Article ID: 907272 - View products that this article applies to.
IIS Developer Support Voice column
Kerberos authentication and troubleshooting delegation issuesTo customize this column to your needs, we want to invite you to submit your ideas about topics that interest you and issues that you want to see addressed in future Knowledge Base articles and Support Voice columns. You can submit your ideas and feedback using the Ask For It
(http://support.microsoft.com/common/survey.aspx?scid=sw;en;1176&p0=&p1=&p2=&p3=&p4=)form. There's also a link to the form at the bottom of this column.
My name is Martin Smith, and I am with Microsoft's Microsoft Internet Information Services (IIS) Critical Problem Resolution group. I have been with Microsoft nine years and have been with the IIS team all nine years. I have compiled information from multiple locations on http://msdn.microsoft.com
(http://www.microsoft.com)about Kerberos and how to troubleshoot delegation issues.
IIS 6.0The following white paper describes how to set up delegation in Microsoft Windows Server 2003. The white paper has specific information for Network Load Balancing (NLB) but includes excellent detail about how to set up a delegated scenario without using NLB. To view this white paper, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/cc757299.aspxNote Use HTTP Service Principal Names (SPNs) especially when you use NLB.
Another popular Kerberos issue recently has been the need to allow for multiple application pools to use the same DNS name. Unfortunately, when you use Kerberos to delegate credentials, you cannot bind the same Service Principal Name (SPN) to different application pools. You cannot do this because of the design of Kerberos. The Kerberos protocol requires multiple shared secrets for the protocol to work correctly. By using the same SPN for different application pools, we eliminate one of these shared secrets. The Active Directory directory service will not support this configuration of the Kerberos protocol because of the security issue.
Configuring the SPNs in this manner causes Kerberos authentication to fail. A possible workaround for this issue would be to use protocol transitioning. The initial authentication between the client and the Server Running IIS would be handled by using the NTLM authentication protocol. Kerberos would handle the authentication between IIS and the backend resource server.
Microsoft Internet Explorer 6 or laterThe client browser may experience issues, such as receiving repeated logon prompts for credentials or "401 Access Denied" error messages from the server running IIS. We have found the following two issues that may help resolve these issues:
IIS 5.0 and IIS 6.0After you upgrade from IIS 4.0 to IIS 5.0 or IIS 6.0, delegation may not function correctly, or possibly someone or an application has modified the metabase property NTAuthenticationProviders. For more information about how to fix this issue, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/248350/ )Kerberos authentication fails after upgrading from IIS 4.0 to IIS 5.0
A particular area of trouble can occur when you set the SPN
Determine the server nameDetermine whether you are connecting to the Web site by using the actual NetBIOS name of the server or by using an alias name, such as a DNS name (for example, www.microsoft.com). If you are accessing the Web server by using a name other than the actual name of the server, a new Service Principal Name (SPN) must have been registered by using the Setspn tool from the Windows 2000 Server Resource Kit. Because the Active Directory directory service does not know this service name, the ticket-granting service (TGS) does not give you a ticket to authenticate the user. This behavior forces the client to use the next available authentication method, which is NTLM, to renegotiate. If the Web server is responding to a DNS name of www.microsoft.com but the server is named webserver1.development.microsoft.com, you must register www.microsoft.com in Active Directory on the server that is running running IIS. To do this, you must download the Setspn tool and install it on the server that is running IIS.
If you are using Windows Server 2003 and IIS 6, the Setspn tool for Microsoft Windows Server 2003 is available from the following location:
http://support.microsoft.com/kb/970536To determine whether you are connecting by using the actual name, try to connect to the server by using the actual name of the server instead of the DNS name. If you cannot connect to the server, see the "Verify the computer is trusted for delegation" section.
If you can connect to the server, follow these steps to set an SPN for the DNS name that you are using to connect to the server:
To view a listing of SPNs on the server to see this new value, type the following command on the server running IIS:
Registering ServicePrincipalNames for CN=webserver1,OU=Domain Controllers,DC=microsoft,DC=com HTTP/www.microsoft.com Updated object
Setspn -L webservernameNote that you do not have to register all services. Many service types, such as HTTP, W3SVC, WWW, RPC, CIFS (file access), WINS, and uninterruptible power supply (UPS), will map to a default service type that is named HOST. For example, if your client software uses an SPN of HTTP/webserver1.microsoft.com to create an HTTP connection to the Web server on the webserver1.microsoft.com server, but this SPN is not registered on the server, the Windows 2000 domain controller will automatically map the connection to HOST/webserver1.microsoft.com. This mapping applies only if the Web service is running under the local System account.
Verify that the computer is trusted for delegationIf this server running IIS is a member of the domain but is not a domain controller, the computer must be trusted for delegation for Kerberos to work correctly. To do this, follow these steps:
Delegation and Microsoft ASP.NETFor more information about the configuration for delegating credentials when you use an ASP.NET application, click the following article number to view the article in the Microsoft Knowledge Base:
810572Impersonation and delegation are two methods for a server to authenticate on the behalf of the client. Deciding which of these methods to use and their implementation can cause some confusion. You must review the difference between these two methods and examine which of these methods you may want use for your application. My recommendation would be to read the following white paper for further details:
(http://support.microsoft.com/kb/810572/ )How to configure an ASP.NET application for a delegation scenario
(http://support.microsoft.com/kb/305971/ )Windows 2000 Server prompts domain user for credentials
(http://support.microsoft.com/kb/262177/ )How to enable Kerberos event logging
(http://support.microsoft.com/kb/326985/ )How to troubleshoot Kerberos-related issues in IIS
842861As always, feel free to submit ideas on topics you want addressed in future columns or in the Knowledge Base using the Ask For It
(http://support.microsoft.com/kb/842861/ )TechNet Support WebCast: Troubleshooting Kerberos authentication with secure Web applications and Microsoft SQL Server
Contact us for more help
Connect with Answer Desk for expert help.