Microsoft's official enterprise support blog for AD DS and more
Hi, Rob here. First I want to thank you guys for reading and participating in our blogging efforts. I had one of you e-mail us and ask about the web site I used in the Kerberos Authentication Troubleshooting blogs and if they could get a copy of it.
The web site was created by our IIS support counterparts and it turns out it was released to the web as DelegConfig. Brian Murphy-Booth has a blog about the web site here. We at AskDS do not support the DelegConfig web site, so if you have questions or comments about it leave your feedback at that blog location.
With this web site you can test Kerberos double hop configurations and the newer delegation types of constrained delegation and constrained delegation with protocol transition from IIS to the following services: SQL, File Server, OLAP Server, or another web server. The reason why this documentation exists is to help customers configure Kerberos delegation to become familiar with all the tasks involved to configure the environment correctly.
NOTE: Review Setup and Known issues.txt from the DelegConfig.zip file for proper ASP.NET version to be installed on the IIS Server.
For more information on this topic as it relates to IIS you can review the below web site location:
Configuring Constrained Delegation for Kerberos (IIS 6.0)http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/df979570-81f6-4586-83c6-676bb005b13e.mspx?mfr=true
So that this blog is not too long (yeah, I know I am not known for short blogs) we are only going to show you how to configure the SQL server as the backend and how to test it since this is the most common situation where Kerberos delegation is configured. Keep in mind that for learning how Kerberos multi-hop works you do not need to install the full version of SQL. You can use SQL Express, and it can be installed on any operating system.
Registering a Service Principal Name http://technet.microsoft.com/en-us/library/ms191153.aspx
Kerberos Authentication and SQL Server http://technet.microsoft.com/en-us/library/cc280744.aspx
The SQL Server Service can run under basically two types of accounts.
The web site can verify either of these configurations, but there are different steps that need to be followed dependent on which configuration the SQL Server Service is running under. Of course, with all these configurations it is very important that we have the correct SPNs registered to the correct computer or user account.
I hope that you have been able to learn some new things. All the steps outlined here need to be done when configuring Kerberos delegation and this site will definitely help engineers to understand how Kerberos delegation works.
Have fun learning and testing all the different configurations that are possible with this application!
- Rob Greene
I have a question and it feels like I already know what the answer is, but would just like to get the confirmation from the experts.
We have 2 Forests with a full 2 way transitive trust.
The catch is that we have a 2000 DC in the parent domain which means that we need to keep the functional levels at 2000 Native.
My question is: Is it possible to have Kerberos working and credentials successfully delegated when I log in from the foreign domain on the parent domain where the WebApplication's AppPool is running as a user from the parent domain. This WebApplication connects to a 3rd party application where the user is being impersonated.
Everything works fine from the parent domain when a user connects to the site, but as soon as a user is connecting from the foreign domain the credentials are not successfully delegated.
Your help will be greatly appreciated.
So the answer is no. In order for you to leverage Kerberos delegation across a Forest a Forest Trust MUST be created between the two forests.
In order for you to create a forest trust both forests MUST be at Windows Server 2003 Forest Functional Level. So you would need to upgrade / demote all of your Windows 2000 domain controllers before you attempt to change the forest functional level.
Once that is done, you can dissolve the current External Trust(s) and create a new forest trust and then you will be able to support Kerberos authentication across the forest.
Just as an FYI, I do plan on writing a blog about supported configurations with Kerberos authentication across different trust configurations.
I hope this helps. FYI, this is typically a great opportunity for AD Admins to get those last 2000 domain controllers upgraded to 2003/2008 because of the need for the application functionality.
Is it possible to have multiple IIS 6.0 pools with different custom identities and use Kerberos Authentication?
If this requires setting up multiple web sites on the same web server, is there a way to register SPNs for each of these sites?
What an excellent question mmaksimenko!
Let's see if I can explain this without pictures :D.
So the answer is yes, it can be done, although most customers do not like the answer!
However, for this to work, each application pool would need to support a website listening on a different port or IP Address.
If you are going to go the PORT route, then you will need to do the following:
All your IE clients will either need the hotfix (if running IE6) and the registry key enabled (IE6 & IE7 need the registry key) in the below KB:
908209 Internet Explorer 6 cannot use the Kerberos authentication protocol to connect to a Web site that uses a non-standard port in Windows XP and in Windows Server 2003
Then you would add an SPN to the Web Application Pool account. For my example it is going to be computer name of Server1.contoso.com and IIS is listening on port 8080.
SetSPN -A http/server1.contoso.com:8080 CONTOSO\IISKerbSvc
SetSPN -A http/server1:8080 CONTOSO\IISKerbSvc
As you notice in the example, I added the port number to the SPN. IE by default will not append the port number to the Service Principal Name in the TGS request, which is why the hotfix / registry keys from the above KB article are needed.
If you decide to use multiple IP Address, you will need to add DNS A (HOST) records in DNS to reference the IP Addresses you are going to use.
I will warn you, if you plan on using a CNAME Record IE has another problem with this. Again there is a hotfix (for IE6) and registry key (IE6 & IE7) that need to be implemented. See the below KB article:
911149 Error message in Internet Explorer when you try to access a Web site that requires Kerberos authentication on a Windows XP-based computer: "HTTP Error 401 - Unauthorized: Access is denied due to invalid credentials"
After that, you will need to add the correct SPN to the correct web application pool account.
NOTE: If you have XP SP3 installed and using IE6 then you will just need the registry key in place, because the hotfix is in the Service Pack.
I hope that this helps.
Have fun using Kerberos Delegation!
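To make the SPN rules in this answer (and the "correct SPN on the correct account" point in the post) concrete, here is an added example that is not part of the post or the DelegConfig tool: it audits `setspn -L` output, builds the SPNs each app-pool account needs for its site bindings (including the `:port` form shown above for non-standard ports) and flags any SPN registered on more than one account, which is a classic cause of Kerberos falling back to NTLM or failing. The `setspn` output text, the second pool account and the computer account's entries are constructed sample data.

```python
"""Audit IIS app-pool SPNs against `setspn -L` output (added example, constructed data)."""
from collections import defaultdict

# Constructed sample: what `setspn -L <account>` prints for three accounts.
# CONTOSO\IISKerbSvc and port 8080 come from the post; the rest is illustrative.
SETSPN_OUTPUT = {
    "CONTOSO\\IISKerbSvc": """Registered ServicePrincipalNames for CN=IISKerbSvc,OU=Svc,DC=contoso,DC=com:
        http/server1.contoso.com:8080
        http/server1:8080
""",
    "CONTOSO\\IISPool2Svc": """Registered ServicePrincipalNames for CN=IISPool2Svc,OU=Svc,DC=contoso,DC=com:
        http/server1.contoso.com:8081
        http/server1.contoso.com
""",
    "CONTOSO\\SERVER1$": """Registered ServicePrincipalNames for CN=SERVER1,CN=Computers,DC=contoso,DC=com:
        HOST/server1.contoso.com
        HOST/SERVER1
        http/server1.contoso.com
""",
}

def parse_setspn(text):
    """Return the SPNs listed after the header line, lower-cased (SPN matching is case-insensitive)."""
    return {line.strip().lower() for line in text.splitlines()[1:] if line.strip()}

def expected_http_spns(fqdn, port):
    """SPNs an IIS app pool needs for one binding: FQDN and short name, with :port unless it is 80."""
    short = fqdn.split(".")[0]
    suffix = "" if port == 80 else f":{port}"
    return {f"http/{fqdn}{suffix}", f"http/{short}{suffix}"}

def audit(bindings, setspn_output):
    """bindings: {account: [(fqdn, port), ...]}. Returns (missing_by_account, duplicates_by_spn)."""
    registered = {acct: parse_setspn(out) for acct, out in setspn_output.items()}
    missing = {}
    for acct, sites in bindings.items():
        want = set().union(*(expected_http_spns(f, p) for f, p in sites))
        gap = want - registered.get(acct, set())
        if gap:
            missing[acct] = sorted(gap)
    # An SPN held by two accounts is ambiguous: the KDC cannot pick one, so Kerberos breaks.
    owners = defaultdict(set)
    for acct, spns in registered.items():
        for spn in spns:
            owners[spn].add(acct)
    duplicates = {spn: sorted(a) for spn, a in owners.items() if len(a) > 1}
    return missing, duplicates

if __name__ == "__main__":
    pools = {"CONTOSO\\IISKerbSvc": [("server1.contoso.com", 8080)],
             "CONTOSO\\IISPool2Svc": [("server1.contoso.com", 8081)]}
    print(audit(pools, SETSPN_OUTPUT))
```

With the sample data the audit reports the short-name SPN missing for the second pool and `http/server1.contoso.com` registered on both that pool's account and the computer account.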
I have a ASP.NET web service running on port 8800 and have to access it from C# console application.
If I try to use Kerberos authentication (/w3svc/NTAuthenticationProviders set to "Negotiate,NTLM"), it fails with error: "The request failed with HTTP status 401: Unauthorized".
On the other hand, if NTLM authentication is used (/w3svc/NTAuthenticationProviders set to "NTLM"), I have access, but in that case I can't use Kerberos delegation.
Is it in some way connected with KB908209 - same problems that IE has when connecting to non-standard port?
Well, I would really have to say maybe.
I say maybe because I am not that familiar with .NET coding and what real DLL is being used to make a connection to the web service when all the .NET code is being invoked (it could be WinInet or WinHTTP being used at the client side).
I would say try it, and see if that does resolve the issue.
I will tell you about something else that I have run into with .NET: you may actually have to pass the server name with the port number when you do your authentication call, because when .NET passes the authentication call down to the OS it does not tack on the port number to the Kerberos authentication request.
Sorry I could not be of more help in this situation... But if neither of these resolve your issue, please feel free to open up a case with our Developer Support group.
I am trying to set up delegation and I am new to it. I tried to follow your blog. The differences are I am on IIS7 and for the website instead of a service account I am running it under Network Service.
Following are the symptoms. I have a test site that tries to get data from the sql server. This test site is a very simplified version of the full application. Full application is 3 tier web app -> WCF -> SQL 2005
I am trying to take baby steps in setting this up, hence the test site.
When I run the test site on the web server and try to retrieve data from SQL server, it works and it should because I believe that is just 1 hop. The site is deployed on that server and I am logged into the server.
But when I try to access that site from outside the server I get "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'"
I follow the security logs and on the web server I see Kerberos authentication, but on the SQL box it comes in as Anonymous Logon, hence the expected error: if it comes in as anonymous then it will give me that error.
My setup has SQL Server running on a service account. There is an SPN registered for MSSQLSvc. So I add that service in my delegation setting.
I go to the SQL Server account and add the http service for my web server, where the SPN is HOST/servername.
My site is windows authenticated, anonymous turned off and impersonation turned on.
There is another interesting symptom, if I bind my IIS site to hostname (DNS entry) and IP it stops working locally as well.
I am stuck in a jam. Any help from you is greatly appreciated.
So the first thing is if you are using IIS7 I would recommend that you use this blog to play with the delegation website on IIS7.
I have a feeling that the first set of problems / hurdles you are going to need to figure out is whether Kernel mode authentication is causing your issue or not. Keep in mind that you might have to modify the web.config or applicationhost.config file for the application and add the useAppPoolCredentials="true" setting under Windows Authentication if you want to use Kernel mode authentication.
I see that you did not reference what type of Kerberos delegation you are using? Constrained or unconstrained.
The best pointer I can give you when setting up delegation get it working with unconstrained delegation first. Since this is the easiest to troubleshoot. Once you know that the application works with unconstrained you can try to get it working with constrained delegation.
To be honest with you, your delegation scenario is too complicated to attempt to help you via the comments section on this blog. I would strongly recommend that you create a case with us here at Microsoft to help get this resolved for you.
Thank you for a prompt reply. I have tried your blog and unfortunately I can't test it. I have a new issue with my sites. My Windows authentication has decided to stop working in IE. It works fine in Firefox.
But my IE keeps asking for credentials over and over again (3 times) and gives me a not Authorized 401 error for invalid username and password.
I tried to revert back to what I had which was working but IE won't cooperate. I tried to revert back further with no delegation and yet again IE won't cooperate. I see in my audit logs Audit Failure events that get logged on each try, and the username and domain are blank.
I have searched and found out that people were having similar issues but I don't know the reason why it would work before and wouldn't work now. My same application build works on a different (UAT) server.
How can I open a case with Microsoft to help me with this? I have a premium subscription with Microsoft.
Can you help me open up a case... and in your experience do you know about the response time on a case.
I am not sure what a premium subscription you are talking about. Are you saying Premier support contract?
If you do not have a Premier support contract then you can use this website to get your local access number to open a case: