Kerberos authentication and troubleshooting delegation issuesTo customize this column to your needs, we want to invite you to submit your ideas about topics that interest you and issues that you want to see addressed in future Knowledge Base articles and Support Voice columns. You can submit your ideas and feedback using the Ask For It form. There's also a link to the form at the bottom of this column.
http://www.microsoft.com about Kerberos and how to troubleshoot delegation issues.
IIS 6.0The following white paper describes how to set up delegation in Microsoft Windows Server 2003. The white paper has specific information for Network Load Balancing (NLB) but includes excellent detail about how to set up a delegated scenario without using NLB. To view this white paper, visit the following Microsoft Web site: Note Use HTTP Service Principal Names (SPNs) especially when you use NLB.
Another popular Kerberos issue recently has been the need to allow for multiple application pools to use the same DNS name. Unfortunately, when you use Kerberos to delegate credentials, you cannot bind the same Service Principal Name (SPN) to different application pools. You cannot do this because of the design of Kerberos. The Kerberos protocol requires multiple shared secrets for the protocol to work correctly. By using the same SPN for different application pools, we eliminate one of these shared secrets. The Active Directory directory service will not support this configuration of the Kerberos protocol because of the security issue.
Configuring the SPNs in this manner causes Kerberos authentication to fail. A possible workaround for this issue would be to use protocol transitioning. The initial authentication between the client and the Server Running IIS would be handled by using the NTLM authentication protocol. Kerberos would handle the authentication between IIS and the backend resource server.
Microsoft Internet Explorer 6 or laterThe client browser may experience issues, such as receiving repeated logon prompts for credentials or "401 Access Denied" error messages from the server running IIS. We have found the following two issues that may help resolve these issues:
- Verify that Enable Integrated Windows Authentication is selected in the browser's properties. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 299838 Unable to negotiate Kerberos authentication after upgrading to Internet Explorer 6
- If Internet Explorer Enhanced Security Configuration is enabled in Add/Remove Programs, you must add a site that uses delegation to the
Trusted sites list. For more information, click the following article number to view the article in the Microsoft Knowledge Base:815141 Internet Explorer Enhanced Security Configuration changes the browsing experience
IIS 5.0 and IIS 6.0After you upgrade from IIS 4.0 to IIS 5.0 or IIS 6.0, delegation may not function correctly, or possibly someone or an application has modified the metabase property NTAuthenticationProviders.
For more information about how to fix this issue, click the following article number to view the article in the Microsoft Knowledge Base:
A particular area of trouble can occur when you set the SPN
Determine the server nameDetermine whether you are connecting to the Web site by using the actual NetBIOS name of the server or by using an alias name, such as a DNS name (for example, www.microsoft.com). If you are accessing the Web server by using a name other than the actual name of the server, a new Service Principal Name (SPN) must have been registered by using the Setspn tool from the Windows 2000 Server Resource Kit. Because the Active Directory directory service does not know this service name, the ticket-granting service (TGS) does not give you a ticket to authenticate the user. This behavior forces the client to use the next available authentication method, which is NTLM, to renegotiate. If the Web server is responding to a DNS name of www.microsoft.com but the server is named webserver1.development.microsoft.com, you must register www.microsoft.com in Active Directory on the server that is running running IIS. To do this, you must download the Setspn tool and install it on the server that is running IIS.
If you are using Windows Server 2003 and IIS 6, the Setspn tool for Microsoft Windows Server 2003 is available from the following location:
If you can connect to the server, follow these steps to set an SPN for the DNS name that you are using to connect to the server:
- Install the Setspn tool.
- On the server running IIS, open a command prompt, and then open the C:\Program Files\Resource Kit folder.
- Run the following command to add this new SPN (www.microsoft.com) to the Active Directory for the server:Setspn -A HTTP/www.microsoft.com webserver1Note In this command, webserver1 represents the NetBIOS name of the server.
Registering ServicePrincipalNames for CN=webserver1,OU=Domain Controllers,DC=microsoft,DC=comTo view a listing of SPNs on the server to see this new value, type the following command on the server running IIS:
Verify that the computer is trusted for delegationIf this server running IIS is a member of the domain but is not a domain controller, the computer must be trusted for delegation for Kerberos to work correctly. To do this, follow these steps:
- On the domain controller, click Start, point to Settings, and then click Control Panel.
- In Control Panel, open Administrative Tools.
- Double-click Active Directory Users and Computers.
- Under your domain, click Computers.
- In the list, locate the server running IIS, right-click the server name, and then click Properties.
- Click the General tab, click to select the
Trusted for delegation check box, and then click
Delegation and Microsoft ASP.NETFor more information about the configuration for delegating credentials when you use an ASP.NET application, click the following article number to view the article in the Microsoft Knowledge Base:
Ask For It form.
Article ID: 907272 - Last Review: Sep 12, 2012 - Revision: 1