Kerberos Authentication for IIS 7

The Very Basics

1. Install this hotfix for Windows 2008 R2 (http://support.microsoft.com/kb/2545850) which makes Kerberos more reliable. Machine account password changes occur every ~30 days by default, so if your uptime is more than a fortnight, this might cause authentication difficulties at some point.

2. Get the SPNs right: an SPN must be registered against exactly one account, whether that is a user or a computer account. If you've registered the same SPN against more than one account, Kerberos is broken for that service. It doesn't always break authentication, because NTLM is the fallback method, but it does break delegation ('logon failed for user null or anonymous'-type errors).

Which SetSPN Should I Use?

You should always use the Windows 2008 version of SetSPN (or later), as:

  • it supports the -S switch, which refuses to create a duplicate SPN accidentally
  • it can be used to search for duplicate SPNs without resorting to LDIFDE queries and exports

Other tips:

  • Never use SetSPN -A, as incorrect use of this command will create duplicate SPNs. Duplicate SPNs are bad.
  • If you suspect you have broken Kerberos, use SETSPN -X to search the domain for groups of duplicate SPNs.
  • If you suspect your problem might be elsewhere in the forest, SETSPN -X -F will query the forest, not just the domain.

IIS 7 introduces the ApplicationPoolIdentity account type (seen also as IIS AppPool\AppPoolName). For who-owns-the-SPN purposes this is considered equivalent to the computer account.

Web Farms

If you need Kerberos and you have a load-balanced web farm, you must use a domain user account as the application pool account:
  • The SPNs must be registered against this account
    • The SPNs must be registered against only this account
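The following PowerShell script is an added example and is not part of the original wiki article. It registers the HTTP SPNs for a load-balanced farm against the domain user account that runs the application pool, using the 2008-era setspn.exe -S switch so that an existing registration on another account causes a refusal rather than a duplicate, and then runs setspn -X to audit the domain. The account name, farm host names and the regular expression used to read the -X summary line are assumptions for the example; substitute your own values.

```powershell
# Added example (not from the original wiki page). Requires the Windows 2008 or
# later setspn.exe and rights to write servicePrincipalName on the target account.

$PoolAccount = 'CONTOSO\svc-webpool'                 # assumed: domain user running the app pool
$FarmNames   = @('intranet', 'intranet.contoso.com') # assumed: the names users type in the browser

function Register-FarmSpn {
    param([string]$Account, [string[]]$HostNames)

    foreach ($name in $HostNames) {
        # -S checks the domain for an existing registration of HTTP/<name> and refuses
        # to add it if another account already owns it. -A would add blindly, which is
        # how duplicate SPNs usually get created.
        $output = & setspn.exe -S "HTTP/$name" $Account 2>&1
        Write-Host "setspn -S HTTP/$name $Account"
        $output | ForEach-Object { Write-Host "    $_" }
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "HTTP/$name was not registered; check whether another account already owns it."
        }
    }
}

function Test-DuplicateSpn {
    param([switch]$WholeForest)

    # -X lists every SPN that is registered on more than one account in the domain;
    # -X -F widens the search to the whole forest.
    $args = @('-X'); if ($WholeForest) { $args += '-F' }
    $output = & setspn.exe @args 2>&1
    $output | ForEach-Object { Write-Host "    $_" }

    # Assumed: the summary line reads "found N group(s) of duplicate SPNs."
    $summary = $output | Select-String -Pattern 'found\s+(\d+)\s+group' | Select-Object -First 1
    if ($null -eq $summary) {
        Write-Warning 'Could not find the setspn -X summary line; inspect the output above.'
        return $false
    }
    $count = [int]$summary.Matches[0].Groups[1].Value
    return ($count -eq 0)
}

Register-FarmSpn -Account $PoolAccount -HostNames $FarmNames

# Show what ended up on the account, then confirm nothing is registered twice.
& setspn.exe -L $PoolAccount

if (Test-DuplicateSpn) {
    Write-Host 'No duplicate SPNs in the domain.'
} else {
    Write-Warning 'Duplicate SPNs found: remove the copies on the wrong accounts before expecting delegation to work.'
}
```

Run this once from a domain-joined management host, not on every node of the farm: with a shared domain account the SPNs live on that single account, so registering them on each server's computer account would itself create the duplicates that -X reports.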
Things that may also cause Kerberos authentication to web servers to fail:
  • Membership in a large number of groups, which inflates the Kerberos token sent in the Authorization header:
    • HTTP.SYS registry entries must be configured for large token sizes
    • Request Filtering settings may need to be configured
    • ASP.Net security settings may also need to be configured
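The snippet below is an added example, not content from the original article, covering only the first of the three bullets above: the HTTP.SYS header limits. A user in many groups carries a large PAC in the Kerberos ticket, and the resulting Authorization header can exceed the default HTTP.SYS field size, producing 400 Bad Request before IIS ever sees the request. The two values shown, MaxFieldLength and MaxRequestBytes under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters, are real HTTP.SYS settings; the specific numbers used are the documented maximums and are chosen here as an illustration, not as a recommendation from the page. The article names no specific Request Filtering or ASP.NET settings, so none are shown.

```powershell
# Added example (not from the original wiki page). Run elevated; the new limits take
# effect after the HTTP service is restarted, which in practice means a reboot.

$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Get-HttpSysTokenLimits {
    # Reads the current header-size limits; a missing value means HTTP.SYS is using its built-in default.
    $props = Get-ItemProperty -Path $HttpParams -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MaxFieldLength  = if ($props.PSObject.Properties['MaxFieldLength'])  { $props.MaxFieldLength }  else { '(default)' }
        MaxRequestBytes = if ($props.PSObject.Properties['MaxRequestBytes']) { $props.MaxRequestBytes } else { '(default)' }
    }
}

function Set-HttpSysTokenLimits {
    param(
        [ValidateRange(64, 65534)]      [int]$MaxFieldLength  = 65534,    # largest single header, in bytes
        [ValidateRange(256, 16777216)]  [int]$MaxRequestBytes = 16777216  # request line plus all headers, in bytes
    )

    if (-not (Test-Path $HttpParams)) { New-Item -Path $HttpParams -Force | Out-Null }

    # -Force overwrites an existing value; DWord is the type HTTP.SYS expects for both entries.
    New-ItemProperty -Path $HttpParams -Name MaxFieldLength  -PropertyType DWord -Value $MaxFieldLength  -Force | Out-Null
    New-ItemProperty -Path $HttpParams -Name MaxRequestBytes -PropertyType DWord -Value $MaxRequestBytes -Force | Out-Null

    Get-HttpSysTokenLimits
}

Write-Host 'Before:'; Get-HttpSysTokenLimits | Format-List
Write-Host 'After:';  Set-HttpSysTokenLimits  | Format-List
Write-Host 'Restart the server (or the HTTP service) for HTTP.SYS to pick up the new limits.'
```

Raising these limits only lets the oversized ticket reach IIS; if the same users still fail with a 400 or a 413 after the restart, the remaining two bullets (Request Filtering and ASP.NET request limits) are the next place to look.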
Wiki - Revision Comment List

  • Richard Mueller edited Revision 5. Comment: Removed (en-US) from title
  • Patris_70 edited Revision 3. Comment: added en-US tag and title