Configure Kerberos Authentication Using Delegation in IIS 7 with Windows Server 2008

Situation:

I have a .NET asmx web service deployed to my web server. This service calls the service on another server (our SharePoint server, if necessary). I want to impersonate / delegate a call to a SharePoint service from my web service using client credentials.

Problem:

I get a 401 response from the SharePoint service when I call MY web service and it calls SharePoint.

Setup:

  • IIS 7 is running on my web server. The application pool runs under "Network Service".
  • On my Windows Server 2003 domain controller, the web server's computer account has the option "Trust this computer for delegation (Kerberos only)" enabled.
  • In IIS, my application has anonymous authentication disabled, and ASP.NET impersonation and Windows authentication enabled. All three providers are included (Negotiate:Kerberos, Negotiate, and NTLM).
  • The SharePoint server is configured with anonymous authentication enabled, and ASP.NET impersonation and Windows authentication enabled with the NTLM provider ONLY.

In the SharePoint logs, I see that when I start it locally in Visual Studio, the username comes through (and the service works correctly), but when I run it on the web server, the username is not in the log file and I get error 401.

What am I doing wrong to delegate Kerberos?

Ideas? Thanks!

+4
3 answers

Platform:

Using IIS7, this is what I did on BOTH servers: the first server, and the second one that we want the Kerberos authentication to "move" to.

Step 1:

For the IIS site that hosts the services you invoke (on each server), go to IIS Manager, click the site on the left in the Connections section, and open the Authentication item in the IIS section. Set ASP.NET Impersonation to Enabled and Windows Authentication to Enabled. All other entries in the Authentication section (Anonymous, Forms, etc.) must be set to Disabled.

In the "Windows Authentication" entry, right-click and select "Providers". Set the only provider to be Negotiate:Kerberos (this forces Kerberos. If you want, after you get Kerberos working, you can use the Negotiate and NTLM providers and remove Negotiate:Kerberos so that clients that can't do Kerberos can still connect. Note: I currently have mine set to "Negotiate" and "NTLM" and it seems to work.)

In the Windows Authentication entry, right-click and select Advanced Settings. Uncheck "Enable Kernel-mode authentication". (My "Extended Protection" option is Off; I haven't tried anything else.)

Step 2:

For each server you must set the SPNs. The SPNs would be the following (either A or B):

A:

If your application pool is running under an IDENTITY that is a DOMAIN ACCOUNT, add the following SPNs to that domain account on the domain controller:

 http/COMPUTER_NETBIOS_NAME
 http/COMPUTER_NETBIOS_NAME.FULLY_QUALIFIED_DOMAIN_NAME
 http://COMPUTER_NETBIOS_NAME.FULLY_QUALIFIED_DOMAIN_NAME

(if you do not use the default port, add 3 more entries with the port number attached: http/COMPUTER_NETBIOS_NAME:PORT, etc.)

B:

If your application pool is running under the IDENTITY "NetworkService", add the same SPNs as above but with "http" replaced by "HOST", and ADD THEM TO COMPUTER_NETBIOS_NAME (the computer account) on your domain controller.

I am still working on implementing this in production, but this is what works for me in my test environment. I will keep this updated as I find out more.

Note:

This works if you use COMPUTER_NETBIOS_NAME directly in the URL when connecting. If you use an alias (www.mysite.mydomain.com) or an IP address directly, this will not work. I believe, although I have not fully tested it, that you will need to follow the steps described above but replace COMPUTER_NETBIOS_NAME with the alias or IP address when adding the SPN (or add it with both the NetBIOS name and the alias/IP, not quite sure).

Also, if you get an error message saying that "... is not valid in Integrated ..." after you enable "ASP.NET impersonation", you may need to add

 <validation validateIntegratedModeConfiguration="false" /> 

to your web.config in the system.webServer section

+5
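The SPN registration from Step 2 above, as an added PowerShell example (it is not part of the original answer): it builds the http/ names for case A or the HOST/ names for case B, registers them with setspn.exe, then lists what is on the account and checks the forest for duplicates. The computer name, DNS domain and pool account below are placeholders.

```powershell
# Added example, not from the original answer. Registers the SPNs described in
# Step 2 with setspn.exe and then checks for duplicates.
# All names are placeholders; replace them with your own values.
param(
    [string]$ComputerNetbiosName = "WEBSRV01",          # placeholder
    [string]$DnsDomain           = "corp.example.com",   # placeholder
    [string]$PoolAccount         = "CORP\svc-webpool",   # placeholder, case A only
    [switch]$NetworkService,                             # case B
    [int]$Port = 80
)

$fqdn = "$ComputerNetbiosName.$DnsDomain"

# Case A: pool runs as a domain account -> http/ SPNs go on that account.
# Case B: pool runs as NetworkService   -> HOST/ SPNs go on the computer account.
if ($NetworkService) {
    $serviceClass = "HOST"
    $target       = $ComputerNetbiosName    # setspn resolves this to the computer account
} else {
    $serviceClass = "http"
    $target       = $PoolAccount
}

$spns = @("$serviceClass/$ComputerNetbiosName", "$serviceClass/$fqdn")
if ($Port -ne 80) {
    # Non-default port: the answer says to add the same names with :PORT appended.
    $spns += "$serviceClass/${ComputerNetbiosName}:$Port"
    $spns += "$serviceClass/${fqdn}:$Port"
}

foreach ($spn in $spns) {
    # -S checks the forest for a duplicate before adding. A duplicate SPN breaks
    # Kerberos for both accounts, which surfaces as a 401 or a silent NTLM fallback.
    & setspn.exe -S $spn $target
}

# Show what is now registered on the target and report any forest-wide duplicates.
& setspn.exe -L $target
& setspn.exe -X
```

Run it once per server, as a user allowed to write servicePrincipalName on the target account. For case B, the computer account normally already carries HOST/NETBIOS and HOST/FQDN, so setspn -S will report those as existing rather than add them again.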

Try the following:

Move Negotiate to the top of the Providers list. Then, in the applicationHost.config file (usually under C:\Windows\System32\inetsrv\config), add useKernelMode="true" useAppPoolCredentials="true" to the <windowsAuthentication> tag under the <location> for your application, for example, as below:

 <location path="YOUR_APPLICATION_PATH">
   <system.webServer>
     <security>
       <authentication>
         <anonymousAuthentication enabled="false" />
         <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
           <providers>
             <clear />
             <add value="Negotiate" />
             <add value="NTLM" />
           </providers>
         </windowsAuthentication>
       </authentication>
     </security>
   </system.webServer>
 </location>

+1
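An added PowerShell check (not from the original answer) that reads the <windowsAuthentication> settings for every <location> in applicationHost.config and flags the two things this answer changes: the provider order, and kernel mode enabled without useAppPoolCredentials. The embedded configuration fragment is constructed for the example; the default path is the one the answer names.

```powershell
# Added example, not from the original answer. Reports the windowsAuthentication
# settings that matter for Kerberos delegation, per <location>.
param(
    [string]$Path = "C:\Windows\System32\inetsrv\config\applicationHost.config",
    [switch]$UseSample      # use the constructed fragment below instead of the real file
)

# Constructed sample: NTLM listed first, kernel mode on, no useAppPoolCredentials.
$SampleConfig = @"
<configuration>
  <location path="Default Web Site/MyService">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" useKernelMode="true">
            <providers>
              <clear />
              <add value="NTLM" />
              <add value="Negotiate" />
            </providers>
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
"@

[xml]$config = if ($UseSample) { $SampleConfig } else { Get-Content -Path $Path }

foreach ($loc in $config.configuration.location) {
    $win = $loc.'system.webServer'.security.authentication.windowsAuthentication
    if (-not $win) { continue }

    $providers = @($win.providers.add | ForEach-Object { $_.value })
    # IIS defaults when the attribute is absent: useKernelMode=true, useAppPoolCredentials=false.
    $kernel   = if ($win.useKernelMode)         { [bool]::Parse($win.useKernelMode) }         else { $true }
    $poolCred = if ($win.useAppPoolCredentials) { [bool]::Parse($win.useAppPoolCredentials) } else { $false }

    "--- $($loc.path)"
    "  windowsAuthentication enabled : $($win.enabled)"
    "  providers (in order)          : $($providers -join ', ')"
    "  useKernelMode                 : $kernel"
    "  useAppPoolCredentials         : $poolCred"

    # Check 1: IIS emits WWW-Authenticate headers in this order and most clients take
    # the first one they support, so NTLM ahead of Negotiate means NTLM gets used.
    if ($providers.Count -gt 0 -and $providers[0] -eq 'NTLM') {
        "  WARNING: NTLM is listed before Negotiate; clients will pick NTLM and no Kerberos ticket is presented."
    }
    # Check 2: in kernel mode the ticket is decrypted with the machine account's key.
    # If the pool runs as a domain account that holds the http/ SPNs, that decryption
    # fails unless useAppPoolCredentials=true (or kernel mode is turned off).
    if ($kernel -and -not $poolCred) {
        "  NOTE: kernel mode without useAppPoolCredentials; only valid if the SPNs sit on the computer account."
    }
}
```

Run with -UseSample to see both findings on the constructed fragment, or without it to audit the live file. Check 2 is the reason the first answer turns kernel mode off while this answer keeps it on and adds useAppPoolCredentials: both make the ticket decryptable by the account that owns the SPN.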

Delegation requires Kerberos. You must make the SharePoint server's authentication support Kerberos.

+1

Source: https://habr.com/ru/post/1495024/
