This document describes how to set up a custom identity for an IIS application pool so that the Service Principal Names (SPNs) registered to that identity can be used for Integrated Windows Authentication (Kerberos).

Prerequisites

  • Active Directory (AD)
  • SecureAuth server (it must be joined to the domain)


AD side settings

SPNs need to be assigned to the user account that will run the IIS application pool(s).

  1. Create the user account that will be used for the IIS application pool.
  2. Assign the HTTP and HOST Service Principal Names (SPNs) to the created user. You can do this in any of the following ways:
    • Use this command (repeat it for the HOST SPN):
      Setspn  -a HTTP/FQDNofSecureauthserver  UserAccountName
    • Use ADSIEdit.exe to assign the SPNs.
    • In Active Directory, open the user's profile > Attribute Editor and assign the SPNs there (i.e. HTTP/UserAccountName).

    SPNs already assigned to an account can be listed with the following command:
      Setspn.exe  -L  UserAccountName


SecureAuth server side settings

Add the newly created account to the local Administrators group. On the SecureAuth side, some local GPO policy settings also need to be set for the created user account.

  1. Open Group Policy Object Editor (gpedit.msc).
  2. Click Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
  3. Add the user name (for example, domain\useraccountname) to each of the following Local Policy settings:
    • Log on as a batch job.
    • Log on as a service.
    • Replace a process level token.
    • Adjust memory quotas for a process.
  4. Open IIS Manager and do the following:
    1. Click Application Pools.
    2. Select the pool that will use the custom identity's SPN for Kerberos authentication.
    3. Click Advanced Settings.
    4. Under Process Model, click the Identity section, and then select the Custom Account option.
    5. Enter the user account name (i.e. domain\username) and password.
    6. Click OK.
  5. Enable IWA authentication for the SecureAuth realm that will use Integrated Windows Authentication (IWA).
  6. Enable Anonymous Authentication for the SecureAuth realm that will use IWA.
  7. Test it out.
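A verification script for the configuration above, added here as an example and not part of the original article or of SecureAuth's own tooling. It checks that the pool runs as the custom account, that the HTTP and HOST SPNs for the server FQDN are registered on that account (and not duplicated elsewhere), and that kernel-mode Windows authentication is set to use the pool's credentials, since a custom pool identity cannot decrypt Kerberos tickets otherwise. The pool name, account and site name are assumed placeholders; it needs the WebAdministration module, setspn.exe and an elevated prompt.

```powershell
# Added verification script (not from the original article). Assumed values:
param(
    [string]$AppPool    = 'SecureAuthAppPool',        # assumed pool name
    [string]$Account    = 'DOMAIN\svc_iis_kerberos',  # assumed custom identity
    [string]$Site       = 'Default Web Site',         # assumed site hosting the realm
    [string]$ServerFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)
Import-Module WebAdministration

# 1. The pool must run as the custom account, not a built-in identity.
$pm = Get-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel
if ($pm.identityType -ne 'SpecificUser' -or $pm.userName -ne $Account) {
    Write-Warning "$AppPool runs as '$($pm.identityType)' / '$($pm.userName)'; expected SpecificUser / $Account"
} else {
    Write-Host "OK: $AppPool runs as $Account"
}

# 2. HTTP and HOST SPNs for the server FQDN must be registered on that account.
#    A missing SPN makes clients fall back to NTLM; a duplicated SPN breaks Kerberos.
$sam  = $Account.Split('\')[-1]           # setspn -L takes the sAMAccountName
$spns = setspn -L $sam
foreach ($svc in 'HTTP', 'HOST') {
    $wanted = "$svc/$ServerFqdn"
    if ($spns -match [regex]::Escape($wanted)) { Write-Host "OK: $wanted is on $sam" }
    else { Write-Warning "$wanted is not registered on $sam" }
}
# Forest-wide duplicate check; any line naming this host points at a conflicting account.
setspn -X | Where-Object { $_ -match [regex]::Escape($ServerFqdn) }

# 3. With kernel-mode auth enabled, useAppPoolCredentials must be true so the
#    ticket is decrypted with the custom account's key rather than the machine's.
$auth = Get-WebConfiguration `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -PSPath "IIS:\Sites\$Site"
if ($auth.enabled -and $auth.useKernelMode -and -not $auth.useAppPoolCredentials) {
    Write-Warning "windowsAuthentication on '$Site' uses kernel mode without useAppPoolCredentials"
} elseif (-not $auth.enabled) {
    Write-Warning "windowsAuthentication is disabled on '$Site'"
} else {
    Write-Host "OK: windowsAuthentication on '$Site' is usable with the custom pool identity"
}
```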

2 Comments

  1. If you get the following error message "An external error has occurred" while changing the "user rights assignment", please see this Microsoft KB: http://support.microsoft.com/kb/2411938

  2. Please add the following to the web.config of the realm configured for IWA if the above steps do not work:

     <security>
       <authentication>
         <anonymousAuthentication enabled="false" />
         <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
           <providers>
             <clear />
             <add value="Negotiate" />
             <add value="NTLM" />
           </providers>
         </windowsAuthentication>
       </authentication>
     </security>