Configure a Custom Identity's SPN to Leverage IWA Auth

This document describes the steps to set up a custom identity for an IIS application pool to leverage Service Principal Names (SPNs) to be used for Integrated Windows Authentication (Kerberos).

Prerequisites

  • Active Directory (AD)

  • SecureAuth server (it must be joined to domain)

AD side settings

SPNs need to be assigned to the username that will be used for IIS Application pool(s).

  1. Create the user name that will be used for the IIS application pool

  2. Assign HTTP, HOST Service Principal Names (SPN) for the created user. You can do this in any of the following ways:

    • Use this command:

      Setspn -a HTTP/FQDNofSecureauthserver UserAccountName

    • SPNs that are assigned for an account can be listed by the following command:

      Setspn.exe -L UserAccountName

    • Use ADSIEdit.exe to assign the SPNs

    • In Active Directory, use username profile > Attribute Editor to assign the SPNs

      For example, HTTP/UserAccountName, HTTP/UserAccountName

SecureAuth server side settings

Add the newly created account into the local administrators group. On SecureAuth side some of the local GPO policy settings need to be set for the created username.

  1. Open Group Policy Object Editor (gpedit.msc).

  2. Click Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

  3. Add the user name to these Local Policy settings (for example, domain\useraccountname) in any of the following ways:

    • Log on as a batch job.

    • Log on as a service.

    • Replace a process level token.

    • Adjust memory quotes for a process.

  4. Open IIS Manager and do the following:

    1. Click Application Pools.

    2. Select the pool that will use the custom identity’s SPN for Kerberos authentication.

    3. Click Advanced Settings.

    4. Under Process Model, click the Identity section, and then select the Custom Account option.

    5. Enter the useraccountname (i.e. domain\username) and password.

    6. Click OK.

    7. Enable IWA authentication for the SecureAuth realm that will use Integrated Windows Authentication (IWA).

    8. Enable Anonymous Authentication for the SecureAuth realm that will use IWA.

    9. Test it out.