Addendum: Making the DelegConfig website work on IIS 7

Addendum: Making the DelegConfig website work on IIS 7

  • Comments 1
  • Likes

Hi All Rob here again. I thought I would take the time today and expand upon the Kerberos Delegation website blog to show how you can use the web site on IIS 7. Actually, Ned beat me up pretty badly for not showing how to set the site up on IIS 7 [I sure did. Rob’s revenge was to make a blog post so editorially complex that it took me forever to format and publish – Ned].

First thing, I am not going to go over the entire setup to get it working. All the Kerberos delegation steps are exactly the same. However if you have looked at IIS7 the interface is totally different from previous versions.

Installing IIS

1. Launch Server Manager and select Roles in the tree view.
2. Next click on the Add Roles link in the right hand pane.

image

Figure 1 - Adding Roles

You will get the Select Server Roles dialog as shown below.

3. You need to click on Web Server and immediately you will get another dialog box for the Additional Features that need to be installed for the Web Server to function.
4. Click on the Add Additional Features button and click Next.

image

Figure 2 - Adding Web Server Role

You will then be shown another dialog box to select Role Services.

5. You need to make sure that you select ASP.NET. You will again be prompted for additional required Features and click on the Add Required Features button.

image

Figure 3- Selecting ASP.Net Role Services

NOTE: You will also need to add the Authentication methods you want the IIS server to support. For demonstration purposes we are only adding Windows Authentication, and Basic Authentication.

image

Figure 4 - Authentication Modes

6. Once you have selected all the Role Services, click next.
7. Just prior to the installation of the Web Server role you are given a screen that lists the role services you are about to install.

image

Figure 5 - Confirming Role Services

8. Then click the Finish button.

So the IIS 7 interface is totally different than previous versions of the IIS MMC snapin. IIS7 can also do authentication in Kernel mode now which was not possible in previous IIS versions.

Installing the web application

1. Launch the Internet Information Server (IIS) Manager snapin.
2. Expand the tree view and high light the web site.
3. Right click on the web site (in the figure below we used Default Web Site), and select Add Application.

image

Figure 6 - Adding Web Application

4. Type in the Alias name you want to use for the application, and the file path to the application directory for the web site.
5. Make sure that you are using the Classic .NET AppPool for the application pool to be used for the web application.

image

Figure 7 - Configuring Web Application Settings

6. After you have added the web application, you want to select the application directory.
7. Select Authentication as shown in the figure below.

image

Figure 8- DeleConfig Authentication settings

8. Double click on Authentication.
9. Highlight Windows Authentication, and then right click and select Enable. If you want to support other authentication methods you can enable those and disable other authentication methods you do not want to support.
10. Now highlight Anonymous Authentication, and then right click and select Disable.

image

Figure 9 - Enabling Windows Authentication

Now that we have installed IIS and the application you need to decide what account will be used for the Application Pool Identity. I have found that the configuration is drastically different based on the account used. If you use Network Service you configure the system one way, and if you use a domain based account you need to configure the system another way.

I will cover both methods. For the most part the simple configuration is to use Network Service as the Application Pool Identity and can be used most of the time except in cases where you have multiple web servers in a load balance configuration.

Configuring Network Service as the AppPool Identity

1. In the Internet Information Service (IIS) Manager snapin select Application Pools in the tree view.

image

Figure 10 - Verifying AppPool Identity

2. Verify that the Identity being used is NetworkService.
3. Next navigate to the web application. In my lab it is the DelegConfig application.
4. Double click on Authentication while you have the web application node selected in the tree view.

image

Figure 11 - Web Application Authentication mode

5. Make sure that Windows Authentication is enabled. This should have already been done under installing the web application.
6. Right click on Windows Authentication and select Advanced Settings…

image

Figure 12 - Advanced Settings

7. In the Advanced Settings… dialog box you want to make sure that Enable Kernel-mode authentication is checked.

image

Figure 13 - Enable Kernel-mode Authentication

8. After this all the normal things need to be done in the domain to support Kerberos delegation.
9. Then reboot the server.
10. Test the application and it should work.

Configuring a domain based user account as the AppPool Identity

1. In the Internet Information Service (IIS) Manager snapin select Application Pools in the tree view.

image

Figure 14 - Verifying AppPool Identity

2. Verify that the Identity being used is the domain based account you want.
3. If it is not, then right click on the Classic .NET AppPool application pool and select Set Application Pool Defaults…

image

Figure 15 - Setting the Application Pool Defaults

4. You will get the dialog box like the one listed below. Change the Identity being used as highlighted.

image

Figure 16 - Application Pool Defaults

5. Select Custom account and click on the Set button.

image

Figure 17 - Setting custom account identity

6. You will have to type in the domain name and user account that will be used and the password will need to be entered twice.

image

Figure 14 - Typing in the credentials

7. Click the OK button on the Set Credentials dialog box.
8. Click the OK button on the Application Pool Identity dialog box.
9. Click the OK button on the Application Pool Defaults dialog box.
10. Next navigate to the web application. In my lab it is the DelegConfig application.
11. Double click on Authentication while you have the web application node selected in the tree view.

image

Figure 19 - Web Application Authentication mode

12. Make sure that Windows Authentication is enabled. This should have already been done under installing the web application section.
13. Right click on Windows Authentication and select Advanced Settings…

image

Figure 20 - Windows Authentication Advanced Settings

14. In the Advanced Settings… dialog box you want to make sure that Enable Kernel-mode authentication is unchecked.

image

Figure 21 - Disable Kernel-mode authentication

15. You need to add the application pool identity account to the following local computer groups: Administrators, and IIS_IUSRS.

image

Figure 22 - Add the account to the proper groups

16. After this all the normal things need to be done in the domain to support Kerberos delegation.
17. Then reboot the server.
18. Test the application and it should work.

Notes

If you need to understand how to setup the delegation please visit my previous blog about the website located here. There you will see how to add / delete service principal names (SPN), as well as how to configure delegation within Active Directory Users and Computers (ADUC).

I hope that you have found the blog helpful in getting your first IIS7 server configured to use the DelegConfig website and get your feet wet on how to configure IIS7 to support Kerberos authentication.

- Rob ‘ScreenShot’ Greene

  • Hi all, Ned here again. Our compadre Brian Murphy-Booth has released the newest version of the Kerberos