Setting up Kerberos Authentication for a Website in IIS


I had previously blogged about how Kerberos works and how to troubleshoot authentication issues when it fails. I thought it would also be good to document the basic steps we go through when configuring Kerberos for a site. This post is a step-by-step walkthrough of the changes needed to set up Kerberos for a site.

Please go through the blog on how Kerberos works before going through the setup blog.

The steps below take you through the setup of Kerberos for a site. Steps 1-8 are sufficient when you want Kerberos configured for a single hop only. Step 9 onwards shows the configuration for double hop, i.e. delegating the logged-in account to a backend server (for example a SQL service).

Steps:

Configuration for single hop:

1) Click on the website, go to Authentication and make sure that Windows authentication is enabled.

2) When you want to use Windows authentication, make sure that anonymous authentication is not enabled, because anonymous authentication takes precedence over Windows authentication. Leaving it enabled is a common mistake I have observed. The link below talks about precedence in authentication.

http://msdn.microsoft.com/en-us/library/ee825205(v=cs.10).aspx

3) Enabling Windows authentication doesn’t mean the Kerberos protocol will be used. It might also use NTLM, which is also a provider in Windows authentication. To set up Kerberos for the site, make sure “Negotiate” is at the top of the list in the Providers section, which you can see when you select Windows authentication. Negotiate is a provider, or container, which supports the Kerberos protocol and also contains NTLM as a fallback when Kerberos fails for some reason. The important thing to keep in mind is that when we want to use Kerberos, “Negotiate” should be at the top.

4) The above three steps are sufficient when you browse your site by machine name, as http://machinename or http://FQDN of the machine. You need not create any SPNs (the concept of an SPN is explained in my previous blog), because a HOST SPN is registered to your machine account by default when you join the machine to a domain. A HOST SPN is similar to an HTTP SPN and is sufficient when you want to access a site over Kerberos.

For example, if you have a machine named ‘illuminati’, a HOST SPN for illuminati will be present, registered to the built-in machine account. You can confirm this by running the below command.

setspn -l machineaccount

setspn -l illuminati : this will query for all the SPNs registered to the machine account illuminati.

5) If you want to access the site with a custom hostname, we need to create an appropriate SPN for the hostname and register it either to the machine account or to a domain account.

In a web farm scenario (the same site hosted on multiple servers behind a load balancer) we usually register the SPN to a domain account rather than a machine account, so that the same ticket from AD is usable on all the machines in the farm.

6) Let’s consider the below scenario with imaginary hostname, machine name and a domain account.

FQDN Machine name: illuminatiserver.domain.com

Hostname: Kerberos.com

Domain account: domain\chiranth

Note: Be careful while choosing a hostname. The hostname shouldn’t have “www.” in it. If the hostname has www, Kerberos will fail, because when a client tries to access a site with www in the hostname, it will try to go over the Internet zone rather than the intranet zone.

7) For the above requirements with a custom hostname, we can create SPNs in either of two ways. Choose based on your requirements and the policies you have.

Method 1: Registering a SPN to a machine account.

When you have a custom hostname and you want to register it to a machine account, you need to create an SPN as below.

setspn -a HTTP/HOSTNAME machineaccount

Eg: setspn -a HTTP/Kerberos.com illuminatiserver

Method 2: Registering a SPN to a domain account.

When you have a custom hostname and you want to register it to a domain account, you need to create an SPN as below.

setspn -a HTTP/HOSTNAME domainaccount

Eg: setspn -a HTTP/Kerberos.com domain\chiranth

Note: These commands can be run on any machine within the domain, but in order to create or delete SPNs you need domain admin privileges.

8) Once we have the proper SPN in place, we need to configure IIS so that it points to the account to which the SPN is registered, that is, the account whose credentials IIS uses to decrypt the ticket that the client obtained from AD and forwarded. Based on the above two variations, the configuration settings differ as below.

Method 1: Configuration when we have SPN registered to machine account.

a) Click on the site, go to Configuration Editor and traverse to the path system.webServer/security/authentication/windowsAuthentication

b) Make sure that useKernelMode is set to true. The useKernelMode setting tells IIS to use its machine account to decrypt the Kerberos token/ticket which was obtained from AD and forwarded by the client to the server to authenticate the user.

c) Also, when useKernelMode is set to true, the decryption of the ticket happens at the kernel level, which is faster and better for performance.

Method 2: Configuration when we have SPN registered to the domain account.

a) Go to the advanced settings of the application pool under which your website is running and change the identity to the domain account. In our case it will be domain\chiranth

b) Now click on the site, go to Configuration Editor and traverse to the path system.webServer/security/authentication/windowsAuthentication

c) Make sure that you have “useAppPoolCredentials” set to true. When “useAppPoolCredentials” is set to true, you are telling IIS to use its application pool identity (which we changed in the previous step to point to the domain account) to decrypt the Kerberos token/ticket which was obtained from AD and forwarded by the client to the server to authenticate the user.

Note: If both useAppPoolCredentials and useKernelMode are set to true, useAppPoolCredentials takes precedence and the application pool account is used to decrypt the ticket. The useKernelMode setting was introduced in IIS 7 and higher versions. In IIS 6 and lower versions the application pool identity was always used to decrypt the token/ticket.
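
The checks from steps 1 to 8 can be scripted. The following PowerShell is an added example, not code from the original post: the function name `Test-KerberosSiteSetup` is an assumption, and it needs the WebAdministration and ActiveDirectory modules on the IIS server. It goes slightly beyond the text by treating the case where both settings are false as user-mode authentication under the worker process identity.

```powershell
# Added example, not part of the original post.
# Run elevated on the IIS server; needs the WebAdministration and
# ActiveDirectory (RSAT) modules.
Import-Module WebAdministration, ActiveDirectory

function Test-KerberosSiteSetup {
    param(
        [Parameter(Mandatory)] [string] $Site,      # IIS site name
        [Parameter(Mandatory)] [string] $HostName   # name users browse to
    )
    $cfg  = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $Site }
    $auth = 'system.webServer/security/authentication'
    $win  = "$auth/windowsAuthentication"

    # Steps 1-3: authentication modes and provider order.
    $anonOn   = (Get-WebConfigurationProperty @cfg -Filter "$auth/anonymousAuthentication" -Name enabled).Value
    $winOn    = (Get-WebConfigurationProperty @cfg -Filter $win -Name enabled).Value
    $kernel   = (Get-WebConfigurationProperty @cfg -Filter $win -Name useKernelMode).Value
    $poolCred = (Get-WebConfigurationProperty @cfg -Filter $win -Name useAppPoolCredentials).Value
    $providers = @((Get-WebConfiguration @cfg -Filter "$win/providers").Collection |
                   ForEach-Object { $_.GetAttributeValue('value') })

    # Step 8: which account decrypts the ticket?
    #   useAppPoolCredentials = true      -> application pool identity (takes precedence)
    #   useKernelMode = true on its own   -> machine account
    #   both false (assumption added here) -> user mode, worker process identity
    # Built-in pool identities act as the machine account on the network.
    $poolName = (Get-Item "IIS:\Sites\$Site").applicationPool
    $pm       = (Get-Item "IIS:\AppPools\$poolName").processModel
    $usesPool = $poolCred -or -not $kernel
    if ($usesPool -and $pm.identityType -eq 'SpecificUser') {
        # Reduce DOMAIN\user or user@domain to the sAMAccountName.
        $decryptor = ($pm.userName -split '\\')[-1] -replace '@.*$'
    } else {
        $decryptor = $env:COMPUTERNAME + '$'
    }

    # Steps 4-7: who holds the SPN? A custom host name needs HTTP/<name>;
    # the machine's own name is covered by its default HOST SPN.
    # Get-ADObject searches the current domain only.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=HTTP/$HostName)" -Properties sAMAccountName)
    if ($holders.Count -eq 0) {
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=HOST/$HostName)" -Properties sAMAccountName)
    }

    $issues = @()
    if (-not $winOn) { $issues += 'Windows authentication is disabled (step 1)' }
    if ($anonOn)     { $issues += 'Anonymous authentication is enabled (step 2)' }
    if ($providers[0] -ne 'Negotiate') {
        $issues += 'Negotiate is not the first provider (step 3)'
    }
    if ($holders.Count -eq 0) {
        $issues += "No HTTP or HOST SPN found for $HostName (steps 4-7)"
    } elseif ($holders.Count -gt 1) {
        $issues += "Duplicate SPN for ${HostName}: " + ($holders.sAMAccountName -join ', ')
    } elseif ($holders[0].sAMAccountName -ne $decryptor) {
        $issues += "SPN is registered to $($holders[0].sAMAccountName) but IIS decrypts with $decryptor (step 8)"
    }

    [pscustomobject]@{
        Site              = $Site
        Providers         = $providers -join ', '
        UseKernelMode     = $kernel
        UseAppPoolCreds   = $poolCred
        DecryptingAccount = $decryptor
        SpnHolders        = $holders.sAMAccountName -join ', '
        Issues            = $issues
    }
}

# Usage with the article's scenario (the site name is a placeholder):
# Test-KerberosSiteSetup -Site 'Default Web Site' -HostName 'Kerberos.com' | Format-List
```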

Configuration for double hop:

9) The above steps are sufficient if you expect your site to work over a single hop. But if you want to delegate the logged-in credentials to a backend server, for example if you are passing the logged-in credentials to a backend database server and have Integrated Security=true/SSPI, continue with the below steps.

10) Click on the site and in the Authentication section make sure that you have ASP.NET impersonation enabled along with Windows authentication.

11) Now you need to specify in AD that the account to which your HTTP service/SPN is registered (for the hostname) is authorized to delegate the logged-in user's credentials to any backend service (for example the MSSQL service). This setting again varies with the type of SPN you have registered and falls under one of the below categories.

Method 1: When SPN is registered to machine account.

a) Go to Active directory Users and Computers.

b) Click on computers.

c) Search for your computername (in our case illuminatiserver) and go to its properties.

d) Select the Delegation tab and choose the second option (unconstrained delegation), ‘Trust this computer for delegation to any service’. This authorizes the machine account “illuminatiserver” to delegate the logged-in credentials of a user to any backend service running on any machine.

Method 2: When SPN is registered to a domain account.

a) Go to Active directory Users and Computers.

b) Click on Users.

c) Search for your domain user account (in our case domain\chiranth) and go to its properties.

d) Select the Delegation tab and choose the second option (unconstrained delegation), ‘Trust this account for delegation to any service’. This authorizes the domain account “domain\chiranth” to delegate the logged-in credentials of a user to any backend service running on any machine.

12) We might have security policies under which we don’t want to enable delegation to all services, i.e. we don’t want unconstrained delegation. In such cases we need to enable constrained delegation.

To enable constrained delegation, on the Delegation tab select the third option, “Trust this account for delegation to specified service”, and in the bottom window add the list of backend services (MSSQLSVC, CIFS service), specific to the machines, to which your SPN account can delegate the login credentials.

For example, I have registered my HTTP SPN to domain\chiranth, and in the Delegation tab of chiranth I have selected the third option, “Trust this account for delegation to specified service”, and in the list of services I have specified MSSQLSvc/MySQLServer:1433.

The above setting specifies that the domain\chiranth account can delegate the credentials of users logged in to the IIS server only to MSSQLSvc running on MySQLServer on port 1433, and to no other services or machines.
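
Steps 11 and 12 as a scripted check and change, using the ActiveDirectory module. This is an added example, not code from the original post: the function names are assumptions, and the account and target SPN in the usage lines are the ones from the article's example.

```powershell
# Added example, not part of the original post. Needs the ActiveDirectory module.
Import-Module ActiveDirectory

# userAccountControl bit that "Trust this account for delegation to any service" sets.
$TRUSTED_FOR_DELEGATION = 0x80000

function Get-HttpDelegationReport {
    # Every account in the current domain that holds an HTTP SPN,
    # with how far it is allowed to delegate.
    $props = 'sAMAccountName', 'servicePrincipalName',
             'userAccountControl', 'msDS-AllowedToDelegateTo'
    Get-ADObject -LDAPFilter '(servicePrincipalName=HTTP/*)' -Properties $props |
        ForEach-Object {
            $account = $_
            # Services listed under "delegation to specified services".
            $targets = @($account.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
            if ($account.userAccountControl -band $TRUSTED_FOR_DELEGATION) {
                $mode = 'Unconstrained'
            } elseif ($targets.Count -gt 0) {
                $mode = 'Constrained'
            } else {
                $mode = 'None'
            }
            [pscustomobject]@{
                Account    = $account.sAMAccountName
                HttpSpns   = @($account.servicePrincipalName | Where-Object { $_ -like 'HTTP/*' })
                Delegation = $mode
                Targets    = $targets
            }
        }
}

function Set-ConstrainedDelegation {
    # Replaces "any service" with an explicit list of backend SPNs (step 12).
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $Account,    # sAMAccountName; computer accounts end in $
        [Parameter(Mandatory)] [string[]] $TargetSpn   # e.g. MSSQLSvc/<server>:<port>
    )
    $dn = (Get-ADObject -LDAPFilter "(sAMAccountName=$Account)").DistinguishedName
    if (-not $dn) { throw "Account '$Account' not found in the current domain" }

    # Clear the unconstrained flag first, then write the allowed targets.
    Set-ADAccountControl -Identity $dn -TrustedForDelegation $false
    Set-ADObject -Identity $dn -Replace @{ 'msDS-AllowedToDelegateTo' = $TargetSpn }
}

# Usage:
# Get-HttpDelegationReport | Where-Object Delegation -eq 'Unconstrained'
# Set-ConstrainedDelegation -Account chiranth -TargetSpn 'MSSQLSvc/MySQLServer:1433' -WhatIf
```

Run the second call with `-WhatIf` first; it shows both changes without writing them.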

Hope this helps :)

Comments (39)

  1. YokiXml says:

    Thanks for your job. Very clear explanation.

  2. Ian Yates says:

    Great walkthrough!

  3. Abe Mie says:

    Very nice article.

    Just to ask. Any reason why I don't have 'Provider' option when I choose "Windows Authentication"?.  

  4. Hi Abe,

    I think you are using IIS 7 on a Windows 2008 SP2 machine. The providers option is only available in IIS 7.5 on Windows 2008 R2 onwards. However there is a workaround: you can access the providers section through the UI using Configuration Editor. To get Configuration Editor on a Windows 2008 SP2 machine, install the IIS 7 administration pack from http://www.iis.net/…/administration-pack . Once you get the admin pack and config editor, to access the providers section go to the system.webServer/security/authentication/windowsAuthentication section inside Configuration Editor. Please let me know if you have queries.

  5. Rajini says:

    Do we need to have additional configuration for kerberos if we use loadbalanced web farm using ARR ?

  6. @Rajini: If we are using ARR as a load balancer there are some things wrt SPN's of the ARR server we need to take care of. The below blog tells you the extra settings you need to configure when you have ARR as a load balancer

    blogs.msdn.com/…/a-quick-solution-when-windows-authentication-is-required-on-backend-web-server-for-arr-scenario.aspx

    Let me know if you have any queries in particular wrt to the settings

  7. Rajini says:

    Thanks for your reply Chiranth,

    I used the exact steps that you suggested to configure Kerberos and the authentication works fine when I access the application using the servername. But when I access the application using the loadbalanced URL it gives an error (support personnel can access the application using the loadbalanced URL but the end user cannot). We use a NetApp filer to store the configuration and application content. Do you think Kerberos needs to be configured at the filer end too?

  8. Rajini says:

    When I ask the end user to access the application using the loadbalanced URL and when I enable failed request tracing in the server it gives the following error "Device attached to the system is not functioning" and he gets a 500 internal error

  9. @Rajini: The way to troubleshoot this would be to check what the difference is between the user accounts. Check if the account has proper permissions. Check accessing a simple HTML page without any DB access. If there is any intermediary device which might be adding some unwanted headers you might see this. Collect Fiddler to check the headers being sent from the client and collect network traces on the ARR server and IIS server to check the headers it is receiving. You can also collect Fiddler on the ARR server rather than network traces to check the headers going to the backend server and the response coming from it by following the below steps in the troubleshooting section "Fiddler Tracing" of this article.

    blogs.msdn.com/…/application-request-routing-part-2-reverse-proxy-and-troubleshooting-arr-urlrewrite-issues.aspx

    please let me know if you have any queries

  10. Anil says:

    Hi Chiranth, Excellent blog. Great information and very very well explained and written. Thank you for it.

    I am a little confused about my use case.

    I have been accessing the site with a custom hostname without setting up a SPN via windows authentication. This has been true for both IIS6 or IIS7.5. I never had issues with SPN or any decryption etc. Is it because my usekernel mode is set to true?

  11. @Anil: Thanks for the response. This might be because of one of two reasons.

    1) As you don't have any SPNs, the authentication might be falling back to NTLM and not Kerberos

    2) Or if your custom hostname is a CNAME or alias, i.e. if the hostname is mapped to the server name rather than directly to the IP address, then the SPN will be fetched for the server name, which will be present by default.

    You can confirm if you are going over NTLM or Kerberos by taking Fiddler traces and examining the token. The below references can tell you the difference in Fiddler tokens in NTLM and Kerberos

    blogs.msdn.com/…/ntlm-want-to-know-how-it-works.aspx

    blogs.msdn.com/…/all-about-kerberos-the-three-headed-dog-with-respect-to-iis-and-sql.aspx

    Please let me know in case of any queries
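
The check this reply describes, telling NTLM from Kerberos by the token in the request's Authorization header, as an added example that is not part of the original comment thread. The function name is an assumption, and the two sample tokens are constructed for illustration: they are truncated prefixes, not valid tickets.

```powershell
# Added example, not part of the original thread.
# Paste the value of the Authorization request header as captured in Fiddler.
function Get-NegotiateTokenType {
    param([Parameter(Mandatory)] [string] $AuthorizationHeader)

    if ($AuthorizationHeader -notmatch '^\s*(Negotiate|NTLM)\s+([A-Za-z0-9+/]+=*)\s*$') {
        return 'NoToken'
    }
    try   { $bytes = [Convert]::FromBase64String($Matches[2]) }
    catch { return 'NotBase64' }

    # Hex form "60-82-..." makes byte-sequence searches a plain substring test.
    $hex = [BitConverter]::ToString($bytes)

    $ntlmSignature = '4E-54-4C-4D-53-53-50-00'            # "NTLMSSP" + NUL
    $kerberosOid   = '06-09-2A-86-48-86-F7-12-01-02-02'   # 1.2.840.113554.1.2.2
    $msKerberosOid = '06-09-2A-86-48-82-F7-12-01-02-02'   # 1.2.840.48018.1.2.2

    # NTLM is checked first: it may arrive raw or wrapped inside SPNEGO.
    if ($hex.Contains($ntlmSignature)) { return 'NTLM' }

    # A GSS-API/SPNEGO token starts with the ASN.1 application tag 0x60
    # and carries a Kerberos mechanism OID when a ticket was obtained.
    if ($bytes[0] -eq 0x60 -and
        ($hex.Contains($kerberosOid) -or $hex.Contains($msKerberosOid))) {
        return 'Kerberos'
    }
    return 'Unknown'
}

# Constructed samples (prefixes only): an NTLM type 1 message header, and a
# SPNEGO header followed by the Kerberos mechanism OID.
$sampleNtlm = 'Negotiate ' + [Convert]::ToBase64String(
    [byte[]](0x4E,0x54,0x4C,0x4D,0x53,0x53,0x50,0x00,0x01,0x00,0x00,0x00))
$sampleKerberos = 'Negotiate ' + [Convert]::ToBase64String(
    [byte[]](0x60,0x82,0x06,0x10,
             0x06,0x06,0x2B,0x06,0x01,0x05,0x05,0x02,
             0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x12,0x01,0x02,0x02))

Get-NegotiateTokenType $sampleNtlm       # NTLM: tokens of this kind begin "TlRMTVNT"
Get-NegotiateTokenType $sampleKerberos   # Kerberos: tokens of this kind begin "YII"
```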

  12. MalakaG says:

    Hi Chiranth,

    This is a very good and useful blog post. I'm new to windows environment and I'm trying to follow the same scenario and I did all the things that are in the blog. Note that I'm using a domain account and not a machine account.

    But the problem is when I try to access my web service, I get an Authentication 401 error.

    I had a look at the server side logs and it says the error code is 401.1 – No credentials are available in the security package (0x8009030e)

    Do you have any idea why this is happening?

    Thanks

    Malaka

  13. hi malaka:

    Sorry for the late reply. I was out of town and travelling. In the client application just before calling the web service make sure you set the proxydefault credentials bool value to true or set it as below

    myProxy.Credentials = System.Net.CredentialCache.DefaultCredentials

    myProxy.Credentials = System.Net.CredentialCache.DefaultNetworkCredentials

    support.microsoft.com/…/813834

    Also make sure we have the delegation set for the app pool account. for troubleshooting you can follow the below blog.

    blogs.msdn.com/…/all-about-kerberos-the-three-headed-dog-with-respect-to-iis-and-sql.aspx

    Also you can take system.net traces on the client app side to see what account is going in.

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
       <system.diagnostics>
           <trace autoflush="true" />
           <sources>
               <source name="System.Net">
                   <listeners>
                       <add name="System.Net"/>
                   </listeners>
               </source>
               <source name="System.Net.HttpListener">
                   <listeners>
                       <add name="System.Net"/>
                   </listeners>
               </source>
               <source name="System.Net.Sockets">
                   <listeners>
                       <add name="System.Net"/>
                   </listeners>
               </source>
               <source name="System.Net.Cache">
                   <listeners>
                       <add name="System.Net"/>
                   </listeners>
               </source>
           </sources>
           <sharedListeners>
               <add
                   name="System.Net"
                   type="System.Diagnostics.TextWriterTraceListener"
                   initializeData="c:\traces\System.Net.trace.log"
                   traceOutputOptions="DateTime"
               />
           </sharedListeners>
           <switches>
               <add name="System.Net" value="Verbose" />
               <add name="System.Net.Sockets" value="Verbose" />
               <add name="System.Net.Cache" value="Verbose" />
               <add name="System.Net.HttpListener" value="Verbose" />
           </switches>
       </system.diagnostics>
    </configuration>

    Change the path to where you would like to save the trace. Recycle the app pool. Reproduce the issue and check the traces.

    Please reply back in case of any issues

  14. you can put those config info in the web.config of the client app

  15. AnandStarlin says:

    I did try implementing Kerberos in our PeopleSoft system by following the Oracle document:

    It went well in our Development but i am facing issue in Test .

    Let me explain the Difference between our DEV and TEST Environment

    DEVELOPMENT :

    We have App Server & Web Server is the same box . Say (ABC123- Computer Name)

    TEST :

    Here we have Web Server and App Server in Different Box.

    Here we are using IIS .

    In DEV url we are using computer name for the URL and in TEST here we are IIS to redirect .

    In Test the Kerberos is working inside the Web Server Box and outside anywhere the url gives internet explorer error. Also we found that it works in Chrome and Firefox but not in IE .

    Could you let me know where I went wrong . Is there anything I need to create keytab for all the Servers. Or is it fully related to IIS .

    Please Advice.

  17. @Anand: IE will try to see if Kerberos is configured and will try to reach the site with a Kerberos ticket.

    In Chrome and Firefox I suspect it is going over NTLM, so not quite sure if we want to use Kerberos or NTLM. If you want to use NTLM, in the providers section under windows authentication in the UI move NTLM to the top and see if it works in IE. Or if you want to make it work over Kerberos, follow the below steps.

    1) Repro the issue and see if we are seeing any Kerberos error in the system event logs of the client machine.

    2) The hostname you are using, is it an A record, mapped directly to the IP, or an alias or CNAME pointing to another name record and not to an IP? If it is a CNAME try to have that as an A record.

    3) Check what are all the SPNs registered for your hostname and make sure that there are no duplicate HTTP SPNs for your site.

    setspn -F -Q */hostname

    Follow the below blog for further troubleshooting or let me know in case of any queries.

    blogs.msdn.com/…/all-about-kerberos-the-three-headed-dog-with-respect-to-iis-and-sql.aspx

  18. AnandStarlin says:

    Hi Chiranth,

    This is the document i followed :docs.oracle.com/…/task_ImplementingKerberosastheDesktopSingleSignonSolution-666fb6.html

    I tried explaining my scenarios very clearly but i am unable to post it says as spam.

  19. AnandStarlin says:

    DEV

    We have App Server & Web Server is the same box . Say (ABC123- Computer Name)

    Steps Followed :

    setspn -A HTTP/ABC123.corporate.XXX.com CORPORATESRVACT

    UAT

    Here we have Web Server and App Server in Different Box.

    Web Server : ABC345.corporate.XXX.com   ( Computer Name)

    App Server : ABC567.corporate.XXX.com    ( Computer Name)

    setspn -A  HTTP/ ABC567.corporate.XXX.com

    setspn -A  HTTP/ ABC567

    setspn -A  HTTP/ ABC345.corporate.XXX.com

    setspn -A  HTTP/peoplesoftuat.corp.com

    setspn -A  HTTP/ABC345

  20. @Anand: I looked into the article and they are trying to implement the authentication by implementing their own filters and doesn't talk much about the IIS side of settings that we have.

  21. Anand says:

    Nice blog 🙂

  22. Jeb says:

    Hi Chiranth,

    While registering SPN, do I have to mention the port number, if I'm using HTTPS?

    Or it really doesn't matter on what port my website runs?

  23. @Jeb: While registering HTTP SPNs it's not necessary to mention the port numbers in the setspn command, because when IE tries to query for the SPN from AD or KDC it doesn't send the port number in the query by default. If you have a requirement to register the SPN with a port and want IE to request the SPN for the hostname along with the port, there is a registry hack which you can do below

    For 32-bit computers

    1.Click Start, click Run, type regedit, and then click OK.

    2.In the left pane, locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl

    3.On the Edit menu, point to New, and then click Key.

    4.Type FEATURE_INCLUDE_PORT_IN_SPN_KB908209, and then press ENTER.

    5.On the Edit menu, point to New, and then click DWORD Value.

    6.Type iexplore.exe, and then press ENTER.

    7.On the Edit menu, click Modify.

    8.Type 1 in the Value data box, and then click OK.

    9.Exit Registry Editor.

    For 64-bit computers

    1.Click Start, click Run, type regedit, and then click OK.

    2.In the left pane, locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl

    3.On the Edit menu, point to New, and then click Key.

    4.Type FEATURE_INCLUDE_PORT_IN_SPN_KB908209, and then press ENTER.

    5. On the Edit menu, point to New, and then click DWORD Value.

    6.Type iexplore.exe, and then press ENTER.

    7.On the Edit menu, click Modify.

    8.Type 1 in the Value data box, and then click OK.

    9.Exit Registry Editor.

  24. Luca Maletti says:

    Many many thanks! I can't find any documentation better than yours. Great job!

  25. Andre says:

    first time, I have read article that explains kerberos, how it works,

    Thanks friend, very nice information you put here

  26. palikero67 says:

    Thanks for a great article.  It was a life saver.

  27. Anandhi says:

    Very useful TL

  28. Getting error says:

    Hi Chiranth

    Tried the both Machine and SPN way:

    Set the trusted machine and SPN for calls.

    setspn -S  HTTP/Test

    setspn -S  HTTP/Test.corporate.XXX.com

    Followed your article full getting error:

    The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM

    Server is 2012R2, IIS8.5,

    if host the website at default website url(http://<servername>/Test/Test.aspx) calling the http://<serviceServer>testService/test.asmx is working fine.

    If host the website on same machine out of default website url(http://Test/Test.aspx), updated the AD to map test to <servername> calling the same http://<serviceServer>testService/test.asmx is throwing error as mentioned above.

    Please suggest,

    Also noticed using wireshark in case of http://<servername>/Test/Test.aspx its sending the negotiate only

    but in case of (http://Test/Test.aspx) its sending NTLM when calling to service.

    1. CHETAN ASHOK CHOUGALE says:

      Hi ,
      Did you get any solution for the your problem ?

  29. Hi ,

    Sorry for the late response.

    I have a few questions.

    When you host it on the default web site, are you accessing it locally?

    For the host name "Test", are you creating a CNAME (alias) or an A record (host to IP mapping)?

    When you create a A record for Test and register the spn as below

    setspn -S HTTP/Test account

    Make sure you set your app pool identity of the asp.net site to contain the SPN "account" credentials, then in configuration editor make sure you have useapppoolcredentials set to true and do an iisreset.

    Also make sure you are impersonating in the code using below mechanisms

    support.microsoft.com/…/813834

    Also make sure you have the delegation on for the account "Account" for which SPN is registered

    If you are using an alias or CNAME for Test then there is no need to create a SPN for the hostname, because internally test is translated to the server name and I get the ticket for http/servername

    In the above case servername will already be registered to the machine account. In that case make sure your usekernelmode is set to true and useapppoolcredentials is set to false

    And make sure your machine account is enabled for delegation in AD

    Please let me know in case of any queries.

  30. Giri says:

    Nice article, I want to get kerberos token using c# code using asp.net, while implementation getting error WSE594: InitializeSecurityContext call failed with the following error message: A specified logon session does not exist. It may already have been terminated".

  31. Joshua Hendrickson says:

    +++++

    I struggled for a few hours to get TFS Express to use Kerberos. The key bit that seemed to do it was setting useAppPoolIdentity to true (since I run TFS under a dedicated identity).

  32. Peter Björkmarker says:

    Isn't this incorrect:

    Note: If we have both useAppPoolCredentials and kernel mode set to true useAppPoolCredentials takes precedence. Usekernelmode setting was introduced from IIS 7 and higher versions. In IIS 6 and lower version always the application pool identity was used for decryption of the token/ticket and it used to happen at the user level.

    I.e. you can have both kernel mode and useAppPoolCredentials enabled nowadays, and it is also recommended for most applications. Look here: blogs.technet.microsoft.com/…/kerberos-and-load-balancing

    Peter

  33. @Peter: If you observe, the blog blogs.technet.microsoft.com/…/kerberos-and-load-balancing

    is for load balancing the application between servers, and the SPN registered to a domain account is used as the app pool identity. When you have both useapppoolcredentials and usekernel mode set to true, the application pool account is the one which will be used for decryption of the ticket and the decryption happens at the kernel level. When you just have usekernelmode set to true, your machine account will be used for decryption of the ticket. I didn't mean to imply you can't use both of these. I am explaining what will happen when you have different permutations and combinations for better understanding

  34. GB says:

    Thank you for taking the time to post this article. Very helpful when all you find on some product documentation that runs on IIS is “…assuming Kerberos authentication is in place, …”

  35. Anoop says:

    Hi Chiranth, Great Article and thanks for sharing!
    I’m a novice on IIS and trying to develop a website to perform health check on my Appv publishing servers
    I got to create a website which is to run few URLs with port number (E.g. http://ServerFQDN:53120) and should return 200 for each URL. I have the website run, but it return 400 (unauthorized) from these URLs. Later I got to know that they should be accessed with a machine account.These URLs should be accessed with machine account of the server on which the IIS server is setup. How do I configure this? Should I set up SPN for this? How to do it? Can you help please
    Thanks in advance
    Anoop

    1. Hi Anup,

      Sorry for the late reply.

      Are you seeing a 401 or 400 error?

      if it is a 400 error, you can check the iis logs of the website to see if the 400 is being thrown by IIS or check the httperr logs in C:\Windows\System32\LogFiles\HTTPERR to see if the 400 error was being thrown even before it reached IIS
      If the issue is at IIS level for 400 then collect failed request traces and see who is throwing 400 error.

      Also if the error is 401 and 400 was misspelled then check if you need windows authentication and so if it is properly configured. What provider is coming into effect if it is NTLM or kerberos.

      Also how are you accessing the website? is it from a browser or do you have a client application which makes a call to the website?

      You can check the detailed step by step troubleshooting in the below article
      https://blogs.msdn.microsoft.com/chiranth/2013/09/20/all-about-kerberos-the-three-headed-dog-with-respect-to-iis-and-sql/

      regards,
      Chiranth

  36. Smit Jawale says:

    I am facing authentication problems when using Windows authentication between client and wcf web service. The error I was getting was (The HTTP request is unauthorized with client authentication scheme ‘Negotiate’. The authentication header received from the server was ‘NTLM,Negotiate’). Environment details-

    Both the client and service installed on the same machine
    Enabled list of Providers for windows authentication: NTLM, Negotiate
    Anonymous Authentication Disabled
    IIS version: IIS Version 8.5.9600.16384
    Windows server version: Windows Server 2012 R2, Version 6.2, Build 9200.
    Config:

  37. Juan Murcia says:

    Thanks for a great article. It has been very helpful!