Using DelegConfig tool for troubleshooting Kerberos Delegation issues

A couple of days ago I delivered a presentation on troubleshooting Kerberos configuration issues, especially from SQL Server's perspective. As part of this presentation I demonstrated the use of Brian Murphy-Booth's (https://blogs.iis.net/brian-murphy-booth) DelegConfig tool and showed how this tool can also be used for configuring SQL Server.

Since a lot of people showed interest in the use of this tool, I thought I'd share some information on its use. Here’s where you can download the tool from: https://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1434

This tool lets you easily check and fix the configuration of your IIS application and its backend server (SQL Server, OLAP, etc.) from an authentication standpoint, so that Kerberos authentication and Kerberos delegation work end to end. It checks the items that commonly break Kerberos, such as the Active Directory properties of the accounts involved and their SPNs, and points you in the right direction for fixing the problems.

The tool is basically a simple ASP.NET application that you configure in IIS under the same application pool as the application whose configuration you need to check, so that it runs under the same identity and reports on that identity's SPNs and delegation settings.

Here’s how to configure it:

1. Once you download the tool and unzip the archive, you will have a folder called Kerberos (let's say c:\Kerberos\) on your hard drive.

For this presentation, let’s say I want to check my ReportServer application config.

2. Open IIS Manager, note the application pool under which ReportServer runs, and create a new Virtual Directory under the web site of the application.

3. Follow the wizard, select an alias (let's say DelegConfig), point it to the Kerberos folder, allow the Read and Run Scripts permissions (see below) and click Finish.

4. Open the Properties of the newly created Virtual Directory and select the application pool identified at step 2 as the application pool for this virtual directory.

5. Open the Directory Security tab and make sure only Integrated Windows Authentication is selected (disable Anonymous access if it is enabled).

Now your tool is ready to be used. To use it:

1. On a client machine, open IE and navigate to the DelegConfig application (type https://yourserver/DelegConfig).

2. The application will open, but we're not ready to read the results yet. In the address bar you will have the address: https://yourserver/DelegConfig/Default.aspx?resolvedName=

You will have to supply the FQDN of your server as the value of the resolvedName parameter, like this: https://yourserver/DelegConfig/Default.aspx?resolvedName=yourserver.yourdomain.com, and press Go.

3. Now you're ready to check the configuration of your server. Below I'll present each section.

3.1.

Here my application pool is running as EUROPE\emilianb.

The tool even has a page that allows you to check, delete and add SPNs, provided the account with which you access DelegConfig has enough privileges in AD. Clicking the Fix This button takes you to the page SetSPN.aspx:

After you click Yes, you will be able to check the SPNs of whatever account you want or to add new SPNs. For example, below I am viewing the SPNs of one of my machine accounts:

3.2.

I'm accessing the application as EUROPE\emilianb (it's a bit confusing since it's the same account as the identity of the app pool, but I think you get the idea).

3.3.

3.4. Clicking the Add Backend button allows you to also check the configuration of your backend server. You'll have to tell it the server name, the service type, the port and the identity, and it will add a section for your backend server. and the checklist ->
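As an added example that is not part of this post or of the DelegConfig tool, the PowerShell script below reproduces, from a management workstation, the two checks behind the SetSPN.aspx page (section 3.1) and the Add Backend section (3.4): it builds the SPNs a client will request for the front end (HTTP) and for a backend given its server name, service type, port and identity, looks each SPN up in Active Directory, flags missing and duplicate SPNs, and reports the delegation setting of the app pool account. It uses only `[adsisearcher]` (the .NET DirectorySearcher), so the RSAT Active Directory module is not required. The function names, the backend host name, port and service account are assumptions; EUROPE\emilianb is the app pool identity from the post.

```powershell
# Added example, not DelegConfig code. Checks SPN registration and delegation
# for an IIS front end and one backend, the way DelegConfig's checklist does.
# Assumed values: the backend host, port and service account names below are placeholders.

function Get-ExpectedSpn {
    # Builds the SPNs a Kerberos client requests for a service on a host.
    param(
        [Parameter(Mandatory)][ValidateSet('HTTP','MSSQLSvc','MSOLAPSvc.3')][string]$ServiceType,
        [Parameter(Mandatory)][string]$HostFqdn,
        [int]$Port
    )
    $short = $HostFqdn.Split('.')[0]
    switch ($ServiceType) {
        'HTTP'     { "HTTP/$HostFqdn"; "HTTP/$short" }                       # HTTP SPNs carry no port
        'MSSQLSvc' { "MSSQLSvc/${HostFqdn}:$Port"; "MSSQLSvc/${short}:$Port" } # SQL Server SPNs include the port
        default    { "$ServiceType/$HostFqdn"; "$ServiceType/$short" }
    }
}

function Find-SpnOwner {
    # Returns the sAMAccountName of every account carrying the SPN.
    # Zero owners = missing; more than one = duplicate SPN (a classic Kerberos failure).
    param([Parameter(Mandatory)][string]$Spn)
    $s = [adsisearcher]"(servicePrincipalName=$Spn)"
    $null = $s.PropertiesToLoad.Add('samaccountname')
    $s.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] }
}

function Test-DelegationSetting {
    # Reports whether an account may delegate: unconstrained, constrained, or not at all.
    param([Parameter(Mandatory)][string]$SamAccountName)   # computer accounts end with '$'
    $s = [adsisearcher]"(sAMAccountName=$SamAccountName)"
    $null = $s.PropertiesToLoad.AddRange([string[]]@('useraccountcontrol','msds-allowedtodelegateto'))
    $acct = $s.FindOne()
    if (-not $acct) { return "account $SamAccountName not found" }
    $uac = [int]$acct.Properties['useraccountcontrol'][0]
    $TRUSTED_FOR_DELEGATION         = 0x80000     # userAccountControl flag: unconstrained
    $TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # userAccountControl flag: protocol transition
    $targets = @($acct.Properties['msds-allowedtodelegateto'])
    if ($uac -band $TRUSTED_FOR_DELEGATION) { return 'unconstrained delegation' }
    if ($targets.Count -gt 0) {
        $mode = if ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) { 'any protocol' } else { 'Kerberos only' }
        return "constrained delegation ($mode) to: $($targets -join ', ')"
    }
    'no delegation configured'
}

function Test-KerberosPath {
    # Runs the checklist for the front-end identity plus one backend
    # (the same inputs DelegConfig's Add Backend asks for: server, service type, port, identity).
    param(
        [Parameter(Mandatory)][string]$FrontEndFqdn,
        [Parameter(Mandatory)][string]$FrontEndIdentity,   # app pool account, or 'host$' for Network Service
        [Parameter(Mandatory)][string]$BackendFqdn,
        [Parameter(Mandatory)][string]$BackendServiceType,
        [int]$BackendPort,
        [Parameter(Mandatory)][string]$BackendIdentity     # service account, or 'host$' for Local System
    )
    $checks = @(
        @{ Tier = 'Front end'; Identity = $FrontEndIdentity; Spns = Get-ExpectedSpn HTTP $FrontEndFqdn },
        @{ Tier = 'Backend';   Identity = $BackendIdentity;  Spns = Get-ExpectedSpn $BackendServiceType $BackendFqdn $BackendPort }
    )
    foreach ($c in $checks) {
        foreach ($spn in $c.Spns) {
            $owners = @(Find-SpnOwner $spn)
            $status = switch ($owners.Count) {
                0       { 'MISSING - register with: setspn -S {0} {1}' -f $spn, $c.Identity }
                1       { if ($owners[0] -ieq $c.Identity) { 'OK' } else { "registered on the wrong account ($($owners[0]))" } }
                default { "DUPLICATE on: $($owners -join ', ') - remove the extra registrations" }
            }
            [pscustomobject]@{ Tier = $c.Tier; Spn = $spn; Status = $status }
        }
    }
    [pscustomobject]@{ Tier = 'Front end'; Spn = '(delegation)'; Status = Test-DelegationSetting $FrontEndIdentity }
}

# Constructed example run (placeholder host names and SQL service account; emilianb is from the post).
Test-KerberosPath -FrontEndFqdn 'yourserver.yourdomain.com' -FrontEndIdentity 'emilianb' `
                  -BackendFqdn 'sqlhost.yourdomain.com' -BackendServiceType MSSQLSvc -BackendPort 1433 `
                  -BackendIdentity 'sqlsvc' | Format-Table -AutoSize
```

Run it as a domain user on a domain-joined machine; reading SPNs and userAccountControl needs no special rights, so it is a safe first pass before opening SetSPN.aspx with a privileged account to apply the fixes. The duplicate-SPN case is the one DelegConfig's screenshot cannot show directly: the KDC issues a ticket for whichever account it finds, so the front end may receive a ticket the backend cannot decrypt.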