Microsoft's official enterprise support blog for AD DS and more
Hi all, Rob here again. I thought I would take the time today to expand upon the Kerberos Delegation website blog and show how you can use the web site on IIS 7. Actually, Ned beat me up pretty badly for not showing how to set the site up on IIS 7 [I sure did. Rob’s revenge was to make a blog post so editorially complex that it took me forever to format and publish – Ned].
First thing, I am not going to go over the entire setup to get it working. All the Kerberos delegation steps are exactly the same. However, if you have looked at IIS 7, the interface is totally different from previous versions.
1. Launch Server Manager and select Roles in the tree view.
2. Next, click on the Add Roles link in the right-hand pane.
Figure 1 - Adding Roles
You will get the Select Server Roles dialog as shown below.
3. Click on Web Server; you will immediately get another dialog box for the Additional Features that need to be installed for the Web Server to function.
4. Click on the Add Additional Features button and click Next.
Figure 2 - Adding Web Server Role
You will then be shown another dialog box to select Role Services.
5. Make sure that you select ASP.NET. You will again be prompted for additional required features; click on the Add Required Features button.
Figure 3 - Selecting ASP.NET Role Services
NOTE: You will also need to add the authentication methods you want the IIS server to support. For demonstration purposes we are only adding Windows Authentication and Basic Authentication.
Figure 4 - Authentication Modes
6. Once you have selected all the Role Services, click Next.
7. Just prior to the installation of the Web Server role you are shown a screen that lists the role services you are about to install.
Figure 5 - Confirming Role Services
8. Then click the Finish button.
So the IIS 7 interface is totally different from previous versions of the IIS MMC snap-in. IIS 7 can also do authentication in kernel mode now, which was not possible in previous IIS versions.
1. Launch the Internet Information Server (IIS) Manager snap-in.
2. Expand the tree view and highlight the web site.
3. Right-click on the web site (in the figure below we used Default Web Site), and select Add Application.
Figure 6 - Adding Web Application
4. Type in the Alias name you want to use for the application, and the file path to the application directory for the web site.
5. Make sure that you are using the Classic .NET AppPool as the application pool for the web application.
Figure 7 - Configuring Web Application Settings
6. After you have added the web application, select the application directory.
7. Select Authentication as shown in the figure below.
Figure 8 - DelegConfig Authentication settings
8. Double-click on Authentication.
9. Highlight Windows Authentication, then right-click and select Enable. If you want to support other authentication methods you can enable those, and disable any authentication methods you do not want to support.
10. Now highlight Anonymous Authentication, then right-click and select Disable.
Figure 9 - Enabling Windows Authentication
Now that we have installed IIS and the application, you need to decide what account will be used for the Application Pool Identity. I have found that the configuration is drastically different depending on the account used: if you use Network Service you configure the system one way, and if you use a domain-based account you need to configure the system another way.
I will cover both methods. For the most part the simpler configuration is to use Network Service as the Application Pool Identity; it can be used most of the time, except in cases where you have multiple web servers in a load-balanced configuration.
1. In the Internet Information Service (IIS) Manager snapin select Application Pools in the tree view.
Figure 10 - Verifying AppPool Identity
2. Verify that the Identity being used is NetworkService.
3. Next, navigate to the web application. In my lab it is the DelegConfig application.
4. Double-click on Authentication while you have the web application node selected in the tree view.
Figure 11 - Web Application Authentication mode
5. Make sure that Windows Authentication is enabled. This should have already been done under installing the web application.
6. Right-click on Windows Authentication and select Advanced Settings…
Figure 12 - Advanced Settings
7. In the Advanced Settings… dialog box you want to make sure that Enable Kernel-mode authentication is checked.
Figure 13 - Enable Kernel-mode Authentication
8. After this, all the normal things need to be done in the domain to support Kerberos delegation.
9. Then reboot the server.
10. Test the application and it should work.
1. In the Internet Information Service (IIS) Manager snap-in, select Application Pools in the tree view.
Figure 14 - Verifying AppPool Identity
2. Verify that the Identity being used is the domain-based account you want.
3. If it is not, right-click on the Classic .NET AppPool application pool and select Set Application Pool Defaults…
Figure 15 - Setting the Application Pool Defaults
4. You will get a dialog box like the one shown below. Change the Identity as highlighted.
Figure 16 - Application Pool Defaults
5. Select Custom account and click on the Set button.
Figure 17 - Setting custom account identity
6. Type in the domain name and user account that will be used, and enter the password twice.
Figure 18 - Typing in the credentials
7. Click the OK button on the Set Credentials dialog box.
8. Click the OK button on the Application Pool Identity dialog box.
9. Click the OK button on the Application Pool Defaults dialog box.
10. Next, navigate to the web application. In my lab it is the DelegConfig application.
11. Double-click on Authentication while you have the web application node selected in the tree view.
Figure 19 - Web Application Authentication mode
12. Make sure that Windows Authentication is enabled. This should have already been done under the installing the web application section.
13. Right-click on Windows Authentication and select Advanced Settings…
Figure 20 - Windows Authentication Advanced Settings
14. In the Advanced Settings… dialog box you want to make sure that Enable Kernel-mode authentication is unchecked.
Figure 21 - Disable Kernel-mode authentication
15. Add the application pool identity account to the following local computer groups: Administrators and IIS_IUSRS.
Figure 22 - Add the account to the proper groups
16. After this, all the normal things need to be done in the domain to support Kerberos delegation.
17. Then reboot the server.
18. Test the application and it should work.
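The two identity procedures above (Network Service with Kernel-mode authentication checked, domain account with it unchecked) as a single script, using IIS 7's appcmd.exe instead of the GUI; this is an added example, not code from the original post. It assumes the site and alias names, physical path and placeholder account shown in the comments, and an elevated PowerShell prompt on the IIS server.

```powershell
# Added example, not from the original post: a scripted version of the two
# application-pool procedures above, using IIS 7's appcmd.exe instead of the GUI.
# Assumed (not in the post): site "Default Web Site", alias "DelegConfig" under
# C:\inetpub\DelegConfig, and the placeholder account CONTOSO\svc_delegconfig.
param(
    [ValidateSet('NetworkService', 'DomainAccount')] [string]$Mode = 'NetworkService',
    [string]$DomainUser = 'CONTOSO\svc_delegconfig',          # placeholder, assumed
    [System.Security.SecureString]$DomainPassword,             # prompted for if omitted
    [string]$Site = 'Default Web Site',
    [string]$Alias = 'DelegConfig',
    [string]$PhysicalPath = 'C:\inetpub\DelegConfig'
)
$appcmd  = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$appPath = "$Site/$Alias"
$pool    = 'Classic .NET AppPool'
$auth    = 'system.webServer/security/authentication'

# Steps 4-5 (web application): create the app (errors if it already exists) in the Classic .NET AppPool.
& $appcmd add app "/site.name:$Site" "/path:/$Alias" "/physicalPath:$PhysicalPath"
& $appcmd set app "$appPath" "/applicationPool:$pool"

# Steps 8-10 (web application): Windows Authentication on, Anonymous off, for this application only.
& $appcmd set config "$appPath" "/section:$auth/windowsAuthentication"   /enabled:true  /commit:apphost
& $appcmd set config "$appPath" "/section:$auth/anonymousAuthentication" /enabled:false /commit:apphost

if ($Mode -eq 'NetworkService') {
    # Network Service identity (Figures 10-13): Kernel-mode authentication stays checked.
    & $appcmd set apppool "$pool" /processModel.identityType:NetworkService
    $kernelMode = 'true'
} else {
    # Domain identity (Figures 14-22): set directly on the pool rather than via Application Pool
    # Defaults; Kernel-mode authentication is unchecked and the account joins the groups in step 15.
    if (-not $DomainPassword) { $DomainPassword = Read-Host -AsSecureString "Password for $DomainUser" }
    $bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($DomainPassword)
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    & $appcmd set apppool "$pool" /processModel.identityType:SpecificUser `
        "/processModel.userName:$DomainUser" "/processModel.password:$plain"
    foreach ($group in 'Administrators', 'IIS_IUSRS') { net localgroup $group $DomainUser /add }
    $kernelMode = 'false'
}
& $appcmd set config "$appPath" "/section:$auth/windowsAuthentication" "/useKernelMode:$kernelMode" /commit:apphost

# Read back what IIS stored: the scripted equivalent of reopening Advanced Settings (Figures 13 and 21).
& $appcmd list config "$appPath" "/section:$auth/windowsAuthentication"
& $appcmd list apppool "$pool" /text:processModel.identityType
```

The SPN and delegation steps in Active Directory are still done separately, exactly as the post says.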
If you need to understand how to set up the delegation, please visit my previous blog post about the website, located here. There you will see how to add / delete service principal names (SPNs), as well as how to configure delegation within Active Directory Users and Computers (ADUC).
I hope that you have found this post helpful in getting your first IIS 7 server configured to use the DelegConfig website, and in getting your feet wet on how to configure IIS 7 to support Kerberos authentication.
- Rob ‘ScreenShot’ Greene
Hi all, Ned here again. Our compadre Brian Murphy-Booth has released the newest version of the Kerberos