminatiserver) and go to its properties.
d) Select the delegation tab and choose the second option (unconstrained delegation) ‘Trust this computer for delegation to any service’ where you are authorizing the machine account “illuminatiserver” with the power to delegate the logged in credentials of an user to any backend service running on any machine.
Method 2: When SPN is registered to a domain account.
a) Go to Active directory Users and Computers.
b) Click on Users.
c) Search for your domain user account (in our case domain\chiranth) and go to its properties.
d) Select the delegation tab and choose the second option (unconstrained delegation) ‘Trust this account for delegation to any service’ where you are authorizing the domain account “illuminatiserver” with the power to delegate the logged in credentials of an user to any backend service running on any machine.
12) We might have policies where we don’t want to enable delegation to all the services i.e we don’t want to have unconstrained delegation setup due to some security policies in such cases we need to enable constrained delegation.
To enable constrained delegation on the delegation tab select the 3rd option where it says “Trust this account for delegation to specified service” and in the bottom windows you can add the list of backend services (MSSQLSVC, CIFS service) specific to the machines to which your SPN account can delegate the login credentials.
For eg: I have registered my HTTP SPN to domain\chiranth and in the delagtion tab of chiranth I have selected the third option “Trust this account for delegation to specified service” and in the list of service I have specified MSSQLSvc/MySQLServer:1433.
The above setting specifies that domain\chiranth account will be able to delegate the logged in credentials in IIS server to only MSSQLSvc running MySQLServer on port 1433 and no other services or machines.
Hope this helps J